Having written a few toy VMs in the past (and some in production!), there are always avenues to "make it weird."
Sol's yield/end instruction pair looks super abusable if you want to write somethiing obfuscated.
My favourite alteration has always been to not have any control flow instructions in the provided ISA, but allow the programmer direct write access to the program counter register, or force them to write self modifying code.
> My favourite alteration has always been to not have any control flow instructions in the provided ISA, but allow the programmer direct write access to the program counter register
I did that for a toy RISC ISA of mine, but I added the additional soft constraint of one assembler temporary. It turns out that’s enough to macro-code most control flow instructions in the assembler even if your instruction set is very poor, so it’s really not a huge barrier in practice. (You jump into the middle of a branch island, which performs the test and scales it so that it is large enough that the -1/0/+1 result is enough so that pc+that value is enough to reach all three arms of the condition.)
While z80 does have control, it only has jumps to constant addresses. You had to do a push and a ret in order to jump at a calculated address. Or use self-modifying code, although I don't think it was really used.
Ah, I misremembered. The push-ret trick was for things like emulating JP(BC) or pushing multiple addresses to indirectly call a few functions in a row. There was an indirect jump but no indirect call.
This got me curious so I looked it up. My understanding is yes on ARM32, not sure on ARM64, and yes with only minor indirection on x86 and x86_64. For example (x86, untested):
call 0
pop eax
shl eax 1
jmp eax
Note that using call 0 in this way doesn't trash the return address predictor because it is special cased (since at least Pentium Pro as far as I could find).
Having written a few toy VMs in the past (and some in production!), there are always avenues to "make it weird."
Sol's yield/end instruction pair looks super abusable if you want to write somethiing obfuscated.
My favourite alteration has always been to not have any control flow instructions in the provided ISA, but allow the programmer direct write access to the program counter register, or force them to write self modifying code.
After all, programming is fun.