xref: /linux/Documentation/bpf/standardization/instruction-set.rst (revision 1479eaff1f16983d8fda7c5a08a586c21891087d) 
1.. contents::
2.. sectnum::
3
4======================================
5BPF Instruction Set Architecture (ISA)
6======================================
7
8This document specifies the BPF instruction set architecture (ISA).
9
10Documentation conventions
11=========================
12
13For brevity and consistency, this document refers to families
14of types using a shorthand syntax and refers to several expository,
15mnemonic functions when describing the semantics of instructions.
16The range of valid values for those types and the semantics of those
17functions are defined in the following subsections.
18
19Types
20-----
21This document refers to integer types with the notation `SN` to specify
22a type's signedness (`S`) and bit width (`N`), respectively.
23
24.. table:: Meaning of signedness notation.
25
26  ==== =========
27  S    Meaning
28  ==== =========
29  u    unsigned
30  s    signed
31  ==== =========
32
33.. table:: Meaning of bit-width notation.
34
35  ===== =========
36  N     Bit width
37  ===== =========
38  8     8 bits
39  16    16 bits
40  32    32 bits
41  64    64 bits
42  128   128 bits
43  ===== =========
44
45For example, `u32` is a type whose valid values are all the 32-bit unsigned
46numbers and `s16` is a type whose valid values are all the 16-bit signed
47numbers.
48
49Functions
50---------
51* htobe16: Takes an unsigned 16-bit number in host-endian format and
52  returns the equivalent number as an unsigned 16-bit number in big-endian
53  format.
54* htobe32: Takes an unsigned 32-bit number in host-endian format and
55  returns the equivalent number as an unsigned 32-bit number in big-endian
56  format.
57* htobe64: Takes an unsigned 64-bit number in host-endian format and
58  returns the equivalent number as an unsigned 64-bit number in big-endian
59  format.
60* htole16: Takes an unsigned 16-bit number in host-endian format and
61  returns the equivalent number as an unsigned 16-bit number in little-endian
62  format.
63* htole32: Takes an unsigned 32-bit number in host-endian format and
64  returns the equivalent number as an unsigned 32-bit number in little-endian
65  format.
66* htole64: Takes an unsigned 64-bit number in host-endian format and
67  returns the equivalent number as an unsigned 64-bit number in little-endian
68  format.
69* bswap16: Takes an unsigned 16-bit number in either big- or little-endian
70  format and returns the equivalent number with the same bit width but
71  opposite endianness.
72* bswap32: Takes an unsigned 32-bit number in either big- or little-endian
73  format and returns the equivalent number with the same bit width but
74  opposite endianness.
75* bswap64: Takes an unsigned 64-bit number in either big- or little-endian
76  format and returns the equivalent number with the same bit width but
77  opposite endianness.
78
79
80Definitions
81-----------
82
83.. glossary::
84
85  Sign Extend
86    To `sign extend an` ``X`` `-bit number, A, to a` ``Y`` `-bit number, B  ,` means to
87
88    #. Copy all ``X`` bits from `A` to the lower ``X`` bits of `B`.
89    #. Set the value of the remaining ``Y`` - ``X`` bits of `B` to the value of
90       the  most-significant bit of `A`.
91
92.. admonition:: Example
93
94  Sign extend an 8-bit number ``A`` to a 16-bit number ``B`` on a big-endian platform:
95  ::
96
97    A:          10000110
98    B: 11111111 10000110
99
100Conformance groups
101------------------
102
103An implementation does not need to support all instructions specified in this
104document (e.g., deprecated instructions).  Instead, a number of conformance
105groups are specified.  An implementation must support the base32 conformance
106group and may support additional conformance groups, where supporting a
107conformance group means it must support all instructions in that conformance
108group.
109
110The use of named conformance groups enables interoperability between a runtime
111that executes instructions, and tools such as compilers that generate
112instructions for the runtime.  Thus, capability discovery in terms of
113conformance groups might be done manually by users or automatically by tools.
114
115Each conformance group has a short ASCII label (e.g., "base32") that
116corresponds to a set of instructions that are mandatory.  That is, each
117instruction has one or more conformance groups of which it is a member.
118
119This document defines the following conformance groups:
120
121* base32: includes all instructions defined in this
122  specification unless otherwise noted.
123* base64: includes base32, plus instructions explicitly noted
124  as being in the base64 conformance group.
125* atomic32: includes 32-bit atomic operation instructions (see `Atomic operations`_).
126* atomic64: includes atomic32, plus 64-bit atomic operation instructions.
127* divmul32: includes 32-bit division, multiplication, and modulo instructions.
128* divmul64: includes divmul32, plus 64-bit division, multiplication,
129  and modulo instructions.
130* packet: deprecated packet access instructions.
131
132Instruction encoding
133====================
134
135BPF has two instruction encodings:
136
137* the basic instruction encoding, which uses 64 bits to encode an instruction
138* the wide instruction encoding, which appends a second 64 bits
139  after the basic instruction for a total of 128 bits.
140
141Basic instruction encoding
142--------------------------
143
144A basic instruction is encoded as follows::
145
146  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
147  |    opcode     |     regs      |            offset             |
148  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149  |                              imm                              |
150  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151
152**opcode**
153  operation to perform, encoded as follows::
154
155    +-+-+-+-+-+-+-+-+
156    |specific |class|
157    +-+-+-+-+-+-+-+-+
158
159  **specific**
160    The format of these bits varies by instruction class
161
162  **class**
163    The instruction class (see `Instruction classes`_)
164
165**regs**
166  The source and destination register numbers, encoded as follows
167  on a little-endian host::
168
169    +-+-+-+-+-+-+-+-+
170    |src_reg|dst_reg|
171    +-+-+-+-+-+-+-+-+
172
173  and as follows on a big-endian host::
174
175    +-+-+-+-+-+-+-+-+
176    |dst_reg|src_reg|
177    +-+-+-+-+-+-+-+-+
178
179  **src_reg**
180    the source register number (0-10), except where otherwise specified
181    (`64-bit immediate instructions`_ reuse this field for other purposes)
182
183  **dst_reg**
184    destination register number (0-10), unless otherwise specified
185    (future instructions might reuse this field for other purposes)
186
187**offset**
188  signed integer offset used with pointer arithmetic, except where
189  otherwise specified (some arithmetic instructions reuse this field
190  for other purposes)
191
192**imm**
193  signed integer immediate value
194
195Note that the contents of multi-byte fields ('offset' and 'imm') are
196stored using big-endian byte ordering on big-endian hosts and
197little-endian byte ordering on little-endian hosts.
198
199For example::
200
201  opcode                  offset imm          assembly
202         src_reg dst_reg
203  07     0       1        00 00  44 33 22 11  r1 += 0x11223344 // little
204         dst_reg src_reg
205  07     1       0        00 00  11 22 33 44  r1 += 0x11223344 // big
206
207Note that most instructions do not use all of the fields.
208Unused fields shall be cleared to zero.
209
210Wide instruction encoding
211--------------------------
212
213Some instructions are defined to use the wide instruction encoding,
214which uses two 32-bit immediate values.  The 64 bits following
215the basic instruction format contain a pseudo instruction
216with 'opcode', 'dst_reg', 'src_reg', and 'offset' all set to zero.
217
218This is depicted in the following figure::
219
220  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
221  |    opcode     |     regs      |            offset             |
222  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
223  |                              imm                              |
224  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
225  |                           reserved                            |
226  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
227  |                           next_imm                            |
228  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
229
230**opcode**
231  operation to perform, encoded as explained above
232
233**regs**
234  The source and destination register numbers (unless otherwise
235  specified), encoded as explained above
236
237**offset**
238  signed integer offset used with pointer arithmetic, unless
239  otherwise specified
240
241**imm**
242  signed integer immediate value
243
244**reserved**
245  unused, set to zero
246
247**next_imm**
248  second signed integer immediate value
249
250Instruction classes
251-------------------
252
253The three least significant bits of the 'opcode' field store the instruction class:
254
255=====  =====  ===============================  ===================================
256class  value  description                      reference
257=====  =====  ===============================  ===================================
258LD     0x0    non-standard load operations     `Load and store instructions`_
259LDX    0x1    load into register operations    `Load and store instructions`_
260ST     0x2    store from immediate operations  `Load and store instructions`_
261STX    0x3    store from register operations   `Load and store instructions`_
262ALU    0x4    32-bit arithmetic operations     `Arithmetic and jump instructions`_
263JMP    0x5    64-bit jump operations           `Arithmetic and jump instructions`_
264JMP32  0x6    32-bit jump operations           `Arithmetic and jump instructions`_
265ALU64  0x7    64-bit arithmetic operations     `Arithmetic and jump instructions`_
266=====  =====  ===============================  ===================================
267
268Arithmetic and jump instructions
269================================
270
271For arithmetic and jump instructions (``ALU``, ``ALU64``, ``JMP`` and
272``JMP32``), the 8-bit 'opcode' field is divided into three parts::
273
274  +-+-+-+-+-+-+-+-+
275  |  code |s|class|
276  +-+-+-+-+-+-+-+-+
277
278**code**
279  the operation code, whose meaning varies by instruction class
280
281**s (source)**
282  the source operand location, which unless otherwise specified is one of:
283
284  ======  =====  ==============================================
285  source  value  description
286  ======  =====  ==============================================
287  K       0      use 32-bit 'imm' value as source operand
288  X       1      use 'src_reg' register value as source operand
289  ======  =====  ==============================================
290
291**instruction class**
292  the instruction class (see `Instruction classes`_)
293
294Arithmetic instructions
295-----------------------
296
297``ALU`` uses 32-bit wide operands while ``ALU64`` uses 64-bit wide operands for
298otherwise identical operations. ``ALU64`` instructions belong to the
299base64 conformance group unless noted otherwise.
300The 'code' field encodes the operation as below, where 'src' and 'dst' refer
301to the values of the source and destination registers, respectively.
302
303=====  =====  =======  ==========================================================
304name   code   offset   description
305=====  =====  =======  ==========================================================
306ADD    0x0    0        dst += src
307SUB    0x1    0        dst -= src
308MUL    0x2    0        dst \*= src
309DIV    0x3    0        dst = (src != 0) ? (dst / src) : 0
310SDIV   0x3    1        dst = (src != 0) ? (dst s/ src) : 0
311OR     0x4    0        dst \|= src
312AND    0x5    0        dst &= src
313LSH    0x6    0        dst <<= (src & mask)
314RSH    0x7    0        dst >>= (src & mask)
315NEG    0x8    0        dst = -dst
316MOD    0x9    0        dst = (src != 0) ? (dst % src) : dst
317SMOD   0x9    1        dst = (src != 0) ? (dst s% src) : dst
318XOR    0xa    0        dst ^= src
319MOV    0xb    0        dst = src
320MOVSX  0xb    8/16/32  dst = (s8,s16,s32)src
321ARSH   0xc    0        :term:`sign extending<Sign Extend>` dst >>= (src & mask)
322END    0xd    0        byte swap operations (see `Byte swap instructions`_ below)
323=====  =====  =======  ==========================================================
324
325Underflow and overflow are allowed during arithmetic operations, meaning
326the 64-bit or 32-bit value will wrap. If BPF program execution would
327result in division by zero, the destination register is instead set to zero.
328If execution would result in modulo by zero, for ``ALU64`` the value of
329the destination register is unchanged whereas for ``ALU`` the upper
33032 bits of the destination register are zeroed.
331
332``{ADD, X, ALU}``, where 'code' = ``ADD``, 'source' = ``X``, and 'class' = ``ALU``, means::
333
334  dst = (u32) ((u32) dst + (u32) src)
335
336where '(u32)' indicates that the upper 32 bits are zeroed.
337
338``{ADD, X, ALU64}`` means::
339
340  dst = dst + src
341
342``{XOR, K, ALU}`` means::
343
344  dst = (u32) dst ^ (u32) imm
345
346``{XOR, K, ALU64}`` means::
347
348  dst = dst ^ imm
349
350Note that most arithmetic instructions have 'offset' set to 0. Only three instructions
351(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'.
352
353Division, multiplication, and modulo operations for ``ALU`` are part
354of the "divmul32" conformance group, and division, multiplication, and
355modulo operations for ``ALU64`` are part of the "divmul64" conformance
356group.
357The division and modulo operations support both unsigned and signed flavors.
358
359For unsigned operations (``DIV`` and ``MOD``), for ``ALU``,
360'imm' is interpreted as a 32-bit unsigned value. For ``ALU64``,
361'imm' is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
362interpreted as a 64-bit unsigned value.
363
364For signed operations (``SDIV`` and ``SMOD``), for ``ALU``,
365'imm' is interpreted as a 32-bit signed value. For ``ALU64``, 'imm'
366is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
367interpreted as a 64-bit signed value.
368
369Note that there are varying definitions of the signed modulo operation
370when the dividend or divisor are negative, where implementations often
371vary by language such that Python, Ruby, etc.  differ from C, Go, Java,
372etc. This specification requires that signed modulo use truncated division
373(where -13 % 3 == -1) as implemented in C, Go, etc.::
374
375   a % n = a - n * trunc(a / n)
376
377The ``MOVSX`` instruction does a move operation with sign extension.
378``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into
37932-bit operands, and zeroes the remaining upper 32 bits.
380``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit
381operands into 64-bit operands.  Unlike other arithmetic instructions,
382``MOVSX`` is only defined for register source operands (``X``).
383
384The ``NEG`` instruction is only defined when the source bit is clear
385(``K``).
386
387Shift operations use a mask of 0x3F (63) for 64-bit operations and 0x1F (31)
388for 32-bit operations.
389
390Byte swap instructions
391----------------------
392
393The byte swap instructions use instruction classes of ``ALU`` and ``ALU64``
394and a 4-bit 'code' field of ``END``.
395
396The byte swap instructions operate on the destination register
397only and do not use a separate source register or immediate value.
398
399For ``ALU``, the 1-bit source operand field in the opcode is used to
400select what byte order the operation converts from or to. For
401``ALU64``, the 1-bit source operand field in the opcode is reserved
402and must be set to 0.
403
404=====  ========  =====  =================================================
405class  source    value  description
406=====  ========  =====  =================================================
407ALU    TO_LE     0      convert between host byte order and little endian
408ALU    TO_BE     1      convert between host byte order and big endian
409ALU64  Reserved  0      do byte swap unconditionally
410=====  ========  =====  =================================================
411
412The 'imm' field encodes the width of the swap operations.  The following widths
413are supported: 16, 32 and 64.  Width 64 operations belong to the base64
414conformance group and other swap operations belong to the base32
415conformance group.
416
417Examples:
418
419``{END, TO_LE, ALU}`` with 'imm' = 16/32/64 means::
420
421  dst = htole16(dst)
422  dst = htole32(dst)
423  dst = htole64(dst)
424
425``{END, TO_BE, ALU}`` with 'imm' = 16/32/64 means::
426
427  dst = htobe16(dst)
428  dst = htobe32(dst)
429  dst = htobe64(dst)
430
431``{END, TO_LE, ALU64}`` with 'imm' = 16/32/64 means::
432
433  dst = bswap16(dst)
434  dst = bswap32(dst)
435  dst = bswap64(dst)
436
437Jump instructions
438-----------------
439
440``JMP32`` uses 32-bit wide operands and indicates the base32
441conformance group, while ``JMP`` uses 64-bit wide operands for
442otherwise identical operations, and indicates the base64 conformance
443group unless otherwise specified.
444The 'code' field encodes the operation as below:
445
446========  =====  =======  =================================  ===================================================
447code      value  src_reg  description                        notes
448========  =====  =======  =================================  ===================================================
449JA        0x0    0x0      PC += offset                       {JA, K, JMP} only
450JA        0x0    0x0      PC += imm                          {JA, K, JMP32} only
451JEQ       0x1    any      PC += offset if dst == src
452JGT       0x2    any      PC += offset if dst > src          unsigned
453JGE       0x3    any      PC += offset if dst >= src         unsigned
454JSET      0x4    any      PC += offset if dst & src
455JNE       0x5    any      PC += offset if dst != src
456JSGT      0x6    any      PC += offset if dst > src          signed
457JSGE      0x7    any      PC += offset if dst >= src         signed
458CALL      0x8    0x0      call helper function by static ID  {CALL, K, JMP} only, see `Helper functions`_
459CALL      0x8    0x1      call PC += imm                     {CALL, K, JMP} only, see `Program-local functions`_
460CALL      0x8    0x2      call helper function by BTF ID     {CALL, K, JMP} only, see `Helper functions`_
461EXIT      0x9    0x0      return                             {CALL, K, JMP} only
462JLT       0xa    any      PC += offset if dst < src          unsigned
463JLE       0xb    any      PC += offset if dst <= src         unsigned
464JSLT      0xc    any      PC += offset if dst < src          signed
465JSLE      0xd    any      PC += offset if dst <= src         signed
466========  =====  =======  =================================  ===================================================
467
468The BPF program needs to store the return value into register R0 before doing an
469``EXIT``.
470
471Example:
472
473``{JSGE, X, JMP32}`` means::
474
475  if (s32)dst s>= (s32)src goto +offset
476
477where 's>=' indicates a signed '>=' comparison.
478
479``{JA, K, JMP32}`` means::
480
481  gotol +imm
482
483where 'imm' means the branch offset comes from the 'imm' field.
484
485Note that there are two flavors of ``JA`` instructions. The
486``JMP`` class permits a 16-bit jump offset specified by the 'offset'
487field, whereas the ``JMP32`` class permits a 32-bit jump offset
488specified by the 'imm' field. A > 16-bit conditional jump may be
489converted to a < 16-bit conditional jump plus a 32-bit unconditional
490jump.
491
492All ``CALL`` and ``JA`` instructions belong to the
493base32 conformance group.
494
495Helper functions
496~~~~~~~~~~~~~~~~
497
498Helper functions are a concept whereby BPF programs can call into a
499set of function calls exposed by the underlying platform.
500
501Historically, each helper function was identified by a static ID
502encoded in the 'imm' field.  The available helper functions may differ
503for each program type, but static IDs are unique across all program types.
504
505Platforms that support the BPF Type Format (BTF) support identifying
506a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID
507identifies the helper name and type.
508
509Program-local functions
510~~~~~~~~~~~~~~~~~~~~~~~
511Program-local functions are functions exposed by the same BPF program as the
512caller, and are referenced by offset from the call instruction, similar to
513``JA``.  The offset is encoded in the 'imm' field of the call instruction.
514An ``EXIT`` within the program-local function will return to the caller.
515
516Load and store instructions
517===========================
518
519For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the
5208-bit 'opcode' field is divided as follows::
521
522  +-+-+-+-+-+-+-+-+
523  |mode |sz |class|
524  +-+-+-+-+-+-+-+-+
525
526**mode**
527  The mode modifier is one of:
528
529    =============  =====  ====================================  =============
530    mode modifier  value  description                           reference
531    =============  =====  ====================================  =============
532    IMM            0      64-bit immediate instructions         `64-bit immediate instructions`_
533    ABS            1      legacy BPF packet access (absolute)   `Legacy BPF Packet access instructions`_
534    IND            2      legacy BPF packet access (indirect)   `Legacy BPF Packet access instructions`_
535    MEM            3      regular load and store operations     `Regular load and store operations`_
536    MEMSX          4      sign-extension load operations        `Sign-extension load operations`_
537    ATOMIC         6      atomic operations                     `Atomic operations`_
538    =============  =====  ====================================  =============
539
540**sz (size)**
541  The size modifier is one of:
542
543    ====  =====  =====================
544    size  value  description
545    ====  =====  =====================
546    W     0      word        (4 bytes)
547    H     1      half word   (2 bytes)
548    B     2      byte
549    DW    3      double word (8 bytes)
550    ====  =====  =====================
551
552  Instructions using ``DW`` belong to the base64 conformance group.
553
554**class**
555  The instruction class (see `Instruction classes`_)
556
557Regular load and store operations
558---------------------------------
559
560The ``MEM`` mode modifier is used to encode regular load and store
561instructions that transfer data between a register and memory.
562
563``{MEM, <size>, STX}`` means::
564
565  *(size *) (dst + offset) = src
566
567``{MEM, <size>, ST}`` means::
568
569  *(size *) (dst + offset) = imm
570
571``{MEM, <size>, LDX}`` means::
572
573  dst = *(unsigned size *) (src + offset)
574
575Where '<size>' is one of: ``B``, ``H``, ``W``, or ``DW``, and
576'unsigned size' is one of: u8, u16, u32, or u64.
577
578Sign-extension load operations
579------------------------------
580
581The ``MEMSX`` mode modifier is used to encode :term:`sign-extension<Sign Extend>` load
582instructions that transfer data between a register and memory.
583
584``{MEMSX, <size>, LDX}`` means::
585
586  dst = *(signed size *) (src + offset)
587
588Where '<size>' is one of: ``B``, ``H``, or ``W``, and
589'signed size' is one of: s8, s16, or s32.
590
591Atomic operations
592-----------------
593
594Atomic operations are operations that operate on memory and can not be
595interrupted or corrupted by other access to the same memory region
596by other BPF programs or means outside of this specification.
597
598All atomic operations supported by BPF are encoded as store operations
599that use the ``ATOMIC`` mode modifier as follows:
600
601* ``{ATOMIC, W, STX}`` for 32-bit operations, which are
602  part of the "atomic32" conformance group.
603* ``{ATOMIC, DW, STX}`` for 64-bit operations, which are
604  part of the "atomic64" conformance group.
605* 8-bit and 16-bit wide atomic operations are not supported.
606
607The 'imm' field is used to encode the actual atomic operation.
608Simple atomic operation use a subset of the values defined to encode
609arithmetic operations in the 'imm' field to encode the atomic operation:
610
611========  =====  ===========
612imm       value  description
613========  =====  ===========
614ADD       0x00   atomic add
615OR        0x40   atomic or
616AND       0x50   atomic and
617XOR       0xa0   atomic xor
618========  =====  ===========
619
620
621``{ATOMIC, W, STX}`` with 'imm' = ADD means::
622
623  *(u32 *)(dst + offset) += src
624
625``{ATOMIC, DW, STX}`` with 'imm' = ADD means::
626
627  *(u64 *)(dst + offset) += src
628
629In addition to the simple atomic operations, there also is a modifier and
630two complex atomic operations:
631
632===========  ================  ===========================
633imm          value             description
634===========  ================  ===========================
635FETCH        0x01              modifier: return old value
636XCHG         0xe0 | FETCH      atomic exchange
637CMPXCHG      0xf0 | FETCH      atomic compare and exchange
638===========  ================  ===========================
639
640The ``FETCH`` modifier is optional for simple atomic operations, and
641always set for the complex atomic operations.  If the ``FETCH`` flag
642is set, then the operation also overwrites ``src`` with the value that
643was in memory before it was modified.
644
645The ``XCHG`` operation atomically exchanges ``src`` with the value
646addressed by ``dst + offset``.
647
648The ``CMPXCHG`` operation atomically compares the value addressed by
649``dst + offset`` with ``R0``. If they match, the value addressed by
650``dst + offset`` is replaced with ``src``. In either case, the
651value that was at ``dst + offset`` before the operation is zero-extended
652and loaded back to ``R0``.
653
65464-bit immediate instructions
655-----------------------------
656
657Instructions with the ``IMM`` 'mode' modifier use the wide instruction
658encoding defined in `Instruction encoding`_, and use the 'src_reg' field of the
659basic instruction to hold an opcode subtype.
660
661The following table defines a set of ``{IMM, DW, LD}`` instructions
662with opcode subtypes in the 'src_reg' field, using new terms such as "map"
663defined further below:
664
665=======  =========================================  ===========  ==============
666src_reg  pseudocode                                 imm type     dst type
667=======  =========================================  ===========  ==============
6680x0      dst = (next_imm << 32) | imm               integer      integer
6690x1      dst = map_by_fd(imm)                       map fd       map
6700x2      dst = map_val(map_by_fd(imm)) + next_imm   map fd       data address
6710x3      dst = var_addr(imm)                        variable id  data address
6720x4      dst = code_addr(imm)                       integer      code address
6730x5      dst = map_by_idx(imm)                      map index    map
6740x6      dst = map_val(map_by_idx(imm)) + next_imm  map index    data address
675=======  =========================================  ===========  ==============
676
677where
678
679* map_by_fd(imm) means to convert a 32-bit file descriptor into an address of a map (see `Maps`_)
680* map_by_idx(imm) means to convert a 32-bit index into an address of a map
681* map_val(map) gets the address of the first value in a given map
682* var_addr(imm) gets the address of a platform variable (see `Platform Variables`_) with a given id
683* code_addr(imm) gets the address of the instruction at a specified relative offset in number of (64-bit) instructions
684* the 'imm type' can be used by disassemblers for display
685* the 'dst type' can be used for verification and JIT compilation purposes
686
687Maps
688~~~~
689
690Maps are shared memory regions accessible by BPF programs on some platforms.
691A map can have various semantics as defined in a separate document, and may or
692may not have a single contiguous memory region, but the 'map_val(map)' is
693currently only defined for maps that do have a single contiguous memory region.
694
695Each map can have a file descriptor (fd) if supported by the platform, where
696'map_by_fd(imm)' means to get the map with the specified file descriptor. Each
697BPF program can also be defined to use a set of maps associated with the
698program at load time, and 'map_by_idx(imm)' means to get the map with the given
699index in the set associated with the BPF program containing the instruction.
700
701Platform Variables
702~~~~~~~~~~~~~~~~~~
703
704Platform variables are memory regions, identified by integer ids, exposed by
705the runtime and accessible by BPF programs on some platforms.  The
706'var_addr(imm)' operation means to get the address of the memory region
707identified by the given id.
708
709Legacy BPF Packet access instructions
710-------------------------------------
711
712BPF previously introduced special instructions for access to packet data that were
713carried over from classic BPF. These instructions used an instruction
714class of ``LD``, a size modifier of ``W``, ``H``, or ``B``, and a
715mode modifier of ``ABS`` or ``IND``.  The 'dst_reg' and 'offset' fields were
716set to zero, and 'src_reg' was set to zero for ``ABS``.  However, these
717instructions are deprecated and should no longer be used.  All legacy packet
718access instructions belong to the "packet" conformance group.
719