1.. contents:: 2.. sectnum:: 3 4====================================== 5BPF Instruction Set Architecture (ISA) 6====================================== 7 8eBPF (which is no longer an acronym for anything), also commonly 9referred to as BPF, is a technology with origins in the Linux kernel 10that can run untrusted programs in a privileged context such as an 11operating system kernel. This document specifies the BPF instruction 12set architecture (ISA). 13 14Documentation conventions 15========================= 16 17For brevity and consistency, this document refers to families 18of types using a shorthand syntax and refers to several expository, 19mnemonic functions when describing the semantics of instructions. 20The range of valid values for those types and the semantics of those 21functions are defined in the following subsections. 22 23Types 24----- 25This document refers to integer types with the notation `SN` to specify 26a type's signedness (`S`) and bit width (`N`), respectively. 27 28.. table:: Meaning of signedness notation. 29 30 ==== ========= 31 S Meaning 32 ==== ========= 33 u unsigned 34 s signed 35 ==== ========= 36 37.. table:: Meaning of bit-width notation. 38 39 ===== ========= 40 N Bit width 41 ===== ========= 42 8 8 bits 43 16 16 bits 44 32 32 bits 45 64 64 bits 46 128 128 bits 47 ===== ========= 48 49For example, `u32` is a type whose valid values are all the 32-bit unsigned 50numbers and `s16` is a type whose valid values are all the 16-bit signed 51numbers. 52 53Functions 54--------- 55* htobe16: Takes an unsigned 16-bit number in host-endian format and 56 returns the equivalent number as an unsigned 16-bit number in big-endian 57 format. 58* htobe32: Takes an unsigned 32-bit number in host-endian format and 59 returns the equivalent number as an unsigned 32-bit number in big-endian 60 format. 61* htobe64: Takes an unsigned 64-bit number in host-endian format and 62 returns the equivalent number as an unsigned 64-bit number in big-endian 63 format. 64* htole16: Takes an unsigned 16-bit number in host-endian format and 65 returns the equivalent number as an unsigned 16-bit number in little-endian 66 format. 67* htole32: Takes an unsigned 32-bit number in host-endian format and 68 returns the equivalent number as an unsigned 32-bit number in little-endian 69 format. 70* htole64: Takes an unsigned 64-bit number in host-endian format and 71 returns the equivalent number as an unsigned 64-bit number in little-endian 72 format. 73* bswap16: Takes an unsigned 16-bit number in either big- or little-endian 74 format and returns the equivalent number with the same bit width but 75 opposite endianness. 76* bswap32: Takes an unsigned 32-bit number in either big- or little-endian 77 format and returns the equivalent number with the same bit width but 78 opposite endianness. 79* bswap64: Takes an unsigned 64-bit number in either big- or little-endian 80 format and returns the equivalent number with the same bit width but 81 opposite endianness. 82 83 84Definitions 85----------- 86 87.. glossary:: 88 89 Sign Extend 90 To `sign extend an` ``X`` `-bit number, A, to a` ``Y`` `-bit number, B ,` means to 91 92 #. Copy all ``X`` bits from `A` to the lower ``X`` bits of `B`. 93 #. Set the value of the remaining ``Y`` - ``X`` bits of `B` to the value of 94 the most-significant bit of `A`. 95 96.. admonition:: Example 97 98 Sign extend an 8-bit number ``A`` to a 16-bit number ``B`` on a big-endian platform: 99 :: 100 101 A: 10000110 102 B: 11111111 10000110 103 104Conformance groups 105------------------ 106 107An implementation does not need to support all instructions specified in this 108document (e.g., deprecated instructions). Instead, a number of conformance 109groups are specified. An implementation must support the base32 conformance 110group and may support additional conformance groups, where supporting a 111conformance group means it must support all instructions in that conformance 112group. 113 114The use of named conformance groups enables interoperability between a runtime 115that executes instructions, and tools such as compilers that generate 116instructions for the runtime. Thus, capability discovery in terms of 117conformance groups might be done manually by users or automatically by tools. 118 119Each conformance group has a short ASCII label (e.g., "base32") that 120corresponds to a set of instructions that are mandatory. That is, each 121instruction has one or more conformance groups of which it is a member. 122 123This document defines the following conformance groups: 124 125* base32: includes all instructions defined in this 126 specification unless otherwise noted. 127* base64: includes base32, plus instructions explicitly noted 128 as being in the base64 conformance group. 129* atomic32: includes 32-bit atomic operation instructions (see `Atomic operations`_). 130* atomic64: includes atomic32, plus 64-bit atomic operation instructions. 131* divmul32: includes 32-bit division, multiplication, and modulo instructions. 132* divmul64: includes divmul32, plus 64-bit division, multiplication, 133 and modulo instructions. 134* packet: deprecated packet access instructions. 135 136Instruction encoding 137==================== 138 139BPF has two instruction encodings: 140 141* the basic instruction encoding, which uses 64 bits to encode an instruction 142* the wide instruction encoding, which appends a second 64 bits 143 after the basic instruction for a total of 128 bits. 144 145Basic instruction encoding 146-------------------------- 147 148A basic instruction is encoded as follows:: 149 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 | opcode | regs | offset | 152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 153 | imm | 154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 155 156**opcode** 157 operation to perform, encoded as follows:: 158 159 +-+-+-+-+-+-+-+-+ 160 |specific |class| 161 +-+-+-+-+-+-+-+-+ 162 163 **specific** 164 The format of these bits varies by instruction class 165 166 **class** 167 The instruction class (see `Instruction classes`_) 168 169**regs** 170 The source and destination register numbers, encoded as follows 171 on a little-endian host:: 172 173 +-+-+-+-+-+-+-+-+ 174 |src_reg|dst_reg| 175 +-+-+-+-+-+-+-+-+ 176 177 and as follows on a big-endian host:: 178 179 +-+-+-+-+-+-+-+-+ 180 |dst_reg|src_reg| 181 +-+-+-+-+-+-+-+-+ 182 183 **src_reg** 184 the source register number (0-10), except where otherwise specified 185 (`64-bit immediate instructions`_ reuse this field for other purposes) 186 187 **dst_reg** 188 destination register number (0-10), unless otherwise specified 189 (future instructions might reuse this field for other purposes) 190 191**offset** 192 signed integer offset used with pointer arithmetic, except where 193 otherwise specified (some arithmetic instructions reuse this field 194 for other purposes) 195 196**imm** 197 signed integer immediate value 198 199Note that the contents of multi-byte fields ('offset' and 'imm') are 200stored using big-endian byte ordering on big-endian hosts and 201little-endian byte ordering on little-endian hosts. 202 203For example:: 204 205 opcode offset imm assembly 206 src_reg dst_reg 207 07 0 1 00 00 44 33 22 11 r1 += 0x11223344 // little 208 dst_reg src_reg 209 07 1 0 00 00 11 22 33 44 r1 += 0x11223344 // big 210 211Note that most instructions do not use all of the fields. 212Unused fields shall be cleared to zero. 213 214Wide instruction encoding 215-------------------------- 216 217Some instructions are defined to use the wide instruction encoding, 218which uses two 32-bit immediate values. The 64 bits following 219the basic instruction format contain a pseudo instruction 220with 'opcode', 'dst_reg', 'src_reg', and 'offset' all set to zero. 221 222This is depicted in the following figure:: 223 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 225 | opcode | regs | offset | 226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 227 | imm | 228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 229 | reserved | 230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 231 | next_imm | 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 233 234**opcode** 235 operation to perform, encoded as explained above 236 237**regs** 238 The source and destination register numbers (unless otherwise 239 specified), encoded as explained above 240 241**offset** 242 signed integer offset used with pointer arithmetic, unless 243 otherwise specified 244 245**imm** 246 signed integer immediate value 247 248**reserved** 249 unused, set to zero 250 251**next_imm** 252 second signed integer immediate value 253 254Instruction classes 255------------------- 256 257The three least significant bits of the 'opcode' field store the instruction class: 258 259===== ===== =============================== =================================== 260class value description reference 261===== ===== =============================== =================================== 262LD 0x0 non-standard load operations `Load and store instructions`_ 263LDX 0x1 load into register operations `Load and store instructions`_ 264ST 0x2 store from immediate operations `Load and store instructions`_ 265STX 0x3 store from register operations `Load and store instructions`_ 266ALU 0x4 32-bit arithmetic operations `Arithmetic and jump instructions`_ 267JMP 0x5 64-bit jump operations `Arithmetic and jump instructions`_ 268JMP32 0x6 32-bit jump operations `Arithmetic and jump instructions`_ 269ALU64 0x7 64-bit arithmetic operations `Arithmetic and jump instructions`_ 270===== ===== =============================== =================================== 271 272Arithmetic and jump instructions 273================================ 274 275For arithmetic and jump instructions (``ALU``, ``ALU64``, ``JMP`` and 276``JMP32``), the 8-bit 'opcode' field is divided into three parts:: 277 278 +-+-+-+-+-+-+-+-+ 279 | code |s|class| 280 +-+-+-+-+-+-+-+-+ 281 282**code** 283 the operation code, whose meaning varies by instruction class 284 285**s (source)** 286 the source operand location, which unless otherwise specified is one of: 287 288 ====== ===== ============================================== 289 source value description 290 ====== ===== ============================================== 291 K 0 use 32-bit 'imm' value as source operand 292 X 1 use 'src_reg' register value as source operand 293 ====== ===== ============================================== 294 295**instruction class** 296 the instruction class (see `Instruction classes`_) 297 298Arithmetic instructions 299----------------------- 300 301``ALU`` uses 32-bit wide operands while ``ALU64`` uses 64-bit wide operands for 302otherwise identical operations. ``ALU64`` instructions belong to the 303base64 conformance group unless noted otherwise. 304The 'code' field encodes the operation as below, where 'src' refers to the 305the source operand and 'dst' refers to the value of the destination 306register. 307 308===== ===== ======= ========================================================== 309name code offset description 310===== ===== ======= ========================================================== 311ADD 0x0 0 dst += src 312SUB 0x1 0 dst -= src 313MUL 0x2 0 dst \*= src 314DIV 0x3 0 dst = (src != 0) ? (dst / src) : 0 315SDIV 0x3 1 dst = (src != 0) ? (dst s/ src) : 0 316OR 0x4 0 dst \|= src 317AND 0x5 0 dst &= src 318LSH 0x6 0 dst <<= (src & mask) 319RSH 0x7 0 dst >>= (src & mask) 320NEG 0x8 0 dst = -dst 321MOD 0x9 0 dst = (src != 0) ? (dst % src) : dst 322SMOD 0x9 1 dst = (src != 0) ? (dst s% src) : dst 323XOR 0xa 0 dst ^= src 324MOV 0xb 0 dst = src 325MOVSX 0xb 8/16/32 dst = (s8,s16,s32)src 326ARSH 0xc 0 :term:`sign extending<Sign Extend>` dst >>= (src & mask) 327END 0xd 0 byte swap operations (see `Byte swap instructions`_ below) 328===== ===== ======= ========================================================== 329 330Underflow and overflow are allowed during arithmetic operations, meaning 331the 64-bit or 32-bit value will wrap. If BPF program execution would 332result in division by zero, the destination register is instead set to zero. 333If execution would result in modulo by zero, for ``ALU64`` the value of 334the destination register is unchanged whereas for ``ALU`` the upper 33532 bits of the destination register are zeroed. 336 337``{ADD, X, ALU}``, where 'code' = ``ADD``, 'source' = ``X``, and 'class' = ``ALU``, means:: 338 339 dst = (u32) ((u32) dst + (u32) src) 340 341where '(u32)' indicates that the upper 32 bits are zeroed. 342 343``{ADD, X, ALU64}`` means:: 344 345 dst = dst + src 346 347``{XOR, K, ALU}`` means:: 348 349 dst = (u32) dst ^ (u32) imm 350 351``{XOR, K, ALU64}`` means:: 352 353 dst = dst ^ imm 354 355Note that most arithmetic instructions have 'offset' set to 0. Only three instructions 356(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'. 357 358Division, multiplication, and modulo operations for ``ALU`` are part 359of the "divmul32" conformance group, and division, multiplication, and 360modulo operations for ``ALU64`` are part of the "divmul64" conformance 361group. 362The division and modulo operations support both unsigned and signed flavors. 363 364For unsigned operations (``DIV`` and ``MOD``), for ``ALU``, 365'imm' is interpreted as a 32-bit unsigned value. For ``ALU64``, 366'imm' is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then 367interpreted as a 64-bit unsigned value. 368 369For signed operations (``SDIV`` and ``SMOD``), for ``ALU``, 370'imm' is interpreted as a 32-bit signed value. For ``ALU64``, 'imm' 371is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then 372interpreted as a 64-bit signed value. 373 374Note that there are varying definitions of the signed modulo operation 375when the dividend or divisor are negative, where implementations often 376vary by language such that Python, Ruby, etc. differ from C, Go, Java, 377etc. This specification requires that signed modulo use truncated division 378(where -13 % 3 == -1) as implemented in C, Go, etc.:: 379 380 a % n = a - n * trunc(a / n) 381 382The ``MOVSX`` instruction does a move operation with sign extension. 383``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into 38432-bit operands, and zeroes the remaining upper 32 bits. 385``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit 386operands into 64-bit operands. Unlike other arithmetic instructions, 387``MOVSX`` is only defined for register source operands (``X``). 388 389The ``NEG`` instruction is only defined when the source bit is clear 390(``K``). 391 392Shift operations use a mask of 0x3F (63) for 64-bit operations and 0x1F (31) 393for 32-bit operations. 394 395Byte swap instructions 396---------------------- 397 398The byte swap instructions use instruction classes of ``ALU`` and ``ALU64`` 399and a 4-bit 'code' field of ``END``. 400 401The byte swap instructions operate on the destination register 402only and do not use a separate source register or immediate value. 403 404For ``ALU``, the 1-bit source operand field in the opcode is used to 405select what byte order the operation converts from or to. For 406``ALU64``, the 1-bit source operand field in the opcode is reserved 407and must be set to 0. 408 409===== ======== ===== ================================================= 410class source value description 411===== ======== ===== ================================================= 412ALU TO_LE 0 convert between host byte order and little endian 413ALU TO_BE 1 convert between host byte order and big endian 414ALU64 Reserved 0 do byte swap unconditionally 415===== ======== ===== ================================================= 416 417The 'imm' field encodes the width of the swap operations. The following widths 418are supported: 16, 32 and 64. Width 64 operations belong to the base64 419conformance group and other swap operations belong to the base32 420conformance group. 421 422Examples: 423 424``{END, TO_LE, ALU}`` with 'imm' = 16/32/64 means:: 425 426 dst = htole16(dst) 427 dst = htole32(dst) 428 dst = htole64(dst) 429 430``{END, TO_BE, ALU}`` with 'imm' = 16/32/64 means:: 431 432 dst = htobe16(dst) 433 dst = htobe32(dst) 434 dst = htobe64(dst) 435 436``{END, TO_LE, ALU64}`` with 'imm' = 16/32/64 means:: 437 438 dst = bswap16(dst) 439 dst = bswap32(dst) 440 dst = bswap64(dst) 441 442Jump instructions 443----------------- 444 445``JMP32`` uses 32-bit wide operands and indicates the base32 446conformance group, while ``JMP`` uses 64-bit wide operands for 447otherwise identical operations, and indicates the base64 conformance 448group unless otherwise specified. 449The 'code' field encodes the operation as below: 450 451======== ===== ======= ================================= =================================================== 452code value src_reg description notes 453======== ===== ======= ================================= =================================================== 454JA 0x0 0x0 PC += offset {JA, K, JMP} only 455JA 0x0 0x0 PC += imm {JA, K, JMP32} only 456JEQ 0x1 any PC += offset if dst == src 457JGT 0x2 any PC += offset if dst > src unsigned 458JGE 0x3 any PC += offset if dst >= src unsigned 459JSET 0x4 any PC += offset if dst & src 460JNE 0x5 any PC += offset if dst != src 461JSGT 0x6 any PC += offset if dst > src signed 462JSGE 0x7 any PC += offset if dst >= src signed 463CALL 0x8 0x0 call helper function by static ID {CALL, K, JMP} only, see `Helper functions`_ 464CALL 0x8 0x1 call PC += imm {CALL, K, JMP} only, see `Program-local functions`_ 465CALL 0x8 0x2 call helper function by BTF ID {CALL, K, JMP} only, see `Helper functions`_ 466EXIT 0x9 0x0 return {CALL, K, JMP} only 467JLT 0xa any PC += offset if dst < src unsigned 468JLE 0xb any PC += offset if dst <= src unsigned 469JSLT 0xc any PC += offset if dst < src signed 470JSLE 0xd any PC += offset if dst <= src signed 471======== ===== ======= ================================= =================================================== 472 473where 'PC' denotes the program counter, and the offset to increment by 474is in units of 64-bit instructions relative to the instruction following 475the jump instruction. Thus 'PC += 1' skips execution of the next 476instruction if it's a basic instruction or results in undefined behavior 477if the next instruction is a 128-bit wide instruction. 478 479The BPF program needs to store the return value into register R0 before doing an 480``EXIT``. 481 482Example: 483 484``{JSGE, X, JMP32}`` means:: 485 486 if (s32)dst s>= (s32)src goto +offset 487 488where 's>=' indicates a signed '>=' comparison. 489 490``{JA, K, JMP32}`` means:: 491 492 gotol +imm 493 494where 'imm' means the branch offset comes from the 'imm' field. 495 496Note that there are two flavors of ``JA`` instructions. The 497``JMP`` class permits a 16-bit jump offset specified by the 'offset' 498field, whereas the ``JMP32`` class permits a 32-bit jump offset 499specified by the 'imm' field. A > 16-bit conditional jump may be 500converted to a < 16-bit conditional jump plus a 32-bit unconditional 501jump. 502 503All ``CALL`` and ``JA`` instructions belong to the 504base32 conformance group. 505 506Helper functions 507~~~~~~~~~~~~~~~~ 508 509Helper functions are a concept whereby BPF programs can call into a 510set of function calls exposed by the underlying platform. 511 512Historically, each helper function was identified by a static ID 513encoded in the 'imm' field. The available helper functions may differ 514for each program type, but static IDs are unique across all program types. 515 516Platforms that support the BPF Type Format (BTF) support identifying 517a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID 518identifies the helper name and type. 519 520Program-local functions 521~~~~~~~~~~~~~~~~~~~~~~~ 522Program-local functions are functions exposed by the same BPF program as the 523caller, and are referenced by offset from the call instruction, similar to 524``JA``. The offset is encoded in the 'imm' field of the call instruction. 525An ``EXIT`` within the program-local function will return to the caller. 526 527Load and store instructions 528=========================== 529 530For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the 5318-bit 'opcode' field is divided as follows:: 532 533 +-+-+-+-+-+-+-+-+ 534 |mode |sz |class| 535 +-+-+-+-+-+-+-+-+ 536 537**mode** 538 The mode modifier is one of: 539 540 ============= ===== ==================================== ============= 541 mode modifier value description reference 542 ============= ===== ==================================== ============= 543 IMM 0 64-bit immediate instructions `64-bit immediate instructions`_ 544 ABS 1 legacy BPF packet access (absolute) `Legacy BPF Packet access instructions`_ 545 IND 2 legacy BPF packet access (indirect) `Legacy BPF Packet access instructions`_ 546 MEM 3 regular load and store operations `Regular load and store operations`_ 547 MEMSX 4 sign-extension load operations `Sign-extension load operations`_ 548 ATOMIC 6 atomic operations `Atomic operations`_ 549 ============= ===== ==================================== ============= 550 551**sz (size)** 552 The size modifier is one of: 553 554 ==== ===== ===================== 555 size value description 556 ==== ===== ===================== 557 W 0 word (4 bytes) 558 H 1 half word (2 bytes) 559 B 2 byte 560 DW 3 double word (8 bytes) 561 ==== ===== ===================== 562 563 Instructions using ``DW`` belong to the base64 conformance group. 564 565**class** 566 The instruction class (see `Instruction classes`_) 567 568Regular load and store operations 569--------------------------------- 570 571The ``MEM`` mode modifier is used to encode regular load and store 572instructions that transfer data between a register and memory. 573 574``{MEM, <size>, STX}`` means:: 575 576 *(size *) (dst + offset) = src 577 578``{MEM, <size>, ST}`` means:: 579 580 *(size *) (dst + offset) = imm 581 582``{MEM, <size>, LDX}`` means:: 583 584 dst = *(unsigned size *) (src + offset) 585 586Where '<size>' is one of: ``B``, ``H``, ``W``, or ``DW``, and 587'unsigned size' is one of: u8, u16, u32, or u64. 588 589Sign-extension load operations 590------------------------------ 591 592The ``MEMSX`` mode modifier is used to encode :term:`sign-extension<Sign Extend>` load 593instructions that transfer data between a register and memory. 594 595``{MEMSX, <size>, LDX}`` means:: 596 597 dst = *(signed size *) (src + offset) 598 599Where '<size>' is one of: ``B``, ``H``, or ``W``, and 600'signed size' is one of: s8, s16, or s32. 601 602Atomic operations 603----------------- 604 605Atomic operations are operations that operate on memory and can not be 606interrupted or corrupted by other access to the same memory region 607by other BPF programs or means outside of this specification. 608 609All atomic operations supported by BPF are encoded as store operations 610that use the ``ATOMIC`` mode modifier as follows: 611 612* ``{ATOMIC, W, STX}`` for 32-bit operations, which are 613 part of the "atomic32" conformance group. 614* ``{ATOMIC, DW, STX}`` for 64-bit operations, which are 615 part of the "atomic64" conformance group. 616* 8-bit and 16-bit wide atomic operations are not supported. 617 618The 'imm' field is used to encode the actual atomic operation. 619Simple atomic operation use a subset of the values defined to encode 620arithmetic operations in the 'imm' field to encode the atomic operation: 621 622======== ===== =========== 623imm value description 624======== ===== =========== 625ADD 0x00 atomic add 626OR 0x40 atomic or 627AND 0x50 atomic and 628XOR 0xa0 atomic xor 629======== ===== =========== 630 631 632``{ATOMIC, W, STX}`` with 'imm' = ADD means:: 633 634 *(u32 *)(dst + offset) += src 635 636``{ATOMIC, DW, STX}`` with 'imm' = ADD means:: 637 638 *(u64 *)(dst + offset) += src 639 640In addition to the simple atomic operations, there also is a modifier and 641two complex atomic operations: 642 643=========== ================ =========================== 644imm value description 645=========== ================ =========================== 646FETCH 0x01 modifier: return old value 647XCHG 0xe0 | FETCH atomic exchange 648CMPXCHG 0xf0 | FETCH atomic compare and exchange 649=========== ================ =========================== 650 651The ``FETCH`` modifier is optional for simple atomic operations, and 652always set for the complex atomic operations. If the ``FETCH`` flag 653is set, then the operation also overwrites ``src`` with the value that 654was in memory before it was modified. 655 656The ``XCHG`` operation atomically exchanges ``src`` with the value 657addressed by ``dst + offset``. 658 659The ``CMPXCHG`` operation atomically compares the value addressed by 660``dst + offset`` with ``R0``. If they match, the value addressed by 661``dst + offset`` is replaced with ``src``. In either case, the 662value that was at ``dst + offset`` before the operation is zero-extended 663and loaded back to ``R0``. 664 66564-bit immediate instructions 666----------------------------- 667 668Instructions with the ``IMM`` 'mode' modifier use the wide instruction 669encoding defined in `Instruction encoding`_, and use the 'src_reg' field of the 670basic instruction to hold an opcode subtype. 671 672The following table defines a set of ``{IMM, DW, LD}`` instructions 673with opcode subtypes in the 'src_reg' field, using new terms such as "map" 674defined further below: 675 676======= ========================================= =========== ============== 677src_reg pseudocode imm type dst type 678======= ========================================= =========== ============== 6790x0 dst = (next_imm << 32) | imm integer integer 6800x1 dst = map_by_fd(imm) map fd map 6810x2 dst = map_val(map_by_fd(imm)) + next_imm map fd data address 6820x3 dst = var_addr(imm) variable id data address 6830x4 dst = code_addr(imm) integer code address 6840x5 dst = map_by_idx(imm) map index map 6850x6 dst = map_val(map_by_idx(imm)) + next_imm map index data address 686======= ========================================= =========== ============== 687 688where 689 690* map_by_fd(imm) means to convert a 32-bit file descriptor into an address of a map (see `Maps`_) 691* map_by_idx(imm) means to convert a 32-bit index into an address of a map 692* map_val(map) gets the address of the first value in a given map 693* var_addr(imm) gets the address of a platform variable (see `Platform Variables`_) with a given id 694* code_addr(imm) gets the address of the instruction at a specified relative offset in number of (64-bit) instructions 695* the 'imm type' can be used by disassemblers for display 696* the 'dst type' can be used for verification and JIT compilation purposes 697 698Maps 699~~~~ 700 701Maps are shared memory regions accessible by BPF programs on some platforms. 702A map can have various semantics as defined in a separate document, and may or 703may not have a single contiguous memory region, but the 'map_val(map)' is 704currently only defined for maps that do have a single contiguous memory region. 705 706Each map can have a file descriptor (fd) if supported by the platform, where 707'map_by_fd(imm)' means to get the map with the specified file descriptor. Each 708BPF program can also be defined to use a set of maps associated with the 709program at load time, and 'map_by_idx(imm)' means to get the map with the given 710index in the set associated with the BPF program containing the instruction. 711 712Platform Variables 713~~~~~~~~~~~~~~~~~~ 714 715Platform variables are memory regions, identified by integer ids, exposed by 716the runtime and accessible by BPF programs on some platforms. The 717'var_addr(imm)' operation means to get the address of the memory region 718identified by the given id. 719 720Legacy BPF Packet access instructions 721------------------------------------- 722 723BPF previously introduced special instructions for access to packet data that were 724carried over from classic BPF. These instructions used an instruction 725class of ``LD``, a size modifier of ``W``, ``H``, or ``B``, and a 726mode modifier of ``ABS`` or ``IND``. The 'dst_reg' and 'offset' fields were 727set to zero, and 'src_reg' was set to zero for ``ABS``. However, these 728instructions are deprecated and should no longer be used. All legacy packet 729access instructions belong to the "packet" conformance group. 730