xref: /linux/Documentation/bpf/standardization/instruction-set.rst (revision 3ff78451b8e446e9a548b98a0d4dd8d24dc5780b)
1.. contents::
2.. sectnum::
3
4======================================
5BPF Instruction Set Architecture (ISA)
6======================================
7
8eBPF (which is no longer an acronym for anything), also commonly
9referred to as BPF, is a technology with origins in the Linux kernel
10that can run untrusted programs in a privileged context such as an
11operating system kernel. This document specifies the BPF instruction
12set architecture (ISA).
13
14Documentation conventions
15=========================
16
17For brevity and consistency, this document refers to families
18of types using a shorthand syntax and refers to several expository,
19mnemonic functions when describing the semantics of instructions.
20The range of valid values for those types and the semantics of those
21functions are defined in the following subsections.
22
23Types
24-----
25This document refers to integer types with the notation `SN` to specify
26a type's signedness (`S`) and bit width (`N`), respectively.
27
28.. table:: Meaning of signedness notation.
29
30  ==== =========
31  S    Meaning
32  ==== =========
33  u    unsigned
34  s    signed
35  ==== =========
36
37.. table:: Meaning of bit-width notation.
38
39  ===== =========
40  N     Bit width
41  ===== =========
42  8     8 bits
43  16    16 bits
44  32    32 bits
45  64    64 bits
46  128   128 bits
47  ===== =========
48
49For example, `u32` is a type whose valid values are all the 32-bit unsigned
50numbers and `s16` is a type whose valid values are all the 16-bit signed
51numbers.
52
53Functions
54---------
55* htobe16: Takes an unsigned 16-bit number in host-endian format and
56  returns the equivalent number as an unsigned 16-bit number in big-endian
57  format.
58* htobe32: Takes an unsigned 32-bit number in host-endian format and
59  returns the equivalent number as an unsigned 32-bit number in big-endian
60  format.
61* htobe64: Takes an unsigned 64-bit number in host-endian format and
62  returns the equivalent number as an unsigned 64-bit number in big-endian
63  format.
64* htole16: Takes an unsigned 16-bit number in host-endian format and
65  returns the equivalent number as an unsigned 16-bit number in little-endian
66  format.
67* htole32: Takes an unsigned 32-bit number in host-endian format and
68  returns the equivalent number as an unsigned 32-bit number in little-endian
69  format.
70* htole64: Takes an unsigned 64-bit number in host-endian format and
71  returns the equivalent number as an unsigned 64-bit number in little-endian
72  format.
73* bswap16: Takes an unsigned 16-bit number in either big- or little-endian
74  format and returns the equivalent number with the same bit width but
75  opposite endianness.
76* bswap32: Takes an unsigned 32-bit number in either big- or little-endian
77  format and returns the equivalent number with the same bit width but
78  opposite endianness.
79* bswap64: Takes an unsigned 64-bit number in either big- or little-endian
80  format and returns the equivalent number with the same bit width but
81  opposite endianness.
82
83
84Definitions
85-----------
86
87.. glossary::
88
89  Sign Extend
90    To `sign extend an` ``X`` `-bit number, A, to a` ``Y`` `-bit number, B  ,` means to
91
92    #. Copy all ``X`` bits from `A` to the lower ``X`` bits of `B`.
93    #. Set the value of the remaining ``Y`` - ``X`` bits of `B` to the value of
94       the  most-significant bit of `A`.
95
96.. admonition:: Example
97
98  Sign extend an 8-bit number ``A`` to a 16-bit number ``B`` on a big-endian platform:
99  ::
100
101    A:          10000110
102    B: 11111111 10000110
103
104Conformance groups
105------------------
106
107An implementation does not need to support all instructions specified in this
108document (e.g., deprecated instructions).  Instead, a number of conformance
109groups are specified.  An implementation must support the base32 conformance
110group and may support additional conformance groups, where supporting a
111conformance group means it must support all instructions in that conformance
112group.
113
114The use of named conformance groups enables interoperability between a runtime
115that executes instructions, and tools such as compilers that generate
116instructions for the runtime.  Thus, capability discovery in terms of
117conformance groups might be done manually by users or automatically by tools.
118
119Each conformance group has a short ASCII label (e.g., "base32") that
120corresponds to a set of instructions that are mandatory.  That is, each
121instruction has one or more conformance groups of which it is a member.
122
123This document defines the following conformance groups:
124
125* base32: includes all instructions defined in this
126  specification unless otherwise noted.
127* base64: includes base32, plus instructions explicitly noted
128  as being in the base64 conformance group.
129* atomic32: includes 32-bit atomic operation instructions (see `Atomic operations`_).
130* atomic64: includes atomic32, plus 64-bit atomic operation instructions.
131* divmul32: includes 32-bit division, multiplication, and modulo instructions.
132* divmul64: includes divmul32, plus 64-bit division, multiplication,
133  and modulo instructions.
134* packet: deprecated packet access instructions.
135
136Instruction encoding
137====================
138
139BPF has two instruction encodings:
140
141* the basic instruction encoding, which uses 64 bits to encode an instruction
142* the wide instruction encoding, which appends a second 64 bits
143  after the basic instruction for a total of 128 bits.
144
145Basic instruction encoding
146--------------------------
147
148A basic instruction is encoded as follows::
149
150  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
151  |    opcode     |     regs      |            offset             |
152  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
153  |                              imm                              |
154  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
155
156**opcode**
157  operation to perform, encoded as follows::
158
159    +-+-+-+-+-+-+-+-+
160    |specific |class|
161    +-+-+-+-+-+-+-+-+
162
163  **specific**
164    The format of these bits varies by instruction class
165
166  **class**
167    The instruction class (see `Instruction classes`_)
168
169**regs**
170  The source and destination register numbers, encoded as follows
171  on a little-endian host::
172
173    +-+-+-+-+-+-+-+-+
174    |src_reg|dst_reg|
175    +-+-+-+-+-+-+-+-+
176
177  and as follows on a big-endian host::
178
179    +-+-+-+-+-+-+-+-+
180    |dst_reg|src_reg|
181    +-+-+-+-+-+-+-+-+
182
183  **src_reg**
184    the source register number (0-10), except where otherwise specified
185    (`64-bit immediate instructions`_ reuse this field for other purposes)
186
187  **dst_reg**
188    destination register number (0-10), unless otherwise specified
189    (future instructions might reuse this field for other purposes)
190
191**offset**
192  signed integer offset used with pointer arithmetic, except where
193  otherwise specified (some arithmetic instructions reuse this field
194  for other purposes)
195
196**imm**
197  signed integer immediate value
198
199Note that the contents of multi-byte fields ('offset' and 'imm') are
200stored using big-endian byte ordering on big-endian hosts and
201little-endian byte ordering on little-endian hosts.
202
203For example::
204
205  opcode                  offset imm          assembly
206         src_reg dst_reg
207  07     0       1        00 00  44 33 22 11  r1 += 0x11223344 // little
208         dst_reg src_reg
209  07     1       0        00 00  11 22 33 44  r1 += 0x11223344 // big
210
211Note that most instructions do not use all of the fields.
212Unused fields shall be cleared to zero.
213
214Wide instruction encoding
215--------------------------
216
217Some instructions are defined to use the wide instruction encoding,
218which uses two 32-bit immediate values.  The 64 bits following
219the basic instruction format contain a pseudo instruction
220with 'opcode', 'dst_reg', 'src_reg', and 'offset' all set to zero.
221
222This is depicted in the following figure::
223
224  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
225  |    opcode     |     regs      |            offset             |
226  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
227  |                              imm                              |
228  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
229  |                           reserved                            |
230  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
231  |                           next_imm                            |
232  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233
234**opcode**
235  operation to perform, encoded as explained above
236
237**regs**
238  The source and destination register numbers (unless otherwise
239  specified), encoded as explained above
240
241**offset**
242  signed integer offset used with pointer arithmetic, unless
243  otherwise specified
244
245**imm**
246  signed integer immediate value
247
248**reserved**
249  unused, set to zero
250
251**next_imm**
252  second signed integer immediate value
253
254Instruction classes
255-------------------
256
257The three least significant bits of the 'opcode' field store the instruction class:
258
259=====  =====  ===============================  ===================================
260class  value  description                      reference
261=====  =====  ===============================  ===================================
262LD     0x0    non-standard load operations     `Load and store instructions`_
263LDX    0x1    load into register operations    `Load and store instructions`_
264ST     0x2    store from immediate operations  `Load and store instructions`_
265STX    0x3    store from register operations   `Load and store instructions`_
266ALU    0x4    32-bit arithmetic operations     `Arithmetic and jump instructions`_
267JMP    0x5    64-bit jump operations           `Arithmetic and jump instructions`_
268JMP32  0x6    32-bit jump operations           `Arithmetic and jump instructions`_
269ALU64  0x7    64-bit arithmetic operations     `Arithmetic and jump instructions`_
270=====  =====  ===============================  ===================================
271
272Arithmetic and jump instructions
273================================
274
275For arithmetic and jump instructions (``ALU``, ``ALU64``, ``JMP`` and
276``JMP32``), the 8-bit 'opcode' field is divided into three parts::
277
278  +-+-+-+-+-+-+-+-+
279  |  code |s|class|
280  +-+-+-+-+-+-+-+-+
281
282**code**
283  the operation code, whose meaning varies by instruction class
284
285**s (source)**
286  the source operand location, which unless otherwise specified is one of:
287
288  ======  =====  ==============================================
289  source  value  description
290  ======  =====  ==============================================
291  K       0      use 32-bit 'imm' value as source operand
292  X       1      use 'src_reg' register value as source operand
293  ======  =====  ==============================================
294
295**instruction class**
296  the instruction class (see `Instruction classes`_)
297
298Arithmetic instructions
299-----------------------
300
301``ALU`` uses 32-bit wide operands while ``ALU64`` uses 64-bit wide operands for
302otherwise identical operations. ``ALU64`` instructions belong to the
303base64 conformance group unless noted otherwise.
304The 'code' field encodes the operation as below, where 'src' refers to the
305the source operand and 'dst' refers to the value of the destination
306register.
307
308=====  =====  =======  ==========================================================
309name   code   offset   description
310=====  =====  =======  ==========================================================
311ADD    0x0    0        dst += src
312SUB    0x1    0        dst -= src
313MUL    0x2    0        dst \*= src
314DIV    0x3    0        dst = (src != 0) ? (dst / src) : 0
315SDIV   0x3    1        dst = (src != 0) ? (dst s/ src) : 0
316OR     0x4    0        dst \|= src
317AND    0x5    0        dst &= src
318LSH    0x6    0        dst <<= (src & mask)
319RSH    0x7    0        dst >>= (src & mask)
320NEG    0x8    0        dst = -dst
321MOD    0x9    0        dst = (src != 0) ? (dst % src) : dst
322SMOD   0x9    1        dst = (src != 0) ? (dst s% src) : dst
323XOR    0xa    0        dst ^= src
324MOV    0xb    0        dst = src
325MOVSX  0xb    8/16/32  dst = (s8,s16,s32)src
326ARSH   0xc    0        :term:`sign extending<Sign Extend>` dst >>= (src & mask)
327END    0xd    0        byte swap operations (see `Byte swap instructions`_ below)
328=====  =====  =======  ==========================================================
329
330Underflow and overflow are allowed during arithmetic operations, meaning
331the 64-bit or 32-bit value will wrap. If BPF program execution would
332result in division by zero, the destination register is instead set to zero.
333If execution would result in modulo by zero, for ``ALU64`` the value of
334the destination register is unchanged whereas for ``ALU`` the upper
33532 bits of the destination register are zeroed.
336
337``{ADD, X, ALU}``, where 'code' = ``ADD``, 'source' = ``X``, and 'class' = ``ALU``, means::
338
339  dst = (u32) ((u32) dst + (u32) src)
340
341where '(u32)' indicates that the upper 32 bits are zeroed.
342
343``{ADD, X, ALU64}`` means::
344
345  dst = dst + src
346
347``{XOR, K, ALU}`` means::
348
349  dst = (u32) dst ^ (u32) imm
350
351``{XOR, K, ALU64}`` means::
352
353  dst = dst ^ imm
354
355Note that most arithmetic instructions have 'offset' set to 0. Only three instructions
356(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'.
357
358Division, multiplication, and modulo operations for ``ALU`` are part
359of the "divmul32" conformance group, and division, multiplication, and
360modulo operations for ``ALU64`` are part of the "divmul64" conformance
361group.
362The division and modulo operations support both unsigned and signed flavors.
363
364For unsigned operations (``DIV`` and ``MOD``), for ``ALU``,
365'imm' is interpreted as a 32-bit unsigned value. For ``ALU64``,
366'imm' is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
367interpreted as a 64-bit unsigned value.
368
369For signed operations (``SDIV`` and ``SMOD``), for ``ALU``,
370'imm' is interpreted as a 32-bit signed value. For ``ALU64``, 'imm'
371is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
372interpreted as a 64-bit signed value.
373
374Note that there are varying definitions of the signed modulo operation
375when the dividend or divisor are negative, where implementations often
376vary by language such that Python, Ruby, etc.  differ from C, Go, Java,
377etc. This specification requires that signed modulo use truncated division
378(where -13 % 3 == -1) as implemented in C, Go, etc.::
379
380   a % n = a - n * trunc(a / n)
381
382The ``MOVSX`` instruction does a move operation with sign extension.
383``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into
38432-bit operands, and zeroes the remaining upper 32 bits.
385``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit
386operands into 64-bit operands.  Unlike other arithmetic instructions,
387``MOVSX`` is only defined for register source operands (``X``).
388
389The ``NEG`` instruction is only defined when the source bit is clear
390(``K``).
391
392Shift operations use a mask of 0x3F (63) for 64-bit operations and 0x1F (31)
393for 32-bit operations.
394
395Byte swap instructions
396----------------------
397
398The byte swap instructions use instruction classes of ``ALU`` and ``ALU64``
399and a 4-bit 'code' field of ``END``.
400
401The byte swap instructions operate on the destination register
402only and do not use a separate source register or immediate value.
403
404For ``ALU``, the 1-bit source operand field in the opcode is used to
405select what byte order the operation converts from or to. For
406``ALU64``, the 1-bit source operand field in the opcode is reserved
407and must be set to 0.
408
409=====  ========  =====  =================================================
410class  source    value  description
411=====  ========  =====  =================================================
412ALU    TO_LE     0      convert between host byte order and little endian
413ALU    TO_BE     1      convert between host byte order and big endian
414ALU64  Reserved  0      do byte swap unconditionally
415=====  ========  =====  =================================================
416
417The 'imm' field encodes the width of the swap operations.  The following widths
418are supported: 16, 32 and 64.  Width 64 operations belong to the base64
419conformance group and other swap operations belong to the base32
420conformance group.
421
422Examples:
423
424``{END, TO_LE, ALU}`` with 'imm' = 16/32/64 means::
425
426  dst = htole16(dst)
427  dst = htole32(dst)
428  dst = htole64(dst)
429
430``{END, TO_BE, ALU}`` with 'imm' = 16/32/64 means::
431
432  dst = htobe16(dst)
433  dst = htobe32(dst)
434  dst = htobe64(dst)
435
436``{END, TO_LE, ALU64}`` with 'imm' = 16/32/64 means::
437
438  dst = bswap16(dst)
439  dst = bswap32(dst)
440  dst = bswap64(dst)
441
442Jump instructions
443-----------------
444
445``JMP32`` uses 32-bit wide operands and indicates the base32
446conformance group, while ``JMP`` uses 64-bit wide operands for
447otherwise identical operations, and indicates the base64 conformance
448group unless otherwise specified.
449The 'code' field encodes the operation as below:
450
451========  =====  =======  =================================  ===================================================
452code      value  src_reg  description                        notes
453========  =====  =======  =================================  ===================================================
454JA        0x0    0x0      PC += offset                       {JA, K, JMP} only
455JA        0x0    0x0      PC += imm                          {JA, K, JMP32} only
456JEQ       0x1    any      PC += offset if dst == src
457JGT       0x2    any      PC += offset if dst > src          unsigned
458JGE       0x3    any      PC += offset if dst >= src         unsigned
459JSET      0x4    any      PC += offset if dst & src
460JNE       0x5    any      PC += offset if dst != src
461JSGT      0x6    any      PC += offset if dst > src          signed
462JSGE      0x7    any      PC += offset if dst >= src         signed
463CALL      0x8    0x0      call helper function by static ID  {CALL, K, JMP} only, see `Helper functions`_
464CALL      0x8    0x1      call PC += imm                     {CALL, K, JMP} only, see `Program-local functions`_
465CALL      0x8    0x2      call helper function by BTF ID     {CALL, K, JMP} only, see `Helper functions`_
466EXIT      0x9    0x0      return                             {CALL, K, JMP} only
467JLT       0xa    any      PC += offset if dst < src          unsigned
468JLE       0xb    any      PC += offset if dst <= src         unsigned
469JSLT      0xc    any      PC += offset if dst < src          signed
470JSLE      0xd    any      PC += offset if dst <= src         signed
471========  =====  =======  =================================  ===================================================
472
473where 'PC' denotes the program counter, and the offset to increment by
474is in units of 64-bit instructions relative to the instruction following
475the jump instruction.  Thus 'PC += 1' skips execution of the next
476instruction if it's a basic instruction or results in undefined behavior
477if the next instruction is a 128-bit wide instruction.
478
479The BPF program needs to store the return value into register R0 before doing an
480``EXIT``.
481
482Example:
483
484``{JSGE, X, JMP32}`` means::
485
486  if (s32)dst s>= (s32)src goto +offset
487
488where 's>=' indicates a signed '>=' comparison.
489
490``{JA, K, JMP32}`` means::
491
492  gotol +imm
493
494where 'imm' means the branch offset comes from the 'imm' field.
495
496Note that there are two flavors of ``JA`` instructions. The
497``JMP`` class permits a 16-bit jump offset specified by the 'offset'
498field, whereas the ``JMP32`` class permits a 32-bit jump offset
499specified by the 'imm' field. A > 16-bit conditional jump may be
500converted to a < 16-bit conditional jump plus a 32-bit unconditional
501jump.
502
503All ``CALL`` and ``JA`` instructions belong to the
504base32 conformance group.
505
506Helper functions
507~~~~~~~~~~~~~~~~
508
509Helper functions are a concept whereby BPF programs can call into a
510set of function calls exposed by the underlying platform.
511
512Historically, each helper function was identified by a static ID
513encoded in the 'imm' field.  The available helper functions may differ
514for each program type, but static IDs are unique across all program types.
515
516Platforms that support the BPF Type Format (BTF) support identifying
517a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID
518identifies the helper name and type.
519
520Program-local functions
521~~~~~~~~~~~~~~~~~~~~~~~
522Program-local functions are functions exposed by the same BPF program as the
523caller, and are referenced by offset from the call instruction, similar to
524``JA``.  The offset is encoded in the 'imm' field of the call instruction.
525An ``EXIT`` within the program-local function will return to the caller.
526
527Load and store instructions
528===========================
529
530For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the
5318-bit 'opcode' field is divided as follows::
532
533  +-+-+-+-+-+-+-+-+
534  |mode |sz |class|
535  +-+-+-+-+-+-+-+-+
536
537**mode**
538  The mode modifier is one of:
539
540    =============  =====  ====================================  =============
541    mode modifier  value  description                           reference
542    =============  =====  ====================================  =============
543    IMM            0      64-bit immediate instructions         `64-bit immediate instructions`_
544    ABS            1      legacy BPF packet access (absolute)   `Legacy BPF Packet access instructions`_
545    IND            2      legacy BPF packet access (indirect)   `Legacy BPF Packet access instructions`_
546    MEM            3      regular load and store operations     `Regular load and store operations`_
547    MEMSX          4      sign-extension load operations        `Sign-extension load operations`_
548    ATOMIC         6      atomic operations                     `Atomic operations`_
549    =============  =====  ====================================  =============
550
551**sz (size)**
552  The size modifier is one of:
553
554    ====  =====  =====================
555    size  value  description
556    ====  =====  =====================
557    W     0      word        (4 bytes)
558    H     1      half word   (2 bytes)
559    B     2      byte
560    DW    3      double word (8 bytes)
561    ====  =====  =====================
562
563  Instructions using ``DW`` belong to the base64 conformance group.
564
565**class**
566  The instruction class (see `Instruction classes`_)
567
568Regular load and store operations
569---------------------------------
570
571The ``MEM`` mode modifier is used to encode regular load and store
572instructions that transfer data between a register and memory.
573
574``{MEM, <size>, STX}`` means::
575
576  *(size *) (dst + offset) = src
577
578``{MEM, <size>, ST}`` means::
579
580  *(size *) (dst + offset) = imm
581
582``{MEM, <size>, LDX}`` means::
583
584  dst = *(unsigned size *) (src + offset)
585
586Where '<size>' is one of: ``B``, ``H``, ``W``, or ``DW``, and
587'unsigned size' is one of: u8, u16, u32, or u64.
588
589Sign-extension load operations
590------------------------------
591
592The ``MEMSX`` mode modifier is used to encode :term:`sign-extension<Sign Extend>` load
593instructions that transfer data between a register and memory.
594
595``{MEMSX, <size>, LDX}`` means::
596
597  dst = *(signed size *) (src + offset)
598
599Where '<size>' is one of: ``B``, ``H``, or ``W``, and
600'signed size' is one of: s8, s16, or s32.
601
602Atomic operations
603-----------------
604
605Atomic operations are operations that operate on memory and can not be
606interrupted or corrupted by other access to the same memory region
607by other BPF programs or means outside of this specification.
608
609All atomic operations supported by BPF are encoded as store operations
610that use the ``ATOMIC`` mode modifier as follows:
611
612* ``{ATOMIC, W, STX}`` for 32-bit operations, which are
613  part of the "atomic32" conformance group.
614* ``{ATOMIC, DW, STX}`` for 64-bit operations, which are
615  part of the "atomic64" conformance group.
616* 8-bit and 16-bit wide atomic operations are not supported.
617
618The 'imm' field is used to encode the actual atomic operation.
619Simple atomic operation use a subset of the values defined to encode
620arithmetic operations in the 'imm' field to encode the atomic operation:
621
622========  =====  ===========
623imm       value  description
624========  =====  ===========
625ADD       0x00   atomic add
626OR        0x40   atomic or
627AND       0x50   atomic and
628XOR       0xa0   atomic xor
629========  =====  ===========
630
631
632``{ATOMIC, W, STX}`` with 'imm' = ADD means::
633
634  *(u32 *)(dst + offset) += src
635
636``{ATOMIC, DW, STX}`` with 'imm' = ADD means::
637
638  *(u64 *)(dst + offset) += src
639
640In addition to the simple atomic operations, there also is a modifier and
641two complex atomic operations:
642
643===========  ================  ===========================
644imm          value             description
645===========  ================  ===========================
646FETCH        0x01              modifier: return old value
647XCHG         0xe0 | FETCH      atomic exchange
648CMPXCHG      0xf0 | FETCH      atomic compare and exchange
649===========  ================  ===========================
650
651The ``FETCH`` modifier is optional for simple atomic operations, and
652always set for the complex atomic operations.  If the ``FETCH`` flag
653is set, then the operation also overwrites ``src`` with the value that
654was in memory before it was modified.
655
656The ``XCHG`` operation atomically exchanges ``src`` with the value
657addressed by ``dst + offset``.
658
659The ``CMPXCHG`` operation atomically compares the value addressed by
660``dst + offset`` with ``R0``. If they match, the value addressed by
661``dst + offset`` is replaced with ``src``. In either case, the
662value that was at ``dst + offset`` before the operation is zero-extended
663and loaded back to ``R0``.
664
66564-bit immediate instructions
666-----------------------------
667
668Instructions with the ``IMM`` 'mode' modifier use the wide instruction
669encoding defined in `Instruction encoding`_, and use the 'src_reg' field of the
670basic instruction to hold an opcode subtype.
671
672The following table defines a set of ``{IMM, DW, LD}`` instructions
673with opcode subtypes in the 'src_reg' field, using new terms such as "map"
674defined further below:
675
676=======  =========================================  ===========  ==============
677src_reg  pseudocode                                 imm type     dst type
678=======  =========================================  ===========  ==============
6790x0      dst = (next_imm << 32) | imm               integer      integer
6800x1      dst = map_by_fd(imm)                       map fd       map
6810x2      dst = map_val(map_by_fd(imm)) + next_imm   map fd       data address
6820x3      dst = var_addr(imm)                        variable id  data address
6830x4      dst = code_addr(imm)                       integer      code address
6840x5      dst = map_by_idx(imm)                      map index    map
6850x6      dst = map_val(map_by_idx(imm)) + next_imm  map index    data address
686=======  =========================================  ===========  ==============
687
688where
689
690* map_by_fd(imm) means to convert a 32-bit file descriptor into an address of a map (see `Maps`_)
691* map_by_idx(imm) means to convert a 32-bit index into an address of a map
692* map_val(map) gets the address of the first value in a given map
693* var_addr(imm) gets the address of a platform variable (see `Platform Variables`_) with a given id
694* code_addr(imm) gets the address of the instruction at a specified relative offset in number of (64-bit) instructions
695* the 'imm type' can be used by disassemblers for display
696* the 'dst type' can be used for verification and JIT compilation purposes
697
698Maps
699~~~~
700
701Maps are shared memory regions accessible by BPF programs on some platforms.
702A map can have various semantics as defined in a separate document, and may or
703may not have a single contiguous memory region, but the 'map_val(map)' is
704currently only defined for maps that do have a single contiguous memory region.
705
706Each map can have a file descriptor (fd) if supported by the platform, where
707'map_by_fd(imm)' means to get the map with the specified file descriptor. Each
708BPF program can also be defined to use a set of maps associated with the
709program at load time, and 'map_by_idx(imm)' means to get the map with the given
710index in the set associated with the BPF program containing the instruction.
711
712Platform Variables
713~~~~~~~~~~~~~~~~~~
714
715Platform variables are memory regions, identified by integer ids, exposed by
716the runtime and accessible by BPF programs on some platforms.  The
717'var_addr(imm)' operation means to get the address of the memory region
718identified by the given id.
719
720Legacy BPF Packet access instructions
721-------------------------------------
722
723BPF previously introduced special instructions for access to packet data that were
724carried over from classic BPF. These instructions used an instruction
725class of ``LD``, a size modifier of ``W``, ``H``, or ``B``, and a
726mode modifier of ``ABS`` or ``IND``.  The 'dst_reg' and 'offset' fields were
727set to zero, and 'src_reg' was set to zero for ``ABS``.  However, these
728instructions are deprecated and should no longer be used.  All legacy packet
729access instructions belong to the "packet" conformance group.
730