xref: /linux/Documentation/bpf/standardization/instruction-set.rst (revision b1156532bc29ac9a8d1cf71510cabc8f68181540) 
1.. contents::
2.. sectnum::
3
4======================================
5BPF Instruction Set Architecture (ISA)
6======================================
7
8eBPF (which is no longer an acronym for anything), also commonly
9referred to as BPF, is a technology with origins in the Linux kernel
10that can run untrusted programs in a privileged context such as an
11operating system kernel. This document specifies the BPF instruction
12set architecture (ISA).
13
14Documentation conventions
15=========================
16
17The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
18"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
19"OPTIONAL" in this document are to be interpreted as described in
20BCP 14 `<https://www.rfc-editor.org/info/rfc2119>`_
21`RFC8174 <https://www.rfc-editor.org/info/rfc8174>`_
22when, and only when, they appear in all capitals, as shown here.
23
24For brevity and consistency, this document refers to families
25of types using a shorthand syntax and refers to several expository,
26mnemonic functions when describing the semantics of instructions.
27The range of valid values for those types and the semantics of those
28functions are defined in the following subsections.
29
30Types
31-----
32This document refers to integer types with the notation `SN` to specify
33a type's signedness (`S`) and bit width (`N`), respectively.
34
35.. table:: Meaning of signedness notation
36
37  ==== =========
38  S    Meaning
39  ==== =========
40  u    unsigned
41  s    signed
42  ==== =========
43
44.. table:: Meaning of bit-width notation
45
46  ===== =========
47  N     Bit width
48  ===== =========
49  8     8 bits
50  16    16 bits
51  32    32 bits
52  64    64 bits
53  128   128 bits
54  ===== =========
55
56For example, `u32` is a type whose valid values are all the 32-bit unsigned
57numbers and `s16` is a type whose valid values are all the 16-bit signed
58numbers.
59
60Functions
61---------
62* htobe16: Takes an unsigned 16-bit number in host-endian format and
63  returns the equivalent number as an unsigned 16-bit number in big-endian
64  format.
65* htobe32: Takes an unsigned 32-bit number in host-endian format and
66  returns the equivalent number as an unsigned 32-bit number in big-endian
67  format.
68* htobe64: Takes an unsigned 64-bit number in host-endian format and
69  returns the equivalent number as an unsigned 64-bit number in big-endian
70  format.
71* htole16: Takes an unsigned 16-bit number in host-endian format and
72  returns the equivalent number as an unsigned 16-bit number in little-endian
73  format.
74* htole32: Takes an unsigned 32-bit number in host-endian format and
75  returns the equivalent number as an unsigned 32-bit number in little-endian
76  format.
77* htole64: Takes an unsigned 64-bit number in host-endian format and
78  returns the equivalent number as an unsigned 64-bit number in little-endian
79  format.
80* bswap16: Takes an unsigned 16-bit number in either big- or little-endian
81  format and returns the equivalent number with the same bit width but
82  opposite endianness.
83* bswap32: Takes an unsigned 32-bit number in either big- or little-endian
84  format and returns the equivalent number with the same bit width but
85  opposite endianness.
86* bswap64: Takes an unsigned 64-bit number in either big- or little-endian
87  format and returns the equivalent number with the same bit width but
88  opposite endianness.
89
90
91Definitions
92-----------
93
94.. glossary::
95
96  Sign Extend
97    To `sign extend an` ``X`` `-bit number, A, to a` ``Y`` `-bit number, B  ,` means to
98
99    #. Copy all ``X`` bits from `A` to the lower ``X`` bits of `B`.
100    #. Set the value of the remaining ``Y`` - ``X`` bits of `B` to the value of
101       the  most-significant bit of `A`.
102
103.. admonition:: Example
104
105  Sign extend an 8-bit number ``A`` to a 16-bit number ``B`` on a big-endian platform:
106  ::
107
108    A:          10000110
109    B: 11111111 10000110
110
111Conformance groups
112------------------
113
114An implementation does not need to support all instructions specified in this
115document (e.g., deprecated instructions).  Instead, a number of conformance
116groups are specified.  An implementation MUST support the base32 conformance
117group and MAY support additional conformance groups, where supporting a
118conformance group means it MUST support all instructions in that conformance
119group.
120
121The use of named conformance groups enables interoperability between a runtime
122that executes instructions, and tools such as compilers that generate
123instructions for the runtime.  Thus, capability discovery in terms of
124conformance groups might be done manually by users or automatically by tools.
125
126Each conformance group has a short ASCII label (e.g., "base32") that
127corresponds to a set of instructions that are mandatory.  That is, each
128instruction has one or more conformance groups of which it is a member.
129
130This document defines the following conformance groups:
131
132* base32: includes all instructions defined in this
133  specification unless otherwise noted.
134* base64: includes base32, plus instructions explicitly noted
135  as being in the base64 conformance group.
136* atomic32: includes 32-bit atomic operation instructions (see `Atomic operations`_).
137* atomic64: includes atomic32, plus 64-bit atomic operation instructions.
138* divmul32: includes 32-bit division, multiplication, and modulo instructions.
139* divmul64: includes divmul32, plus 64-bit division, multiplication,
140  and modulo instructions.
141* packet: deprecated packet access instructions.
142
143Instruction encoding
144====================
145
146BPF has two instruction encodings:
147
148* the basic instruction encoding, which uses 64 bits to encode an instruction
149* the wide instruction encoding, which appends a second 64 bits
150  after the basic instruction for a total of 128 bits.
151
152Basic instruction encoding
153--------------------------
154
155A basic instruction is encoded as follows::
156
157  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
158  |    opcode     |     regs      |            offset             |
159  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
160  |                              imm                              |
161  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
162
163**opcode**
164  operation to perform, encoded as follows::
165
166    +-+-+-+-+-+-+-+-+
167    |specific |class|
168    +-+-+-+-+-+-+-+-+
169
170  **specific**
171    The format of these bits varies by instruction class
172
173  **class**
174    The instruction class (see `Instruction classes`_)
175
176**regs**
177  The source and destination register numbers, encoded as follows
178  on a little-endian host::
179
180    +-+-+-+-+-+-+-+-+
181    |src_reg|dst_reg|
182    +-+-+-+-+-+-+-+-+
183
184  and as follows on a big-endian host::
185
186    +-+-+-+-+-+-+-+-+
187    |dst_reg|src_reg|
188    +-+-+-+-+-+-+-+-+
189
190  **src_reg**
191    the source register number (0-10), except where otherwise specified
192    (`64-bit immediate instructions`_ reuse this field for other purposes)
193
194  **dst_reg**
195    destination register number (0-10), unless otherwise specified
196    (future instructions might reuse this field for other purposes)
197
198**offset**
199  signed integer offset used with pointer arithmetic, except where
200  otherwise specified (some arithmetic instructions reuse this field
201  for other purposes)
202
203**imm**
204  signed integer immediate value
205
206Note that the contents of multi-byte fields ('offset' and 'imm') are
207stored using big-endian byte ordering on big-endian hosts and
208little-endian byte ordering on little-endian hosts.
209
210For example::
211
212  opcode                  offset imm          assembly
213         src_reg dst_reg
214  07     0       1        00 00  44 33 22 11  r1 += 0x11223344 // little
215         dst_reg src_reg
216  07     1       0        00 00  11 22 33 44  r1 += 0x11223344 // big
217
218Note that most instructions do not use all of the fields.
219Unused fields SHALL be cleared to zero.
220
221Wide instruction encoding
222--------------------------
223
224Some instructions are defined to use the wide instruction encoding,
225which uses two 32-bit immediate values.  The 64 bits following
226the basic instruction format contain a pseudo instruction
227with 'opcode', 'dst_reg', 'src_reg', and 'offset' all set to zero.
228
229This is depicted in the following figure::
230
231  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
232  |    opcode     |     regs      |            offset             |
233  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
234  |                              imm                              |
235  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
236  |                           reserved                            |
237  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
238  |                           next_imm                            |
239  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
240
241**opcode**
242  operation to perform, encoded as explained above
243
244**regs**
245  The source and destination register numbers (unless otherwise
246  specified), encoded as explained above
247
248**offset**
249  signed integer offset used with pointer arithmetic, unless
250  otherwise specified
251
252**imm**
253  signed integer immediate value
254
255**reserved**
256  unused, set to zero
257
258**next_imm**
259  second signed integer immediate value
260
261Instruction classes
262-------------------
263
264The three least significant bits of the 'opcode' field store the instruction class:
265
266.. table:: Instruction class
267
268  =====  =====  ===============================  ===================================
269  class  value  description                      reference
270  =====  =====  ===============================  ===================================
271  LD     0x0    non-standard load operations     `Load and store instructions`_
272  LDX    0x1    load into register operations    `Load and store instructions`_
273  ST     0x2    store from immediate operations  `Load and store instructions`_
274  STX    0x3    store from register operations   `Load and store instructions`_
275  ALU    0x4    32-bit arithmetic operations     `Arithmetic and jump instructions`_
276  JMP    0x5    64-bit jump operations           `Arithmetic and jump instructions`_
277  JMP32  0x6    32-bit jump operations           `Arithmetic and jump instructions`_
278  ALU64  0x7    64-bit arithmetic operations     `Arithmetic and jump instructions`_
279  =====  =====  ===============================  ===================================
280
281Arithmetic and jump instructions
282================================
283
284For arithmetic and jump instructions (``ALU``, ``ALU64``, ``JMP`` and
285``JMP32``), the 8-bit 'opcode' field is divided into three parts::
286
287  +-+-+-+-+-+-+-+-+
288  |  code |s|class|
289  +-+-+-+-+-+-+-+-+
290
291**code**
292  the operation code, whose meaning varies by instruction class
293
294**s (source)**
295  the source operand location, which unless otherwise specified is one of:
296
297  .. table:: Source operand location
298
299    ======  =====  ==============================================
300    source  value  description
301    ======  =====  ==============================================
302    K       0      use 32-bit 'imm' value as source operand
303    X       1      use 'src_reg' register value as source operand
304    ======  =====  ==============================================
305
306**instruction class**
307  the instruction class (see `Instruction classes`_)
308
309Arithmetic instructions
310-----------------------
311
312``ALU`` uses 32-bit wide operands while ``ALU64`` uses 64-bit wide operands for
313otherwise identical operations. ``ALU64`` instructions belong to the
314base64 conformance group unless noted otherwise.
315The 'code' field encodes the operation as below, where 'src' refers to the
316the source operand and 'dst' refers to the value of the destination
317register.
318
319.. table:: Arithmetic instructions
320
321  =====  =====  =======  ==========================================================
322  name   code   offset   description
323  =====  =====  =======  ==========================================================
324  ADD    0x0    0        dst += src
325  SUB    0x1    0        dst -= src
326  MUL    0x2    0        dst \*= src
327  DIV    0x3    0        dst = (src != 0) ? (dst / src) : 0
328  SDIV   0x3    1        dst = (src != 0) ? (dst s/ src) : 0
329  OR     0x4    0        dst \|= src
330  AND    0x5    0        dst &= src
331  LSH    0x6    0        dst <<= (src & mask)
332  RSH    0x7    0        dst >>= (src & mask)
333  NEG    0x8    0        dst = -dst
334  MOD    0x9    0        dst = (src != 0) ? (dst % src) : dst
335  SMOD   0x9    1        dst = (src != 0) ? (dst s% src) : dst
336  XOR    0xa    0        dst ^= src
337  MOV    0xb    0        dst = src
338  MOVSX  0xb    8/16/32  dst = (s8,s16,s32)src
339  ARSH   0xc    0        :term:`sign extending<Sign Extend>` dst >>= (src & mask)
340  END    0xd    0        byte swap operations (see `Byte swap instructions`_ below)
341  =====  =====  =======  ==========================================================
342
343Underflow and overflow are allowed during arithmetic operations, meaning
344the 64-bit or 32-bit value will wrap. If BPF program execution would
345result in division by zero, the destination register is instead set to zero.
346If execution would result in modulo by zero, for ``ALU64`` the value of
347the destination register is unchanged whereas for ``ALU`` the upper
34832 bits of the destination register are zeroed.
349
350``{ADD, X, ALU}``, where 'code' = ``ADD``, 'source' = ``X``, and 'class' = ``ALU``, means::
351
352  dst = (u32) ((u32) dst + (u32) src)
353
354where '(u32)' indicates that the upper 32 bits are zeroed.
355
356``{ADD, X, ALU64}`` means::
357
358  dst = dst + src
359
360``{XOR, K, ALU}`` means::
361
362  dst = (u32) dst ^ (u32) imm
363
364``{XOR, K, ALU64}`` means::
365
366  dst = dst ^ imm
367
368Note that most arithmetic instructions have 'offset' set to 0. Only three instructions
369(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'.
370
371Division, multiplication, and modulo operations for ``ALU`` are part
372of the "divmul32" conformance group, and division, multiplication, and
373modulo operations for ``ALU64`` are part of the "divmul64" conformance
374group.
375The division and modulo operations support both unsigned and signed flavors.
376
377For unsigned operations (``DIV`` and ``MOD``), for ``ALU``,
378'imm' is interpreted as a 32-bit unsigned value. For ``ALU64``,
379'imm' is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
380interpreted as a 64-bit unsigned value.
381
382For signed operations (``SDIV`` and ``SMOD``), for ``ALU``,
383'imm' is interpreted as a 32-bit signed value. For ``ALU64``, 'imm'
384is first :term:`sign extended<Sign Extend>` from 32 to 64 bits, and then
385interpreted as a 64-bit signed value.
386
387Note that there are varying definitions of the signed modulo operation
388when the dividend or divisor are negative, where implementations often
389vary by language such that Python, Ruby, etc.  differ from C, Go, Java,
390etc. This specification requires that signed modulo MUST use truncated division
391(where -13 % 3 == -1) as implemented in C, Go, etc.::
392
393   a % n = a - n * trunc(a / n)
394
395The ``MOVSX`` instruction does a move operation with sign extension.
396``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into
39732-bit operands, and zeroes the remaining upper 32 bits.
398``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit
399operands into 64-bit operands.  Unlike other arithmetic instructions,
400``MOVSX`` is only defined for register source operands (``X``).
401
402``{MOV, K, ALU64}`` means::
403
404  dst = (s64)imm
405
406``{MOV, X, ALU}`` means::
407
408  dst = (u32)src
409
410``{MOVSX, X, ALU}`` with 'offset' 8 means::
411
412  dst = (u32)(s32)(s8)src
413
414
415The ``NEG`` instruction is only defined when the source bit is clear
416(``K``).
417
418Shift operations use a mask of 0x3F (63) for 64-bit operations and 0x1F (31)
419for 32-bit operations.
420
421Byte swap instructions
422----------------------
423
424The byte swap instructions use instruction classes of ``ALU`` and ``ALU64``
425and a 4-bit 'code' field of ``END``.
426
427The byte swap instructions operate on the destination register
428only and do not use a separate source register or immediate value.
429
430For ``ALU``, the 1-bit source operand field in the opcode is used to
431select what byte order the operation converts from or to. For
432``ALU64``, the 1-bit source operand field in the opcode is reserved
433and MUST be set to 0.
434
435.. table:: Byte swap instructions
436
437  =====  ========  =====  =================================================
438  class  source    value  description
439  =====  ========  =====  =================================================
440  ALU    TO_LE     0      convert between host byte order and little endian
441  ALU    TO_BE     1      convert between host byte order and big endian
442  ALU64  Reserved  0      do byte swap unconditionally
443  =====  ========  =====  =================================================
444
445The 'imm' field encodes the width of the swap operations.  The following widths
446are supported: 16, 32 and 64.  Width 64 operations belong to the base64
447conformance group and other swap operations belong to the base32
448conformance group.
449
450Examples:
451
452``{END, TO_LE, ALU}`` with 'imm' = 16/32/64 means::
453
454  dst = htole16(dst)
455  dst = htole32(dst)
456  dst = htole64(dst)
457
458``{END, TO_BE, ALU}`` with 'imm' = 16/32/64 means::
459
460  dst = htobe16(dst)
461  dst = htobe32(dst)
462  dst = htobe64(dst)
463
464``{END, TO_LE, ALU64}`` with 'imm' = 16/32/64 means::
465
466  dst = bswap16(dst)
467  dst = bswap32(dst)
468  dst = bswap64(dst)
469
470Jump instructions
471-----------------
472
473``JMP32`` uses 32-bit wide operands and indicates the base32
474conformance group, while ``JMP`` uses 64-bit wide operands for
475otherwise identical operations, and indicates the base64 conformance
476group unless otherwise specified.
477The 'code' field encodes the operation as below:
478
479.. table:: Jump instructions
480
481  ========  =====  =======  =================================  ===================================================
482  code      value  src_reg  description                        notes
483  ========  =====  =======  =================================  ===================================================
484  JA        0x0    0x0      PC += offset                       {JA, K, JMP} only
485  JA        0x0    0x0      PC += imm                          {JA, K, JMP32} only
486  JEQ       0x1    any      PC += offset if dst == src
487  JGT       0x2    any      PC += offset if dst > src          unsigned
488  JGE       0x3    any      PC += offset if dst >= src         unsigned
489  JSET      0x4    any      PC += offset if dst & src
490  JNE       0x5    any      PC += offset if dst != src
491  JSGT      0x6    any      PC += offset if dst > src          signed
492  JSGE      0x7    any      PC += offset if dst >= src         signed
493  CALL      0x8    0x0      call helper function by static ID  {CALL, K, JMP} only, see `Helper functions`_
494  CALL      0x8    0x1      call PC += imm                     {CALL, K, JMP} only, see `Program-local functions`_
495  CALL      0x8    0x2      call helper function by BTF ID     {CALL, K, JMP} only, see `Helper functions`_
496  EXIT      0x9    0x0      return                             {CALL, K, JMP} only
497  JLT       0xa    any      PC += offset if dst < src          unsigned
498  JLE       0xb    any      PC += offset if dst <= src         unsigned
499  JSLT      0xc    any      PC += offset if dst < src          signed
500  JSLE      0xd    any      PC += offset if dst <= src         signed
501  ========  =====  =======  =================================  ===================================================
502
503where 'PC' denotes the program counter, and the offset to increment by
504is in units of 64-bit instructions relative to the instruction following
505the jump instruction.  Thus 'PC += 1' skips execution of the next
506instruction if it's a basic instruction or results in undefined behavior
507if the next instruction is a 128-bit wide instruction.
508
509Example:
510
511``{JSGE, X, JMP32}`` means::
512
513  if (s32)dst s>= (s32)src goto +offset
514
515where 's>=' indicates a signed '>=' comparison.
516
517``{JLE, K, JMP}`` means::
518
519  if dst <= (u64)(s64)imm goto +offset
520
521``{JA, K, JMP32}`` means::
522
523  gotol +imm
524
525where 'imm' means the branch offset comes from the 'imm' field.
526
527Note that there are two flavors of ``JA`` instructions. The
528``JMP`` class permits a 16-bit jump offset specified by the 'offset'
529field, whereas the ``JMP32`` class permits a 32-bit jump offset
530specified by the 'imm' field. A > 16-bit conditional jump may be
531converted to a < 16-bit conditional jump plus a 32-bit unconditional
532jump.
533
534All ``CALL`` and ``JA`` instructions belong to the
535base32 conformance group.
536
537Helper functions
538~~~~~~~~~~~~~~~~
539
540Helper functions are a concept whereby BPF programs can call into a
541set of function calls exposed by the underlying platform.
542
543Historically, each helper function was identified by a static ID
544encoded in the 'imm' field.  The available helper functions may differ
545for each program type, but static IDs are unique across all program types.
546
547Platforms that support the BPF Type Format (BTF) support identifying
548a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID
549identifies the helper name and type.  Further documentation of BTF
550is outside the scope of this document and is left for future work.
551
552Program-local functions
553~~~~~~~~~~~~~~~~~~~~~~~
554Program-local functions are functions exposed by the same BPF program as the
555caller, and are referenced by offset from the instruction following the call
556instruction, similar to ``JA``.  The offset is encoded in the 'imm' field of
557the call instruction. An ``EXIT`` within the program-local function will
558return to the caller.
559
560Load and store instructions
561===========================
562
563For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the
5648-bit 'opcode' field is divided as follows::
565
566  +-+-+-+-+-+-+-+-+
567  |mode |sz |class|
568  +-+-+-+-+-+-+-+-+
569
570**mode**
571  The mode modifier is one of:
572
573  .. table:: Mode modifier
574
575    =============  =====  ====================================  =============
576    mode modifier  value  description                           reference
577    =============  =====  ====================================  =============
578    IMM            0      64-bit immediate instructions         `64-bit immediate instructions`_
579    ABS            1      legacy BPF packet access (absolute)   `Legacy BPF Packet access instructions`_
580    IND            2      legacy BPF packet access (indirect)   `Legacy BPF Packet access instructions`_
581    MEM            3      regular load and store operations     `Regular load and store operations`_
582    MEMSX          4      sign-extension load operations        `Sign-extension load operations`_
583    ATOMIC         6      atomic operations                     `Atomic operations`_
584    =============  =====  ====================================  =============
585
586**sz (size)**
587  The size modifier is one of:
588
589  .. table:: Size modifier
590
591    ====  =====  =====================
592    size  value  description
593    ====  =====  =====================
594    W     0      word        (4 bytes)
595    H     1      half word   (2 bytes)
596    B     2      byte
597    DW    3      double word (8 bytes)
598    ====  =====  =====================
599
600  Instructions using ``DW`` belong to the base64 conformance group.
601
602**class**
603  The instruction class (see `Instruction classes`_)
604
605Regular load and store operations
606---------------------------------
607
608The ``MEM`` mode modifier is used to encode regular load and store
609instructions that transfer data between a register and memory.
610
611``{MEM, <size>, STX}`` means::
612
613  *(size *) (dst + offset) = src
614
615``{MEM, <size>, ST}`` means::
616
617  *(size *) (dst + offset) = imm
618
619``{MEM, <size>, LDX}`` means::
620
621  dst = *(unsigned size *) (src + offset)
622
623Where '<size>' is one of: ``B``, ``H``, ``W``, or ``DW``, and
624'unsigned size' is one of: u8, u16, u32, or u64.
625
626Sign-extension load operations
627------------------------------
628
629The ``MEMSX`` mode modifier is used to encode :term:`sign-extension<Sign Extend>` load
630instructions that transfer data between a register and memory.
631
632``{MEMSX, <size>, LDX}`` means::
633
634  dst = *(signed size *) (src + offset)
635
636Where '<size>' is one of: ``B``, ``H``, or ``W``, and
637'signed size' is one of: s8, s16, or s32.
638
639Atomic operations
640-----------------
641
642Atomic operations are operations that operate on memory and can not be
643interrupted or corrupted by other access to the same memory region
644by other BPF programs or means outside of this specification.
645
646All atomic operations supported by BPF are encoded as store operations
647that use the ``ATOMIC`` mode modifier as follows:
648
649* ``{ATOMIC, W, STX}`` for 32-bit operations, which are
650  part of the "atomic32" conformance group.
651* ``{ATOMIC, DW, STX}`` for 64-bit operations, which are
652  part of the "atomic64" conformance group.
653* 8-bit and 16-bit wide atomic operations are not supported.
654
655The 'imm' field is used to encode the actual atomic operation.
656Simple atomic operation use a subset of the values defined to encode
657arithmetic operations in the 'imm' field to encode the atomic operation:
658
659.. table:: Simple atomic operations
660
661  ========  =====  ===========
662  imm       value  description
663  ========  =====  ===========
664  ADD       0x00   atomic add
665  OR        0x40   atomic or
666  AND       0x50   atomic and
667  XOR       0xa0   atomic xor
668  ========  =====  ===========
669
670
671``{ATOMIC, W, STX}`` with 'imm' = ADD means::
672
673  *(u32 *)(dst + offset) += src
674
675``{ATOMIC, DW, STX}`` with 'imm' = ADD means::
676
677  *(u64 *)(dst + offset) += src
678
679In addition to the simple atomic operations, there also is a modifier and
680two complex atomic operations:
681
682.. table:: Complex atomic operations
683
684  ===========  ================  ===========================
685  imm          value             description
686  ===========  ================  ===========================
687  FETCH        0x01              modifier: return old value
688  XCHG         0xe0 | FETCH      atomic exchange
689  CMPXCHG      0xf0 | FETCH      atomic compare and exchange
690  ===========  ================  ===========================
691
692The ``FETCH`` modifier is optional for simple atomic operations, and
693always set for the complex atomic operations.  If the ``FETCH`` flag
694is set, then the operation also overwrites ``src`` with the value that
695was in memory before it was modified.
696
697The ``XCHG`` operation atomically exchanges ``src`` with the value
698addressed by ``dst + offset``.
699
700The ``CMPXCHG`` operation atomically compares the value addressed by
701``dst + offset`` with ``R0``. If they match, the value addressed by
702``dst + offset`` is replaced with ``src``. In either case, the
703value that was at ``dst + offset`` before the operation is zero-extended
704and loaded back to ``R0``.
705
70664-bit immediate instructions
707-----------------------------
708
709Instructions with the ``IMM`` 'mode' modifier use the wide instruction
710encoding defined in `Instruction encoding`_, and use the 'src_reg' field of the
711basic instruction to hold an opcode subtype.
712
713The following table defines a set of ``{IMM, DW, LD}`` instructions
714with opcode subtypes in the 'src_reg' field, using new terms such as "map"
715defined further below:
716
717.. table:: 64-bit immediate instructions
718
719  =======  =========================================  ===========  ==============
720  src_reg  pseudocode                                 imm type     dst type
721  =======  =========================================  ===========  ==============
722  0x0      dst = (next_imm << 32) | imm               integer      integer
723  0x1      dst = map_by_fd(imm)                       map fd       map
724  0x2      dst = map_val(map_by_fd(imm)) + next_imm   map fd       data address
725  0x3      dst = var_addr(imm)                        variable id  data address
726  0x4      dst = code_addr(imm)                       integer      code address
727  0x5      dst = map_by_idx(imm)                      map index    map
728  0x6      dst = map_val(map_by_idx(imm)) + next_imm  map index    data address
729  =======  =========================================  ===========  ==============
730
731where
732
733* map_by_fd(imm) means to convert a 32-bit file descriptor into an address of a map (see `Maps`_)
734* map_by_idx(imm) means to convert a 32-bit index into an address of a map
735* map_val(map) gets the address of the first value in a given map
736* var_addr(imm) gets the address of a platform variable (see `Platform Variables`_) with a given id
737* code_addr(imm) gets the address of the instruction at a specified relative offset in number of (64-bit) instructions
738* the 'imm type' can be used by disassemblers for display
739* the 'dst type' can be used for verification and JIT compilation purposes
740
741Maps
742~~~~
743
744Maps are shared memory regions accessible by BPF programs on some platforms.
745A map can have various semantics as defined in a separate document, and may or
746may not have a single contiguous memory region, but the 'map_val(map)' is
747currently only defined for maps that do have a single contiguous memory region.
748
749Each map can have a file descriptor (fd) if supported by the platform, where
750'map_by_fd(imm)' means to get the map with the specified file descriptor. Each
751BPF program can also be defined to use a set of maps associated with the
752program at load time, and 'map_by_idx(imm)' means to get the map with the given
753index in the set associated with the BPF program containing the instruction.
754
755Platform Variables
756~~~~~~~~~~~~~~~~~~
757
758Platform variables are memory regions, identified by integer ids, exposed by
759the runtime and accessible by BPF programs on some platforms.  The
760'var_addr(imm)' operation means to get the address of the memory region
761identified by the given id.
762
763Legacy BPF Packet access instructions
764-------------------------------------
765
766BPF previously introduced special instructions for access to packet data that were
767carried over from classic BPF. These instructions used an instruction
768class of ``LD``, a size modifier of ``W``, ``H``, or ``B``, and a
769mode modifier of ``ABS`` or ``IND``.  The 'dst_reg' and 'offset' fields were
770set to zero, and 'src_reg' was set to zero for ``ABS``.  However, these
771instructions are deprecated and SHOULD no longer be used.  All legacy packet
772access instructions belong to the "packet" conformance group.
773