GPU/Shader Instruction Set
Overview
A compiled shader binary is comprised of two parts : the main instruction sequence and the operand descriptor table. These are both sent to the GPU around the same time but using separate GPU Commands. Instructions (such as format 1 instruction) may reference operand descriptors. When such is the case, the operand descriptor ID is the offset, in words, of the descriptor within the table. Both instructions and descriptors are coded in little endian. A basic implementation of the following specification can be found at [1] Please note that this page is being written as the instruction set is reverse engineered; as such it may very well contain mistakes.
Instruction formats
Format 1 : (used for register instructions)
Offset | Size (bits) | Description |
---|---|---|
0x0 | 0x5 | Operand descriptor ID (DESC) |
0x5 | 0x7 | Source 1 register (SRC2) |
0xC | 0x7 | Source 2 register (SRC1) |
0x13 | 0x7 | Destination register (DST) |
0x1A | 0x6 | Opcode |
Format 2 : (used for flow control instructions)
Offset | Size | Description |
---|---|---|
0x0 | 0x8 | Number of instructions ? (NUM) |
0x8 | 0x10? | Destination offset (DST) |
0x1A | 0x6 | Opcode |
Instructions
Opcode | Format | Name | Description |
---|---|---|---|
0x00 | 1 | ADD | Adds two vectors component by component; DST[i] = SRC1[i]+SRC2[i] for all i (modulo destination component masking) |
0x01 | 1 | DP3 | Computes dot product on 3-component vectors; DST = SRC1.SRC2 |
0x02 | 1 | DP4 | Computes dot product on 4-component vectors; DST = SRC1.SRC2 |
0x08 | 1 | MUL | Multiplies two vectors component by component; DST[i] = SRC1[i].SRC2[i] for all i (modulo destination component masking) |
0x09 | 1 | MAX | Takes the max of two vectors, component by component; DST[i] = MAX(SRC1[i], SRC2[i]) for all i (modulo destination component masking) |
0x0A | 1 | MIN | Takes the max of two vectors, component by component; DST[i] = MIN(SRC1[i], SRC2[i]) for all i (modulo destination component masking) |
0x13 | 1 | MOV | Moves value from one register to another; DST = SRC1 |
0x24 | 2 | CALL | Jumps to DST and executes NUM instructions |
0x21 | 1 | END2 | ? |
0x22 | 1 | END1 | ? |
Operand descriptors
Offset | Size | Description |
---|---|---|
0x0 | 0x4 | Destination component mask. Bit 3 = x, 2 = y, 1 = z, 0 = w. |
0x5 | 0x8 | Source 1 component selector |
0x14 | 0x8 | Source 2 component selector |
0x1F | 0x1 | Flag |
Component selector :
Offset | Size | Description |
---|---|---|
0x0 | 0x2 | Component 3 value |
0x2 | 0x2 | Component 2 value |
0x4 | 0x2 | Component 1 value |
0x6 | 0x2 | Component 0 value |
Value | Component |
---|---|
0x0 | x |
0x1 | y |
0x2 | z |
0x3 | w |
The component selector enables swizzling. For example, component selector 0x1B is equivalent to .xyzw, while 0x55 is equivalent to .yyyy.
Registers
It is not yet fully understood how registers are organized. It does however seem that registers are separated into various banks, some RO, some WO and some RW. Because of this separation, a given register ID may not refer to the same register value when it is used as SRC or as DST.
Attribute (input, RO) registers are located within the 0x0-0x10 range. What data they are fed is specified by the CPU. Output (WO) registers are also located within the 0x0-0x10 range. What data they are contain is specified by the CPU. Registers within the 0x20-0x40 ranges seem to be RW. They contain uniforms, such as matrix data.
It appears that SRC1 and SRC2 operands don't map to registers in the same way. SRC1 is mapped to RO input registers (attributes and uniforms), while SRC2 is mapped to RW register and some RO input registers (attributes). DST is mapped to WO output registers and RW registers. As such, a register written to by an instruction cannot be referenced by SRC1, but it can be referenced by SRC2.
It appears that writing twice to the same output register can cause problems, such as the GPU hanging.