In fact, the only thing that permits the spending of existing [UTXOs](/protocol/blockchain/transaction#transaction-output) is the successful execution of a script.
The only thing preventing the spending of newly created UTXOs is the difficulty of producing a successfully executing script.
Through the use of cryptographic signatures and hash functions, such scripts are often designed specifically to be difficult to produce unless you are the intended spender of a given UTXO, though that need not necessarily be the case.
Scripts are executed using a stack-based memory model and have an intentionally restricted set of available operations.
Unlike the common general-purpose programming languages your are probably aware of, Script (the term for the language itself) does not allow for loops, persistent state/memory across script executions, or the definition of functions.
Instead, scripts are expected to contain whatever data they need and use the available operations to prove transaction validity.
In addition to the primary stack ("the stack"), there is a secondary stack, referred to as the "alt-stack", which data can be moved to temporarily.
Any data left on the alt-stack is lost when a given sub-script finishes execution.
In effect, any data moved to the alt-stack by an unlocking script is not present when the locking script runs.
There are a large number of op-codes that support everything from simple stack-manipulation, to mathematical calculations, to complex cryptographic processes. In terms of control structures there are only basic conditional branching (IF/ELSE) operations available.
### Transaction Validation
Scripts are run when validating transactions, and successful execution of all of the scripts defined by the transaction is a necessary, but not sufficient, condition for transaction validity.
See [Transaction Validation](/protocol/blockchain/transaction-validation) for more details.
As a part of validating a transaction, a script is built for each input spent by the transaction.
Each script is the sequential execution (carrying over the same stack, but not alt-stack) of the [unlocking script](/protocol/blockchain/transaction/unlocking-script) provided with the input definition (which is used that the beginning of the script) and the locking script provided by the [previous output](/protocol/blockchain/transaction#transaction-output) being referenced.
The exception to this is [pay to script hash](/protocol/blockchain/transaction/locking-script#standard-scripts), which has an altered execution workflow.
In general, though, this combined unlocking/locking script is then executed and considered successful if and only if the following conditions are met:
- **No Stack Overflows** - no operation should attempt to pop a value from the stack when the stack is empty. An overflow of the alt-stack is also disallowed.
- **Clean Stack** - after execution the stack must only contain a single value, which must be non-zero (TRUE). Added in [HF-20181115](/protocol/forks/hf-20181115). The alt-stack is exempt from this.
Additionally, in order for the combined script to be valid, the following must be true:
- **Non-Empty Scripts** - both the locking and unlocking scripts must be non-empty.
- **Max Script Length** - the locking and unlocking script must each be less than the max script length of 10,000 bytes (for a combined script maximum of 20,000 bytes).
- **Contained Control Flow** - an IF/ELSE block cannot start in the unlocking script and end in the locking script, the script must be in the top-level scope when the locking script execution begins.
- **Permitted Operations Only** - the locking script must not include operations that are disallowed and must not execute operations that are disabled..
- **Push Only** - the unlocking script must contain only push operations (i.e. those with op codes 0x60 or less). Added in [HF-20181115](/protocol/forks/hf-20181115).
| OP_0, OP_FALSE | 0 | 0x00 | | 0 | An empty array of bytes is pushed onto the stack. See also [OP_X](/protocol/blockchain/script/op-codes/op-x) |
| N/A | 1-75 | 0x01-0x4b | | | The next *value* bytes is data to be pushed onto the stack. See also [OP_DATA_X](/protocol/blockchain/script/op-codes/op-data-x) |
| OP_IF | 99 | 0x63 | <expression> IF [statements] [ELSE [statements]] ENDIF || If the top stack value is not False, the statements are executed. The top stack value is removed. |
| OP_NOTIF | 100 | 0x64 | <expression> NOTIF [statements] [ELSE [statements]] ENDIF || If the top stack value is False, the statements are executed. The top stack value is removed. |
| OP_ELSE | 103 | 0x67 | <expression> IF [statements] [ELSE [statements]] ENDIF || If the preceding OP_IF or OP_NOTIF or OP_ELSE was not executed then these statements are and if the preceding OP_IF or OP_NOTIF or OP_ELSE was executed then these statements are not. |
| OP_ENDIF | 104 | 0x68 | <expression> IF [statements] [ELSE [statements]] ENDIF || Ends an if/else block. All blocks must end, or the transaction is **marked as invalid**. An OP_ENDIF without OP_IF earlier is also **invalid**. |
| OP_VERIFY | 105 | 0x69 | true / false | Nothing / *fail* | **Marks transaction as invalid** if top stack value is not true. The top stack value is removed. |
| OP_RETURN | 106 | 0x6a | | *fail* | **Marks the output as unspendable**. Since [Bitcoin Core 0.9](https://bitcoin.org/en/release/v0.9.0#opreturn-and-data-in-the-block-chain), a standard way of attaching extra data to transactions is to add a zero-value output with a scriptPubKey consisting of OP_RETURN followed by data. Such outputs are provably unspendable and specially discarded from storage in the UTXO set, reducing their cost to the network. Current [standard relay rules](https://reference.cash/protocol/blockchain/transaction-validation/network-level-validation-rules/) on the Bitcoin Cash network allow a single output with OP_RETURN, that contains any sequence of push statements (or OP_RESERVED) after the OP_RETURN provided the total scriptPubKey length is at most 223 bytes. |
|OP_REVERSEBYTES |188 |0xbc |x |out |Reverses the order of the bytes in byte sequence *x* so that the first byte is now its last byte, the second is now its second-to-last, and so forth. Enabled in [HF-20200515](/protocol/forks/hf-20200515). |
| OP_CODESEPARATOR | 171 | 0xab | Nothing | Nothing | Makes `OP_CHECK(MULTI)SIG(VERIFY)` use the subset of the script of everything after the most recently-executed OP_CODESEPARATOR when computing the sighash. |
| OP_CHECKSIG | 172 | 0xac | sig pubkey | true / false | The last byte (=sighash type) of the signature is removed. The sighash for this input is calculated based on the sighash type. The truncated signature used by OP_CHECKSIG must be a valid ECDSA or Schnorr signature for this hash and public key. If it is valid, 1 is returned, if it is empty, 0 is returned, otherwise the operation fails. |
| OP_CHECKMULTISIG | 174 | 0xae | dummy sig1 sig2 ... <#-of-sigs> pub1 pub2 ... <#-of-pubkeys> | true / false | Signatures are checked against public keys. Signatures must be placed in the unlocking script using the same order as their corresponding public keys were placed in the locking script or redeem script. If all signatures are valid, 1 is returned, 0 otherwise. All elements are removed from the stack. For more information on the execution of this opcode, see [Multisignature](/protocol/blockchain/cryptography/multisignature). |
| OP_CHECKMULTISIGVERIFY | 175 | 0xaf | dummy sig1 sig2 ... <#-of-sigs> pub1 pub2 ... <#-of-pubkeys> | Nothing / *fail* | Same as OP_CHECKMULTISIG, but OP_VERIFY is executed afterward. |
| OP_CHECKDATASIG | 186 | 0xba | sig msg pubkey | true / false | Check if signature is valid for message and a public key. [See spec](/protocol/forks/op_checkdatasig) |
| OP_CHECKLOCKTIMEVERIFY | 177 | 0xb1 | x |x / *fail* | Marks transaction as invalid if the top stack item is greater than the transaction's nLockTime field, otherwise script evaluation continues as though an OP_NOP was executed. Transaction is also invalid if 1. the stack is empty; or 2. the top stack item is negative; or 3. the top stack item is greater than or equal to 500000000 while the transaction's nLockTime field is less than 500000000, or vice versa; or 4. the input's nSequence field is equal to 0xffffffff. The precise semantics are described in [BIP65](/protocol/forks/bip-0065). |
| OP_CHECKSEQUENCEVERIFY | 178 | 0xb2 | x |x / *fail* | Marks transaction as invalid if the relative lock time of the input (enforced by BIP68 with nSequence) is not equal to or longer than the value of the top stack item. The precise semantics are described in [BIP112](/protocol/forks/bip-0112). |
