Intel 253668-032US User Manual

Vol. 3   6-25
INTERRUPT AND EXCEPTION HANDLING
6.14.3 IRET in IA-32e Mode
In IA-32e mode, IRET executes with an 8-byte operand size. There is nothing that forces this requirement. The stack is formatted in such a way that for actions where IRET is required, the 8-byte IRET operand size works correctly.

Because interrupt stack-frame pushes are always eight bytes in IA-32e mode, an IRET must pop eight-byte items off the stack. This is accomplished by preceding the IRET with a 64-bit operand-size prefix. The size of the pop is determined by the address size of the instruction. The SS/ESP/RSP size adjustment is determined by the stack size.
IRET pops SS:RSP unconditionally off the interrupt stack frame only when it is executed in 64-bit mode. In compatibility mode, IRET pops SS:RSP off the stack only if there is a CPL change. This allows legacy applications to execute properly in compatibility mode when using the IRET instruction. 64-bit interrupt service routines that exit with an IRET unconditionally pop SS:RSP off of the interrupt stack frame, even if the target code segment is running in 64-bit mode or at CPL = 0. This is because the original interrupt always pushes SS:RSP.
In IA-32e mode, IRET is allowed to load a NULL SS under certain conditions. If the target mode is 64-bit mode and the target CPL ≠ 3, IRET allows SS to be loaded with a NULL selector. As part of the stack switch mechanism, an interrupt or exception sets the new SS to NULL, instead of fetching a new SS selector from the TSS and loading the corresponding descriptor from the GDT or LDT. The new SS selector is set to NULL in order to properly handle returns from subsequent nested far transfers. If the called procedure itself is interrupted, the NULL SS is pushed on the stack frame. On the subsequent IRET, the NULL SS on the stack acts as a flag to tell the processor not to load a new SS descriptor.
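The SS:RSP pop rules above, written out as a small C model. This is an added illustration, not Intel's pseudocode or microcode: the frame layout, the `iframe_t`/`cpu_state_t` types and the `iret_ia32e` function are constructed here, descriptor checks are omitted, and a NULL SS outside the permitted case is reported as a #GP (an assumption of the model, not a statement from this page).

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the IA-32e interrupt stack frame: five 8-byte slots,
 * lowest address first (RSP points at the RIP slot). SS:RSP are always pushed. */
typedef struct { uint64_t rip, cs, rflags, rsp, ss; } iframe_t;

/* Subset of register state the model tracks; holds the pre-IRET state on entry. */
typedef struct {
    uint64_t rip, cs, rflags, rsp, ss;
    int      cpl;
    bool     ss_descriptor_loaded;  /* false when NULL SS served as the "no load" flag */
} cpu_state_t;

enum { IRET_OK = 0, IRET_GP_FAULT = -1 };

/* frame_base: address of the RIP slot; in_64bit_mode: mode IRET executes in;
 * target_is_64bit: L bit of the target CS descriptor (resolved by the caller).
 * On a fault the state is left partially updated (model simplification). */
int iret_ia32e(const iframe_t *f, uint64_t frame_base, bool in_64bit_mode,
               bool target_is_64bit, cpu_state_t *s)
{
    int  target_cpl = (int)(f->cs & 3);               /* RPL of the popped CS */
    bool pop_ss_rsp = in_64bit_mode || target_cpl != s->cpl;

    /* REX.W IRET pops RIP, CS and RFLAGS as 8-byte items. */
    s->rip = f->rip; s->cs = f->cs; s->rflags = f->rflags;
    s->cpl = target_cpl;
    s->ss_descriptor_loaded = false;

    if (!pop_ss_rsp) {
        /* Compatibility mode without a CPL change: SS:RSP stay on the stack,
         * RSP simply advances past the three popped slots. */
        s->rsp = frame_base + 3 * 8;
        return IRET_OK;
    }
    s->rsp = f->rsp;                                  /* unconditional in 64-bit mode */
    s->ss  = f->ss;
    if ((f->ss & ~(uint64_t)3) == 0) {                /* NULL selector (RPL ignored) */
        if (!(target_is_64bit && target_cpl != 3))
            return IRET_GP_FAULT;                     /* assumption: NULL SS not allowed here */
        return IRET_OK;                               /* flag: no SS descriptor load */
    }
    s->ss_descriptor_loaded = true;                   /* ordinary SS descriptor load */
    return IRET_OK;
}
```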
6.14.4 Stack Switching in IA-32e Mode
The IA-32 architecture provides a mechanism to automatically switch stack frames in response to an interrupt. The 64-bit extensions of Intel 64 architecture implement a modified version of the legacy stack-switching mechanism and an alternative stack-switching mechanism called the interrupt stack table (IST).
In IA-32 modes, the legacy IA-32 stack-switch mechanism is unchanged. In IA-32e mode, the legacy stack-switch mechanism is modified. When stacks are switched as part of a 64-bit mode privilege-level change (resulting from an interrupt), a new SS descriptor is not loaded. IA-32e mode loads only an inner-level RSP from the TSS. The new SS selector is forced to NULL and the SS selector’s RPL field is set to the new CPL. The new SS is set to NULL in order to handle nested far transfers (CALLF, INT, interrupts and exceptions). The old SS and RSP are saved on the new stack (Figure 6-8). On the subsequent IRET, the old SS is popped from the stack and loaded into the SS register.