Hi,
I believe that there is a documentation bug in the pseudo-code for the IRET instruction in the current edition of Volume 2A of the Architectures Software Developer's Manual.
The case we're looking at is using IRET to switch from Ring-0 to Ring-3.
The prose for protected mode states:
"If the return is to another privilege level, the IRET instruction also pops the stack pointer and SS from the stack, before resuming program execution. If the return is to virtual-8086 mode, the processor also pops the data segment registers from the stack."
However, the flow through the pseudo-code is:
- GOTO PROTECTED-MODE (because we're in protected mode, not in long mode, and not in virtual 8086 mode)
- GOTO PROTECTED-MODE-RETURN (because we're not in a nested task, and not switching to virtual 8086 mode)
- GOTO RETURN-OUTER-PRIVILEGE-LEVEL (because we're switching to a lower privilege level, i.e. the outer ring) - note: this label appears to be a typo; it should be GOTO RETURN-TO-OUTER-PRIVILEGE-LEVEL
None of the code on this path restores SS or ESP, despite the prose indicating that it should.
I believe that the prose is correct in this case because that would mirror the behaviour of the INT instruction.
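To make the two code paths concrete, below is an added C model of the behaviour the prose describes for a 32-bit protected-mode IRET (no task switch, no virtual-8086, no long mode). It is example code written for this note, not the SDM pseudo-code and not the poster's code. The frame is built the way a kernel builds it before returning to Ring 3 (SS, ESP, EFLAGS, CS, EIP pushed in that order), and the model pops SS:ESP only when the RPL of the popped CS is numerically greater than the current CPL. Selector values, addresses, the stack size and the EFLAGS handling are constructed assumptions; real IRET also applies CPL/IOPL-dependent restrictions when loading EFLAGS, which this model omits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the registers and a small word-indexed stack.
 * ESP is a byte offset into stack[] and grows downward. */
typedef struct {
    uint32_t eip, cs, eflags, esp, ss;
    uint32_t stack[16];   /* 64 bytes of constructed stack memory */
    unsigned cpl;         /* current privilege level (ring) */
} cpu_t;

static cpu_t last_cpu;    /* final state of the most recent demo, for inspection */

static void push32(cpu_t *c, uint32_t v) {
    c->esp -= 4;
    c->stack[c->esp / 4] = v;
}

static uint32_t pop32(cpu_t *c) {
    uint32_t v = c->stack[c->esp / 4];
    c->esp += 4;
    return v;
}

/* Frame a kernel pushes before IRET to enter Ring 3: SS, ESP, EFLAGS, CS, EIP
 * (so EIP ends up on top of the stack). */
void build_ring3_frame(cpu_t *c, uint32_t user_ss, uint32_t user_esp,
                       uint32_t user_cs, uint32_t user_eip, uint32_t eflags) {
    push32(c, user_ss);
    push32(c, user_esp);
    push32(c, eflags);
    push32(c, user_cs);
    push32(c, user_eip);
}

/* IRET as the prose describes it. Returns 1 when the return is to an outer
 * (less privileged) level and SS:ESP were popped, 0 for a same-level return. */
int iret(cpu_t *c) {
    uint32_t new_eip    = pop32(c);
    uint32_t new_cs     = pop32(c);
    uint32_t new_eflags = pop32(c);
    unsigned rpl = new_cs & 3;              /* requested privilege level of CS */

    c->eip = new_eip;
    c->cs = new_cs;
    c->eflags = new_eflags;                 /* model: no IOPL/CPL restrictions */

    if (rpl > c->cpl) {                     /* RETURN-TO-OUTER-PRIVILEGE-LEVEL */
        uint32_t new_esp = pop32(c);
        uint32_t new_ss  = pop32(c);
        c->esp = new_esp;                   /* replaces the kernel stack pointer */
        c->ss  = new_ss;
        c->cpl = rpl;
        return 1;
    }
    return 0;                               /* same level: SS:ESP unchanged */
}

/* Ring 0 -> Ring 3: 5-dword frame, SS:ESP must be popped. */
int demo_ring0_to_ring3(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.cpl = 0; c.cs = 0x08; c.ss = 0x10; c.esp = sizeof c.stack;
    /* constructed user selectors (RPL 3) and addresses */
    build_ring3_frame(&c, 0x23, 0xBFFFF000u, 0x1B, 0x08048000u, 0x202);
    int outer = iret(&c);
    last_cpu = c;
    return outer;
}

/* Ring 0 -> Ring 0: 3-dword frame, SS:ESP stay as they were. */
int demo_same_level(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.cpl = 0; c.cs = 0x08; c.ss = 0x10; c.esp = sizeof c.stack;
    push32(&c, 0x202);          /* EFLAGS */
    push32(&c, 0x08);           /* CS, RPL 0 */
    push32(&c, 0xC0100000u);    /* EIP (constructed kernel address) */
    int outer = iret(&c);
    last_cpu = c;
    return outer;
}

int main(void) {
    printf("ring0->ring3 popped SS:ESP: %d (cpl=%u ss=%#x esp=%#x)\n",
           demo_ring0_to_ring3(), last_cpu.cpl, last_cpu.ss, last_cpu.esp);
    printf("same-level popped SS:ESP:   %d (cpl=%u ss=%#x esp=%#x)\n",
           demo_same_level(), last_cpu.cpl, last_cpu.ss, last_cpu.esp);
    return 0;
}
```

Running the same-level case shows ESP simply advancing past the three popped dwords on the kernel stack, while the Ring 0 to Ring 3 case ends with the user SS:ESP loaded from the frame, which is the step the pseudo-code path above never performs.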