
6-18 Vol. 3A

INTERRUPT AND EXCEPTION HANDLING

the interrupt handler to use faster 16-byte aligned loads and stores (MOVAPS rather than MOVUPS) to save and 
restore XMM registers. 
Although the RSP alignment is always performed when LMA = 1, it is only of consequence for the kernel-mode case 
where there is no stack switch or IST used. For a stack switch or IST, the OS would have presumably put suitably 
aligned RSP values in the TSS.

6.14.3 IRET in IA-32e Mode

In IA-32e mode, an interrupt handler should return with IRET executing at an 8-byte operand size (IRETQ). Nothing 
in the architecture forces this; the stack is simply formatted so that, wherever an IRET is required, the 8-byte 
IRET operand size is the one that works correctly. 
Because interrupt stack-frame pushes are always eight bytes in IA-32e mode, the IRET must pop eight-byte items 
off the stack. This is accomplished by preceding the IRET with a 64-bit operand-size prefix (REX.W). The size of 
each pop is determined by the operand size of the instruction; the SS/ESP/RSP size adjustment is determined by the 
stack size.
IRET pops SS:RSP off the interrupt stack frame unconditionally only when it is executed in 64-bit mode. In 
compatibility mode, IRET pops SS:ESP off the stack only if there is a CPL change, which allows legacy applications 
that use the IRET instruction to execute properly in compatibility mode. 64-bit interrupt service routines that exit 
with an IRET therefore pop SS:RSP unconditionally, even if the target code segment is running in 64-bit mode or at 
CPL = 0, because the original interrupt always pushed SS:RSP.
In IA-32e mode, IRET is allowed to load a NULL SS under certain conditions. If the target mode is 64-bit mode and 
the target CPL ≠ 3, IRET allows SS to be loaded with a NULL selector. As part of the stack switch mechanism, an 
interrupt or exception sets the new SS to NULL, instead of fetching a new SS selector from the TSS and loading the 
corresponding descriptor from the GDT or LDT. The new SS selector is set to NULL in order to properly handle 
returns from subsequent nested far transfers. If the called procedure itself is interrupted, the NULL SS is pushed on 
the stack frame. On the subsequent IRET, the NULL SS on the stack acts as a flag to tell the processor not to load 
a new SS descriptor.

6.14.4 Stack Switching in IA-32e Mode

The IA-32 architecture provides a mechanism to automatically switch stack frames in response to an interrupt. The 
64-bit extensions of Intel 64 architecture implement a modified version of the legacy stack-switching mechanism 
and an alternative stack-switching mechanism called the interrupt stack table (IST).
In IA-32 modes, the legacy IA-32 stack-switch mechanism is unchanged. In IA-32e mode, the legacy stack-switch 
mechanism is modified. When stacks are switched as part of a 64-bit mode privilege-level change (resulting from 
an interrupt), a new SS descriptor is not loaded. IA-32e mode loads only an inner-level RSP from the TSS. The new 
SS selector is forced to NULL and the SS selector’s RPL field is set to the new CPL. The new SS is set to NULL in 
order to handle nested far transfers (far CALL, INT, interrupts and exceptions). The old SS and RSP are saved on 
the new stack (Figure 6-8). On the subsequent IRET, the old SS is popped from the stack and loaded into the SS 
register.
In summary, a stack switch in IA-32e mode works like the legacy stack switch, except that a new SS selector is not 
loaded from the TSS. Instead, the new SS is forced to NULL.
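The following is an added model of the behaviour described in 6.14.2 through 6.14.4; it is not Intel code and does not come from this manual. It simulates a 64-bit IDT-gate delivery (RSP aligned down to 16 bytes, five 8-byte pushes, optional error code, SS forced to NULL with RPL = new CPL on a stack switch) and an IRETQ executed in 64-bit mode (SS:RSP always popped, NULL SS accepted only for a 64-bit target at CPL != 3). The stack addresses, selector values and the `target_is_64bit` argument (the L bit of the target code-segment descriptor, assumed known to the caller) are constructed for illustration; a real handler would also have to pop or skip the error code before IRETQ, which the model leaves to the caller.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added model of the IA-32e interrupt frame and IRETQ, written for this
 * page; it is not Intel code. Assumed rules, taken from the text: RSP is
 * aligned down to 16 bytes before the five 8-byte pushes; a stack switch
 * forces SS to NULL with RPL = new CPL and loads no SS descriptor; IRETQ
 * in 64-bit mode always pops SS:RSP. Addresses below are simulated. */

#define STACK_BYTES   256
#define SEL_NULL_MASK 0xFFFCu   /* selector with index and TI bits cleared */

typedef struct {
    uint64_t base;              /* simulated address of mem[0] (assumption) */
    uint8_t  mem[STACK_BYTES];
} sim_stack;

static void wr64(sim_stack *s, uint64_t addr, uint64_t v)
{
    memcpy(&s->mem[addr - s->base], &v, sizeof v);
}

static uint64_t rd64(const sim_stack *s, uint64_t addr)
{
    uint64_t v;
    memcpy(&v, &s->mem[addr - s->base], sizeof v);
    return v;
}

/* Register state of the interrupted context. */
typedef struct {
    uint64_t ss, rsp, rflags, cs, rip;
    uint64_t error_code;
    bool     has_error_code;
} intr_state;

/* State at handler entry after delivery through a 64-bit IDT gate. */
typedef struct {
    uint64_t rsp;   /* RSP at handler entry */
    uint64_t ss;    /* SS at handler entry */
} delivery;

/* new_rsp is the inner-level RSP from the TSS (or an IST entry) when a
 * stack switch occurs, otherwise the interrupted RSP. new_cpl is the CPL
 * of the handler's code segment. */
delivery deliver_interrupt64(sim_stack *s, const intr_state *st,
                             bool stack_switch, unsigned new_cpl,
                             uint64_t new_rsp)
{
    delivery d;
    uint64_t rsp = new_rsp & ~(uint64_t)0xF;   /* align before any push */

    rsp -= 8; wr64(s, rsp, st->ss);      /* old SS (NULL if nested)   */
    rsp -= 8; wr64(s, rsp, st->rsp);     /* old RSP                   */
    rsp -= 8; wr64(s, rsp, st->rflags);
    rsp -= 8; wr64(s, rsp, st->cs);
    rsp -= 8; wr64(s, rsp, st->rip);
    if (st->has_error_code) { rsp -= 8; wr64(s, rsp, st->error_code); }

    d.rsp = rsp;   /* 16-byte aligned with an error code, 8 mod 16 without */
    /* On a switch no SS descriptor is fetched: SS := NULL, RPL = new CPL. */
    d.ss = stack_switch ? (uint64_t)(new_cpl & 3) : st->ss;
    return d;
}

/* Outcome of an IRETQ executed in 64-bit mode. */
typedef struct {
    bool     gp_fault;   /* NULL SS not permitted for this target */
    uint64_t rip, cs, rflags, rsp, ss;
} iret_result;

/* rsp must point at the saved RIP: a handler that received an error code
 * removes it before IRETQ. target_is_64bit is the L bit of the target
 * code segment (assumed known to the caller). */
iret_result iretq_model(const sim_stack *s, uint64_t rsp, bool target_is_64bit)
{
    iret_result r = {0};
    r.rip    = rd64(s, rsp);
    r.cs     = rd64(s, rsp + 8);
    r.rflags = rd64(s, rsp + 16);
    r.rsp    = rd64(s, rsp + 24);   /* always popped in 64-bit mode */
    r.ss     = rd64(s, rsp + 32);

    unsigned target_cpl = (unsigned)(r.cs & 3);
    bool ss_is_null = (r.ss & SEL_NULL_MASK) == 0;
    /* A NULL SS on the frame means "load no SS descriptor"; it is legal
     * only when returning to 64-bit mode at CPL != 3. */
    if (ss_is_null && !(target_is_64bit && target_cpl != 3))
        r.gp_fault = true;
    return r;
}
```

Two things fall out of running the model that the prose only implies: the handler-entry RSP is 16-byte aligned exactly when an error code was pushed (so a handler without one must adjust by 8 before using MOVAPS), and a nested interrupt taken while SS is NULL pushes that NULL, which IRETQ later accepts only because the return target is 64-bit code below CPL 3.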