
4.8.5.1 Stack Switching in 64-bit Mode / 4.8.6 Returning from a Called Procedure – Intel IA-32 User Manual


4-26 Vol. 3A

PROTECTION

4.8.5.1 Stack Switching in 64-bit Mode

Although protection-check rules for call gates are unchanged from 32-bit mode, stack-switch
changes in 64-bit mode are different.

When stacks are switched as part of a 64-bit mode privilege-level change through a call gate, a
new SS (stack segment) descriptor is not loaded; 64-bit mode only loads an inner-level RSP
from the TSS. The new SS is forced to NULL and the SS selector’s RPL field is forced to the
new CPL. The new SS is set to NULL in order to handle nested far transfers (CALLF, INTn,
interrupts and exceptions). The old SS and RSP are saved on the new stack.

On a subsequent RETF, the old SS is popped from the stack and loaded into the SS register. See
Table 4-2.

In 64-bit mode, stack operations resulting from a privilege-level-changing far call or far return
are eight-bytes wide and change the RSP by eight. The mode does not support the automatic
parameter-copy feature found in 32-bit mode. The call-gate count field is ignored. Software can
access the old stack, if necessary, by referencing the old stack-segment selector and stack pointer
saved on the new process stack.

In 64-bit mode, RETF is allowed to load a NULL SS under certain conditions. If the target mode
is 64-bit mode and the target CPL ≠ 3, IRET allows SS to be loaded with a NULL selector. If
the called procedure itself is interrupted, the NULL SS is pushed on the stack frame. On the
subsequent RETF, the NULL SS on the stack acts as a flag to tell the processor not to load a new
SS descriptor.
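The push sequence of a privilege-changing far call and the matching RETF, as an added worked model in C (not Intel's code or text). A flat memory array and a tss_rsp table stand in for memory and the 64-bit TSS, selectors are 16-bit values with RPL in bits 1:0, and the target CPL is taken from the RPL of the target CS selector; all three are assumptions of the model, which reproduces the offsets of Table 4-2 and the NULL-SS flag behaviour on return.

```c
#include <stdint.h>
#include <string.h>

/* Toy memory: addresses are offsets into mem[] (model assumption). */
#define MEM_SIZE 4096
static uint8_t mem[MEM_SIZE];

/* Selector layout: index[15:3] TI[2] RPL[1:0]. NULL means index 0 and TI 0. */
#define SEL_RPL(sel)      ((sel) & 3u)
#define SEL_IS_NULL(sel)  (((sel) & ~3u) == 0)

struct cpu {
    uint16_t cs, ss;
    uint64_t rsp, rip;
    uint64_t tss_rsp[3];   /* RSP0..RSP2 of the 64-bit TSS (model assumption) */
};

static void push64(struct cpu *c, uint64_t v) { c->rsp -= 8; memcpy(mem + c->rsp, &v, 8); }
static uint64_t pop64(struct cpu *c) { uint64_t v; memcpy(&v, mem + c->rsp, 8); c->rsp += 8; return v; }
uint64_t read64(uint64_t addr) { uint64_t v; memcpy(&v, mem + addr, 8); return v; }

/* Far call through a call gate to a more privileged CPL. Only the inner-level RSP is
 * loaded from the TSS; SS is forced to NULL with RPL = new CPL; four 8-byte pushes
 * build the IA-32e frame of Table 4-2 (no parameter copy, gate count ignored). */
void callf_cpl_change(struct cpu *c, uint16_t new_cs, uint64_t new_rip)
{
    unsigned new_cpl = SEL_RPL(new_cs);
    uint16_t old_ss = c->ss, old_cs = c->cs;
    uint64_t old_rsp = c->rsp, ret_rip = c->rip;
    c->rsp = c->tss_rsp[new_cpl];
    c->ss  = (uint16_t)new_cpl;     /* NULL selector, RPL forced to the new CPL */
    push64(c, old_ss);              /* lands at new RSP + 24 */
    push64(c, old_rsp);             /* +16 */
    push64(c, old_cs);              /*  +8 */
    push64(c, ret_rip);             /*   0 */
    c->cs = new_cs; c->rip = new_rip;
}

/* Far return with a privilege change: pop RIP, CS, old RSP, old SS, each 8 bytes.
 * Returns 1 if an SS descriptor would be loaded, 0 if the popped SS is NULL and so
 * acts as the "do not load a new SS descriptor" flag from the text above. */
int retf_cpl_change(struct cpu *c)
{
    c->rip = pop64(c);
    c->cs  = (uint16_t)pop64(c);
    uint64_t old_rsp = pop64(c);
    uint16_t old_ss  = (uint16_t)pop64(c);
    c->rsp = old_rsp;
    c->ss  = old_ss;
    return SEL_IS_NULL(old_ss) ? 0 : 1;
}
```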

4.8.6 Returning from a Called Procedure

The RET instruction can be used to perform a near return, a far return at the same privilege level,
and a far return to a different privilege level. This instruction is intended to execute returns from
procedures that were called with a CALL instruction. It does not support returns from a JMP
instruction, because the JMP instruction does not save a return instruction pointer on the stack.

A near return only transfers program control within the current code segment; therefore, the
processor performs only a limit check. When the processor pops the return instruction pointer

Table 4-2. 64-Bit-Mode Stack Layout After CALLF with CPL Change

32-bit Mode           Offset    Offset    IA-32e Mode
Old SS Selector         +12       +24     Old SS Selector
Old ESP                  +8       +16     Old RSP
CS Selector              +4        +8     Old CS Selector
EIP                       0         0     RIP
ESP points to offset 0                    RSP points to offset 0
Entry width: 4 bytes                      Entry width: 8 bytes