I believe that there is a documentation bug in the pseudo-code for the IRET instruction in the current edition of Volume 2A of the Architectures Software Developer's Manual.
The case we're looking at is using IRET to switch from Ring-0 to Ring-3.
The prose for protected mode states:
If the return is to another privilege level, the IRET instruction also pops the stack pointer and SS from the stack, before resuming program execution. If the return is to virtual-8086 mode, the processor also pops the data segment registers from the stack.
However, the flow through the pseudo-code is:
None of the code on this path restores SS or ESP, despite the prose indicating that it should.
I believe that the prose is correct in this case because that would mirror the behaviour of the INT instruction.
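A constructed C model of the INT/IRET frame round trip, added here as an illustration and not part of the post or of Intel's pseudo-code: it encodes the quoted prose rule (a privilege-level change makes INT save SS:ESP and IRET restore them), and the selector values, stack addresses and the pop_ss_esp switch are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the 32-bit protected-mode INT/IRET stack frames; it is
 * not Intel's pseudo-code. It encodes the prose rule quoted above: when the
 * privilege level changes, INT saves SS:ESP and IRET must restore them. */
typedef struct {
    uint32_t eip, cs, eflags, esp, ss;
    uint32_t mem[32];               /* constructed 128-byte memory holding both stacks */
} cpu_t;

#define RPL(sel) ((sel) & 3u)       /* requested privilege level field of a selector */

static void     push(cpu_t *c, uint32_t v) { c->esp -= 4; c->mem[c->esp / 4] = v; }
static uint32_t pop (cpu_t *c)             { uint32_t v = c->mem[c->esp / 4]; c->esp += 4; return v; }

/* INT to a more-privileged ring: load SS0:ESP0 (from the TSS on real hardware,
 * passed in here), push the old SS and ESP, then EFLAGS, CS, EIP. */
void model_int(cpu_t *c, uint32_t ss0, uint32_t esp0, uint32_t gate_cs, uint32_t gate_eip) {
    if (RPL(gate_cs) < RPL(c->cs)) {
        uint32_t old_ss = c->ss, old_esp = c->esp;
        c->ss = ss0; c->esp = esp0;
        push(c, old_ss); push(c, old_esp);
    }
    push(c, c->eflags); push(c, c->cs); push(c, c->eip);
    c->cs = gate_cs; c->eip = gate_eip;
}

/* IRET: pop EIP, CS, EFLAGS; when CS.RPL is greater than the CPL (return to an
 * outer ring) also pop ESP and SS. The pop_ss_esp flag exists only to show
 * what the pseudo-code path discussed in the post would leave behind. */
void model_iret(cpu_t *c, bool pop_ss_esp) {
    uint32_t cpl = RPL(c->cs);
    c->eip = pop(c); c->cs = pop(c); c->eflags = pop(c);
    if (pop_ss_esp && RPL(c->cs) > cpl) {
        uint32_t new_esp = pop(c);  /* both values come off the ring-0 stack, so */
        uint32_t new_ss  = pop(c);  /* read both before switching stacks */
        c->esp = new_esp; c->ss = new_ss;
    }
}

/* Ring-3 code takes an interrupt, the ring-0 handler returns with IRET (constructed values). */
cpu_t roundtrip(bool pop_ss_esp) {
    cpu_t c = {0};
    c.cs = 0x1B; c.eip = 0x1000; c.eflags = 0x202; c.ss = 0x23; c.esp = 0x40;   /* RPL 3 */
    model_int(&c, 0x10, 0x80, 0x08, 0x2000);                                    /* to ring 0 */
    model_iret(&c, pop_ss_esp);
    return c;
}
```

With pop_ss_esp false the model returns to ring 3 still using the ring-0 SS and a stack pointer inside the ring-0 frame, which is why the missing restore matters.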
The IRET pseudo-code changed in rev 54. Rev 55 is current. Can you take a quick look and see if your question / comment is still valid? The change log doc for rev 54 highlights the changes if that is helpful.
It is the Rev 55 (June 2015) manual that I've been reading.
Is the change log you are referring to the one at https://www-ssl.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developers-manual.pdf? Because I had a scan through that for IRET and can't see any updated pseudo code. So I assume I'm looking in the wrong place.
I was referring to the rev 54 change log. Not sure that is still available externally. I always download the changes doc when I get each revision.
Okay, now that I know you are referring to the latest doc, I'll try to discuss this with the relevant parties internally.