Intel 64 and IA-32 Architectures Software Developers Manual Volume 2B, Instruction Set Reference, N-Z
4-128 Vol. 2B
INSTRUCTION SET REFERENCE, N-Z
The address-size attribute of the stack segment determines the stack pointer size
(16, 32, 64 bits) and the operand-size attribute of the current code segment deter-
mines the amount the stack pointer is incremented (2, 4, 8 bytes).
For example, if the address- and operand-size attributes are 32, the 32-bit ESP
register (stack pointer) is incremented by 4; if they are 16, the 16-bit SP register is
incremented by 2. (The B flag in the stack segment’s segment descriptor determines
the stack’s address-size attribute, and the D flag in the current code segment’s
segment descriptor, along with prefixes, determines the operand-size attribute and
also the address-size attribute of the destination operand.)
If the destination operand is one of the segment registers DS, ES, FS, GS, or SS, the
value loaded into the register must be a valid segment selector. In protected mode,
popping a segment selector into a segment register automatically causes the
descriptor information associated with that segment selector to be loaded into the
hidden (shadow) part of the segment register and causes the selector and the
descriptor information to be validated (see the “Operation” section below).
A NULL value (0000-0003) may be popped into the DS, ES, FS, or GS register without
causing a general protection fault. However, any subsequent attempt to reference a
segment whose corresponding segment register is loaded with a NULL value causes
a general protection exception (#GP). In this situation, no memory reference occurs
and the saved value of the segment register is NULL.
The POP instruction cannot pop a value into the CS register. To load the CS register
from the stack, use the RET instruction.
If the ESP register is used as a base register for addressing a destination operand in
memory, the POP instruction computes the effective address of the operand after it
increments the ESP register. For the case of a 16-bit stack where ESP wraps to 0H as
a result of the POP instruction, the resulting location of the memory write is
processor-family-specific.
The POP ESP instruction increments the stack pointer (ESP) before data at the old top
of stack is written into the destination.
A POP SS instruction inhibits all interrupts, including the NMI interrupt, until after
execution of the next instruction. This action allows sequential execution of POP SS
and MOV ESP, EBP instructions without the danger of having an invalid stack during
an interrupt
1
. However, use of the LSS instruction is the preferred method of loading
the SS and ESP registers.
1. If a code instruction breakpoint (for debug) is placed on an instruction located immediately after
a POP SS instruction, the breakpoint may not be triggered. However, in a sequence of instruc-
tions that POP the SS register, only the first instruction in the sequence is guaranteed to delay
an interrupt.
In the following sequence, interrupts may be recognized before POP ESP executes:
POP SS
POP SS
POP ESP