Notes for the Null pointer at the top of the stack/end of the address space
===

In HS, I wrote processname-trbl to crawl through /proc/pid/mem to extract /proc/pid/cmdline. I noticed this line in the source:

http://lxr.free-electrons.com/source/fs/exec.c?v=3.18#L281

They subtract the size of a void pointer. There's no explanation why, and it's apparently been there forever.

Fast-forward a few months, and I found this article by David Drysdale, in which he casually describes that chunk as the end marker for the stack:

http://lwn.net/Articles/630727/

This is a plausible guess, but I was curious if he could shed any further light:

Hi Stan,

That's a great question, and one I'd like to know the answer to myself! I also looked for, and failed to find, a use of the final NULL, but it is something that's always been there -- 0.01 has:

    p = copy_strings(envc,envp,page,PAGE_SIZE*MAX_ARG_PAGES-4);

for the first thing on the stack, leaving a 4-byte gap. So maybe some historical ABI convention from Minix or something?

Given that neither of us found anything using it, I guess it's logical that removing it doesn't break things -- but that's still an interesting experiment to check that practice matches theory!

[I assumed it was some sort of end marker in part because of this page: http://articles.manugarg.com/aboutelfauxiliaryvectors.html It seemed a plausible purpose, but that page doesn't give any references or details...]

Sorry not to have any better answers,
David

On 07/02/2015 18:58, Stan wrote:
> Hi,
>
> I just finished reading the first article in your series "How Programs Get Run" and I had to send an email with thanks!
>
> Specifically, I've been wondering for a little bit about the NULL pointer marking the end of the stack:
>
>     The p field is set to point at the end of memory space for the new program, but leaves space for a NULL pointer as an end marker for the stack.
>
> I wrote a program a little while ago to crawl backwards in a PID's stack inside its /proc/pid/mem entry to pull out information about a process, mostly as an excuse to play with /proc/pid/mem. I saw the subtraction for the null pointer at the end of the stack, but didn't really have any explanation of this other than some vague guesses. It helps seeing someone else verbalize the point!
>
> But I'm also curious: do you know of anywhere that actually takes advantage of that NULL pointer, or a reason that it's especially useful? I crawled through the parts where p is referenced, and as much as I'd like to say I didn't see anything relevant, I'm also not an expert when it comes to the kernel -- and searching for "sizeof(void *)" was as useful as I expected :).
>
> I also recompiled the kernel on a fresh VM with the end pointer subtraction taken out just to see if I'd be faced with a broken/melting system, and was surprised to see (what appeared to be) no ill effects.
>
> Any additional light here would be seriously gratifying. Thanks so much for the article, it was really enjoyable and I look forward to the next installment!
>
> Best Regards,
> Stan

So now I need to read that article and potentially do some more code diving.
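The crawl described at the top of the page, written out as an added example (this is not the original processname-trbl tool or any of the kernel code linked above): it finds the [stack] mapping in /proc/PID/maps, reads the last sizeof(void *) bytes of it through /proc/PID/mem, which is exactly the word that fs/exec.c reserves with the subtraction, and then reads the execve() filename that the kernel copies in first (so it sits highest, directly below that word) and the argv strings, whose bounds /proc/PID/stat reports in fields 48-51 (arg_start, arg_end, env_start, env_end, present since Linux 3.5). It assumes Linux with /proc, and that /proc/PID/mem of the target is readable: for another process that means PTRACE_MODE_ATTACH access (same uid, dumpable target, Yama ptrace_scope permitting), while a process can always read its own. SAMPLE_STAT is a constructed line, not one captured from a real system; its comm field deliberately contains spaces and a ')' because that is what breaks naive splitting of stat.

```c
/* Added example (not the post's processname-trbl tool): read the top of a
 * process's initial stack via /proc/PID/mem.  fs/exec.c starts bprm->p at
 * vm_end - sizeof(void *), so the last word of [stack] is never written; below
 * it sit the execve() filename (AT_EXECFN), then the env and argv strings,
 * whose bounds /proc/PID/stat reports in fields 48-51 (Linux >= 3.5). */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct stack_info {
    unsigned long long stack_start, stack_end;                  /* from maps */
    unsigned long long arg_start, arg_end, env_start, env_end;  /* from stat */
    unsigned long top_word;  /* the reserved sizeof(void *) bytes below vm_end */
    char execfn[256];        /* string between env_end and the reserved word */
    char cmdline[4096];      /* argv strings, NUL separators replaced by ' ' */
};

/* Constructed sample (not captured from a real system) for stat_field(). */
static const char SAMPLE_STAT[] =
    "1234 (odd (comm) name) S 1 1234 1234 0 -1 4194560 0 0 0 0 1 1 0 0 20 0 1 0 99 4096 1 0 "
    "4194304 4198400 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0 0 0 0 "
    "140726235553984 140726235554004 140726235554004 140726235555870 0\n";

/* "[stack]" range from maps text; per-thread "[stack:TID]" lines don't match. */
int parse_stack_range(const char *maps, unsigned long long *start,
                      unsigned long long *end)
{
    const char *hit = strstr(maps, " [stack]\n");
    if (!hit) return -1;
    while (hit > maps && hit[-1] != '\n') hit--;       /* back to line start */
    return sscanf(hit, "%llx-%llx", start, end) == 2 ? 0 : -1;
}

/* Numeric field N (N >= 3) of a stat line, 0 if absent; comm (field 2) may
 * contain spaces and ')', so scanning starts after the last ')'. */
unsigned long long stat_field(const char *stat, int field)
{
    const char *p = strrchr(stat, ')');
    if (!p || field < 3) return 0;
    for (int n = 3;; n++) {
        p += strspn(p, " )");
        if (*p == '\0' || *p == '\n') return 0;
        if (n == field) return strtoull(p, NULL, 10);
        p += strcspn(p, " ");
    }
}

static int read_proc(pid_t pid, const char *name, char *buf, size_t size)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/%s", (int)pid, name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    buf[fread(buf, 1, size - 1, f)] = '\0';
    fclose(f);
    return 0;
}

int inspect_stack_top(pid_t pid, struct stack_info *si)
{
    char path[64], buf[1 << 16];
    int fd, rc = -1;
    size_t n;
    memset(si, 0, sizeof *si);
    if (read_proc(pid, "maps", buf, sizeof buf) < 0 ||
        parse_stack_range(buf, &si->stack_start, &si->stack_end) < 0 ||
        read_proc(pid, "stat", buf, sizeof buf) < 0) return -1;
    si->arg_start = stat_field(buf, 48); si->arg_end = stat_field(buf, 49);
    si->env_start = stat_field(buf, 50); si->env_end = stat_field(buf, 51);
    /* Sanity: pre-3.5 kernels report zeros, and prctl(PR_SET_MM_*) can move these. */
    if (si->arg_start < si->stack_start || si->arg_start > si->arg_end ||
        si->arg_end > si->env_start || si->env_start > si->env_end ||
        si->env_end + sizeof(void *) > si->stack_end) return -1;
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    if ((fd = open(path, O_RDONLY)) < 0) return -1;    /* needs ptrace access */
    /* 1. the reserved word at the very end of the mapping (expected: 0) */
    if (pread(fd, &si->top_word, sizeof si->top_word,
              (off_t)(si->stack_end - sizeof(void *))) != (ssize_t)sizeof si->top_word) goto out;
    /* 2. execve() filename: copied first, so it is the highest string */
    n = (size_t)(si->stack_end - sizeof(void *) - si->env_end);
    if (n >= sizeof si->execfn) n = sizeof si->execfn - 1;
    if (pread(fd, si->execfn, n, (off_t)si->env_end) != (ssize_t)n) goto out;
    /* 3. argv: NUL-separated strings between arg_start and arg_end */
    n = (size_t)(si->arg_end - si->arg_start);
    if (n >= sizeof si->cmdline) n = sizeof si->cmdline - 1;
    if (pread(fd, si->cmdline, n, (off_t)si->arg_start) != (ssize_t)n) goto out;
    for (size_t i = 0; i + 1 < n; i++)
        if (si->cmdline[i] == '\0') si->cmdline[i] = ' ';
    rc = 0;
out:
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    struct stack_info si;
    if (inspect_stack_top(argc > 1 ? (pid_t)atoi(argv[1]) : getpid(), &si) < 0) return 1;
    printf("[stack] %#llx-%#llx top word %#lx (expect 0)\nexecfn %s\nargv   %s\n",
           si.stack_start, si.stack_end, si.top_word, si.execfn, si.cmdline);
    return 0;
}
```

Run it with no argument to inspect itself, or with a PID you are allowed to ptrace. The top word is read straight from the end of the mapping rather than assumed, so on a kernel patched the way Stan's experiment did (subtraction removed) it would show the tail of the execve() filename instead of zero. Two caveats for anyone using this for more than curiosity: /proc/PID/cmdline is served from the same arg_start..arg_end memory, and every byte read here, the filename included, is in the target's own writable stack, so a process can rewrite all of it (setproctitle-style programs do exactly that), which makes none of it trustworthy as forensic evidence.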