FWIW, I just saw this in code generated by bison:     (yyvsp[-4].string_val), (yyvsp[-2].string_val), (yyvsp[0].string_val) (IIUC) referencing the addresses under the top of the stack when passing $2, $4, $6 into a function from an action (skipping a couple of tokens).  So the sign just depends on which way the stack is growing. As for range checking of pointers into a malloc'd block of memory, the pointer could have just 2 things: the address at the start of the block and the pointer itself, some moving address in the block; and then before the start of the block malloc could stash the address of the end of the block (where it could be referenced by all pointers into the block).  So instead of a triple word, the pointer is a double word, and the malloc'd block has an extra word before it.  This must have been done before by someone, somewhere. I don't think of pointers and arrays in C as the same thing, but rather array references as an alternate syntax for pointer arithmetic (or vice versa). - Aron