Large function calls can stack/heap collide undetected

I got this error:

[debug] Server crashed while executing y_functional_gm.amx
[debug] AMX backtrace:
[debug] #0 0001e15c in public OnGameModeInit () at D:\work\SA-MP\pawno\include\YSI_Coding\y_functional\y_functional_rewrite.inc:205
[debug] Native backtrace:
[debug] #0 5370b1b9 in ?? () from plugins\crashdetect.DLL
[debug] #1 5370d6a7 in ?? () from plugins\crashdetect.DLL
[debug] #2 53713159 in ?? () from plugins\crashdetect.DLL
[debug] #3 53714357 in ?? () from plugins\crashdetect.DLL
[debug] #4 5370a767 in ?? () from plugins\crashdetect.DLL
[debug] #5 5370d65a in ?? () from plugins\crashdetect.DLL
[debug] #6 0046f654 in ?? () from samp-server.exe
[debug] #7 65646f6d in ?? () from samp-server.exe
[debug] #8 5f792f73 in ?? () from samp-server.exe
[debug] #9 636e7566 in ?? () from samp-server.exe
[debug] #10 6e6f6974 in ?? () from samp-server.exe
[debug] #11 675f6c61 in ?? () from samp-server.exe
[debug] #12 6d612e6d in ?? () from samp-server.exe
[debug] Registers:
[debug] EAX: 00000000 EBX: 0018fcec ECX: 022cac28 EDX: 00000001
[debug] ESI: 02239e20 EDI: 0000001a EBP: 675f6c61 ESP: 00515c14
[debug] EIP: 6d612e6d EFLAGS: 00010246
[debug] Stack:
[debug] ESP+00000000: 00000078 00000000 00000000 00000000
[debug] ESP+00000020: 00000000 00000000 00000000 00000000
[debug] ESP+00000040: 00000000 00000000 00000000 00000000
[debug] ESP+00000060: 00000000 00000000 00000000 00000000
[debug] ESP+00000080: 00000000 00000000 00000000 00000000
[debug] ESP+000000a0: 00000000 00000000 00000000 00000000
[debug] ESP+000000c0: 00000000 00000000 00000000 00000000
[debug] ESP+000000e0: 00000000 00000000 1110e9d7 00000000
[debug] ESP+00000100: 00000000 00000000 00000000 00000000
[debug] ESP+00000120: 00000000 00000000 00000000 00000000
[debug] ESP+00000140: 00000000 00000000 00000000 00000002
[debug] ESP+00000160: 00000001 003c1ae8 00000000 003c1b08
[debug] ESP+00000180: 00000000 00000000 00000000 00000000
[debug] ESP+000001a0: ffffffff 00000000 00000000 00000000
[debug] ESP+000001c0: 00000000 00000000 00000fa0 ffffffff
[debug] ESP+000001e0: 00000fa0 ffffffff ffffffff 00000000
[debug] ESP+00000200: ffffffff 00000000 00000000 00000000
[debug] ESP+00000220: 00000000 00000000 00000fa0 ffffffff
[debug] ESP+00000240: 00000fa0 ffffffff ffffffff 00000000
[debug] ESP+00000260: ffffffff 00000000 00000000 00000000
[debug] ESP+00000280: 00000000 00000000 00000fa0 ffffffff
[debug] ESP+000002a0: 00000fa0 ffffffff ffffffff 00000000
[debug] ESP+000002c0: ffffffff 00000000 00000000 00000000
[debug] ESP+000002e0: 00000000 00000000 00000fa0 003c5c50
[debug] ESP+00000300: 00000000 00000000 75a2b320 75a22630
[debug] ESP+00000320: 00000000 ffffffc4 006f0052 0061006d
[debug] ESP+00000340: 00610064 00640072 00540020 006d0069
[debug] ESP+00000360: 00000000 00000000 000a0000 00050000
[debug] ESP+00000380: 0061006d 0063006e 00200065 00610044
[debug] ESP+000003a0: 006d0069 00000065 00000000 00000000
[debug] ESP+000003c0: 00050000 00000002 00000000 ffffffc4
[debug] ESP+000003e0: 00000000 00000000 00000000 00000000
[debug] Loaded modules:
[debug] 00400000 - 00519000 samp-server.exe
[debug] 77860000 - 779cf000 ntdll.dll
[debug] 75a10000 - 75b50000 KERNEL32.DLL
[debug] 75f80000 - 76057000 KERNELBASE.dll
[debug] 760d0000 - 7738b000 SHELL32.dll
[debug] 75ca0000 - 75df3000 USER32.dll
[debug] 6da40000 - 6da48000 WSOCK32.dll
[debug] 6f7c0000 - 6f7e3000 WINMM.dll
[debug] 774f0000 - 775b3000 msvcrt.dll
[debug] 75260000 - 753dd000 combase.dll
[debug] 76070000 - 760b5000 SHLWAPI.dll
[debug] 75b90000 - 75c9e000 GDI32.dll
[debug] 758c0000 - 7590f000 WS2_32.dll
[debug] 6e1f0000 - 6e213000 WINMMBASE.dll
[debug] 77660000 - 7771a000 RPCRT4.dll
[debug] 77390000 - 77397000 NSI.dll
[debug] 75b50000 - 75b8c000 cfgmgr32.dll
[debug] 6e000000 - 6e021000 DEVOBJ.dll
[debug] 773a0000 - 773be000 SspiCli.dll
[debug] 75040000 - 7504a000 CRYPTBASE.dll
[debug] 75480000 - 754c1000 sechost.dll
[debug] 74fe0000 - 75034000 bcryptPrimitives.dll
[debug] 77720000 - 77747000 IMM32.DLL
[debug] 75e00000 - 75f12000 MSCTF.dll
[debug] 536f0000 - 53740000 crashdetect.DLL
[debug] 6da50000 - 6dab9000 MSVCP100.dll
[debug] 53630000 - 536ef000 MSVCR100.dll
[debug] 6db30000 - 6db7b000 mswsock.dll
[debug] 5fe80000 - 5fe91000 napinsp.dll
[debug] 5f960000 - 5f976000 pnrpnsp.dll
[debug] 5f940000 - 5f954000 NLAapi.dll
[debug] 6e610000 - 6e68e000 DNSAPI.dll
[debug] 5f930000 - 5f93a000 winrnr.dll
[debug] 5f920000 - 5f930000 wshbth.dll
[debug] 70850000 - 70870000 IPHLPAPI.DLL
[debug] 70360000 - 70368000 WINNSI.DLL
[debug] 6dad0000 - 6db16000 fwpuclnt.dll
[debug] 6db20000 - 6db28000 rasadhlp.dll

After a lot of debugging I discovered it was a stack/heap collision, but wasn't reported as one. I've seen those before, so I don't know why it didn't. Digging further, it seems OP_PUSH isn't checked for collision, only OP_STACK, OP_CALL and a few select others are. So I think I was blowing the stack (in fact, I don't think there was any heap data at all, so I've a feeling I was going entirely outside of dynamic memory). This was the code (using YSI 5.x):

#pragma option -O0
#pragma option -d3

//#pragma dynamic 1024 * 1024

#define FILTERSCRIPT
//#define _DEBUG 2

#include <a_samp>

#define YSI_NO_HEAP_MALLOC
#include <YSI_Coding\y_functional>

stock test_call(Func:f)
{
    return @.f(10, 20);
}

#define test_call<%0>({%1}) LAMBDA_%0<test_call>{%1}()

public OnFilterScriptInit()
{
    printf("A");
    printf("%d", test_call<ii>({_0 + _1}));
}

It was actually @IllidanS4 that noticed a problem, which I failed to track down with crashdetect. The exact crash is on this call:

https://github.com/pawn-lang/YSI-Includes/blob/6d5a39cf6aa0a77644e170ee53722867658e1401/YSI_Coding/y_functional/y_functional_rewrite.inc#L205-L211

The code immediately before is run, but the function is never entered.

Zeex / samp-plugin-crashdetect

Large function calls can stack/heap collide undetected #71