From 632bd741f7efeadfde48202f91976829367333f5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Foucault?= Date: Fri, 17 Oct 2025 14:39:31 +0200 Subject: [PATCH 1/2] Fix #148071: EEVEE: Crash when using Sky Texture + Multi-scattering Caused by some tricky use after-free / stack corruption. This affect both Cycles and EEVEE. The `sms` local variable is getting dereferenced by `get_inscattering` inside the threaded for loop but is passed by copy to the lambda expression. This makes its lifetime ill-defined in a multithreaded context. I am not fully sure about the rules at play here so maybe my understanding is wrong. But removing the call to `get_inscattering` avoids the crash. Note that `SkyMultipleScattering` is also very big (it contains the whole LUT). So copying it might have caused stack overflow. But that should trigger a system interupt. Passing everything by references fixes the issue. This seems to be safe since all as the other local variables are `const` anyway. Also the loop doesn't seem to modify the one that aren't. Pull Request: https://projects.blender.org/blender/blender/pulls/148260 --- intern/sky/source/sky_multiple_scattering.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/intern/sky/source/sky_multiple_scattering.cpp b/intern/sky/source/sky_multiple_scattering.cpp index e0e00731c8b..a29a2b1acba 100644 --- a/intern/sky/source/sky_multiple_scattering.cpp +++ b/intern/sky/source/sky_multiple_scattering.cpp @@ -319,7 +319,7 @@ void SKY_multiple_scattering_precompute_texture(float *pixels, const float3 sun_dir = sun_direction(sun_zenith_cos_angle); const int rows_per_task = std::max(1024 / width, 1); - SKY_parallel_for(0, height, rows_per_task, [=](const size_t begin, const size_t end) { + SKY_parallel_for(0, height, rows_per_task, [&](const size_t begin, const size_t end) { for (int y = begin; y < end; y++) { float *pixel_row = pixels + (y * width * stride); for (int x = 0; x < half_width; x++) { From c990cd6759b6ef69dfdccefb3b1f2be786045924 Mon Sep 17 00:00:00 2001 From: Jacques Lucke Date: Fri, 17 Oct 2025 14:40:43 +0200 Subject: [PATCH 2/2] Fix: correct previous commit This is an alternative to ba0f73d0760ae9a. I'm not exactly sure why that on didn't work yet. Seems like there is some hidden state somewhere, not sure. Now this fix is more similar to what is done in `curves_blend_write`. Pull Request: https://projects.blender.org/blender/blender/pulls/148267 --- source/blender/blenkernel/intern/grease_pencil.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source/blender/blenkernel/intern/grease_pencil.cc b/source/blender/blenkernel/intern/grease_pencil.cc index 55f7e41182e..7167a62a9cc 100644 --- a/source/blender/blenkernel/intern/grease_pencil.cc +++ b/source/blender/blenkernel/intern/grease_pencil.cc @@ -4416,8 +4416,11 @@ static void write_drawing_array(GreasePencil &grease_pencil, curves.blend_write_prepare(write_data); drawing_copy.runtime = nullptr; - curves.blend_write(*writer, grease_pencil.id, write_data); + BLO_write_shared_tag(writer, curves.curve_offsets); + BLO_write_shared_tag(writer, curves.custom_knots); + BLO_write_struct_at_address(writer, GreasePencilDrawing, drawing_base, &drawing_copy); + curves.blend_write(*writer, grease_pencil.id, write_data); break; } case GP_DRAWING_REFERENCE: {