Originally posted by [b]theultramage[/b]
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=4950
In battle_weapon_attack():
[code]
if (sc->data[SC_SACRIFICE])
{
	...
	status_zap(src, sstatus->max_hp*9/100, 0);//Damage to self is always 9%
	return (damage_lv)skill_attack(BF_WEAPON,src,src,target,PA_SACRIFICE,skilllv,tick,0);
}
[/code]
Calling status_zap() can kill the user, in which case skill_attack() will execute with a dead unit.
Now consider what happens when a player clone does this. Upon death, it is immediately unit_free'd, which involves calling
[code]
int mob_clone_delete(struct mob_data *md)
{
	const int class_ = md->class_;
	if (class_ >= MOB_CLONE_START && class_ < MOB_CLONE_END && mob_db_data[class_]!=NULL) {
		aFree(mob_db_data[class_]);
		mob_db_data[class_]=NULL;
		//Clear references to the db
		md->db = mob_dummy;
		md->vd = NULL;
	}
	...
}
[/code]
So not only does the clone have partially removed data, it also no longer has its mobdb entry, and more importantly, its view data is set to NULL. This ultimately leads to a crash in status_get_class(), which expects a non-null md->vd (crash is in battle_calc_weapon_attack).
To reproduce, just make a strong enough paladin with Martyr's Reckoning, and damage its health by at least 10% (then clones start casting self skills).
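
Added example, not part of the original report and not eAthena's code or its actual fix: a reduced C model of the sequence described above, with the Sacrifice branch re-checking that the source survived its own self-damage before anything reads its view data. The struct layouts, `make_unit`, `zap_hp`, `get_class`, `sacrifice_attack` and the class id 4001 are assumptions made up for this sketch.

```c
#include <stdlib.h>

/* Simplified stand-ins (assumed), not eAthena's real definitions. */
struct view_data { int class_; };
struct unit { int hp, max_hp, is_clone; struct view_data *vd; };
enum atk_result { ATK_DONE, ATK_ABORTED_DEAD };

/* Constructed sample unit with its view data allocated. */
struct unit make_unit(int hp, int max_hp, int is_clone, int class_) {
    struct unit u = { hp, max_hp, is_clone, malloc(sizeof(struct view_data)) };
    if (u.vd) u.vd->class_ = class_;
    return u;
}

/* Models status_zap(): returns 1 if the unit died. A dying clone is torn
 * down at once, as mob_clone_delete() does: its view data ends up NULL. */
int zap_hp(struct unit *u, int amount) {
    u->hp -= amount;
    if (u->hp > 0) return 0;
    u->hp = 0;
    if (u->is_clone) { free(u->vd); u->vd = NULL; }
    return 1;
}

/* Models status_get_class(): dereferences vd without a NULL check. */
int get_class(const struct unit *u) { return u->vd->class_; }

/* Sacrifice branch with the guard: stop if the self-damage killed src,
 * so nothing downstream touches the torn-down unit. */
enum atk_result sacrifice_attack(struct unit *src, int *class_out) {
    if (zap_hp(src, src->max_hp * 9 / 100) || src->vd == NULL)
        return ATK_ABORTED_DEAD;
    *class_out = get_class(src);   /* safe: src is alive, vd intact */
    return ATK_DONE;
}

int main(void) {
    int cls = -1;
    struct unit weak = make_unit(50, 1000, 1, 4001);    /* 9% self-damage kills it */
    struct unit strong = make_unit(500, 1000, 1, 4001); /* survives the self-damage */
    int ok = (sacrifice_attack(&weak, &cls) == ATK_ABORTED_DEAD)
          && (sacrifice_attack(&strong, &cls) == ATK_DONE);
    free(strong.vd);
    return ok ? 0 : 1;
}
```

Removing the guard in `sacrifice_attack` makes the first call in `main` dereference a NULL `vd`, which is the crash path the report describes.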