调用JS替换的函数，会crash

[xiaolongiy]

crash信息：

Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x000000000000000e Termination Signal: Segmentation fault: 11 Termination Reason: Namespace SIGNAL, Code 0xb Terminating Process: exc handler [0] Triggered by Thread: 0

Thread 0 name: Thread 0 Crashed: 0 JavaScriptCore 0x000000018dab0d98 JSC::jsIsObjectTypeOrNull(JSC::ExecState*, JSC::JSValue) + 88 (StructureIDBlob.h:59) 1 JavaScriptCore 0x000000018d666eec slow_path_is_object_or_null + 124 (CommonSlowPaths.cpp:539) 2 JavaScriptCore 0x000000018da83be0 llint_entry + 21088 3 JavaScriptCore 0x000000018da84a38 llint_entry + 24760 4 JavaScriptCore 0x000000018da84a38 llint_entry + 24760 5 JavaScriptCore 0x000000018da84a38 llint_entry + 24760 6 JavaScriptCore 0x000000018da84a38 llint_entry + 24760 7 JavaScriptCore 0x000000018da7e7b8 vmEntryToJavaScript + 264 8 JavaScriptCore 0x000000018d951a88 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 168 (JITCode.cpp:80) 9 JavaScriptCore 0x000000018d3a35fc JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 352 (Interpreter.cpp:1018) 10 JavaScriptCore 0x000000018d6161a0 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 160 (CallData.cpp:40) 11 JavaScriptCore 0x000000018d3a33b0 JSObjectCallAsFunction + 536 (JSObjectRef.cpp:540) 12 JavaScriptCore 0x000000018da359f4 -[JSValue callWithArguments:] + 304 (JSValue.mm:411) 13 netdisk_iPhone 0x0000000100283494 JPForwardInvocation + 5936 (JPEngine.m:847) 14 CoreFoundation 0x00000001894ae078 forwarding + 404 (NSForwarding.m:3133) 15 CoreFoundation 0x00000001893a859c _CF_forwarding_prep_0 + 92

JS实现：

defineClass('User',{},{ isActive: function() { return self.isLogin(); } })

返回的是bool型，self.isLogin(),也是一个返回bool型的函数

[GarfieldGitHub]

你们的是必崩吗？跟操作系统版本有关吗？

[GarfieldGitHub]

我们是偶现的崩溃，只在iOS7和iOS8下崩溃，而且崩溃类型是SIGSEGV，但也涉及到了布尔值