Bug 202710
| Summary: | Post increment/decrement should only call ToNumber once | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Robin Morisset <rmorisset> |
| Component: | JavaScriptCore | Assignee: | Robin Morisset <rmorisset> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | | |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Robin Morisset
Currently they call it twice, see the following test case:
```
var o = {};
var counter = 0;
// valueOf is reached through ToNumeric -> ToNumber -> ToPrimitive; count how often it runs
o.valueOf = () => { counter++; return 42; };
o++;
if (counter != 1)
    throw "valueOf was executed " + counter + " times during a post-increment instead of once!";
```
As far as I can tell this is not spec-compliant:
12.4.4 Postfix Increment Operator requires a single call to ToNumeric.
Then there is a single chain of ToNumeric -> ToNumber -> ToPrimitive -> OrdinaryToPrimitive -> valueOf with no reason for the call to be duplicated anywhere.
The problem appears to be from:
```
static RegisterID* emitPostIncOrDec(BytecodeGenerator& generator, RegisterID* dst, RegisterID* srcDst, Operator oper)
{
    if (dst == srcDst)
        return generator.emitToNumber(generator.finalDestination(dst), srcDst);
    RefPtr<RegisterID> tmp = generator.emitToNumber(generator.tempDestination(dst), srcDst);
    emitIncOrDec(generator, srcDst, oper);
    return generator.move(dst, tmp.get());
}
```
which uses an emitToNumber, but then does an emitIncOrDec on the original value, which itself can lead to a slow path that does ToNumber anew.
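A small harness, added here and not part of the bug report or of WebKit's test suite, that generalizes the reporter's test case: it counts valueOf calls for all four increment/decrement operators on a local binding, and also for the member and element forms, then lists any form that deviates from the single ToNumeric call the spec requires. The function and form names are my own.

```javascript
// Each form takes an object x whose valueOf counts its own invocations,
// applies one increment/decrement form to it, and returns the stored result.
// Per ECMA-262 12.4.4-12.4.7, every form must run ToNumeric exactly once.
const forms = {
  'local o++':    (x) => { let o = x; o++; return o; },
  'local o--':    (x) => { let o = x; o--; return o; },
  'local ++o':    (x) => { let o = x; ++o; return o; },
  'local --o':    (x) => { let o = x; --o; return o; },
  'member h.v++': (x) => { const h = { v: x }; h.v++; return h.v; },
  'element h[0]++': (x) => { const h = [x]; h[0]++; return h[0]; },
};

// Runs one form against a fresh counting object (constructed here) and
// reports how many times valueOf fired and what value was stored back.
function countCoercions(formName) {
  let calls = 0;
  const x = { valueOf() { calls++; return 42; } };
  const result = forms[formName](x);
  return { calls, result };
}

// Names of the forms whose coercion count is not the single call the spec requires;
// empty on a compliant engine, non-empty on one with the bug described above.
function nonCompliantForms() {
  return Object.keys(forms).filter((name) => countCoercions(name).calls !== 1);
}

for (const name of Object.keys(forms)) {
  const { calls, result } = countCoercions(name);
  console.log(`${name.padEnd(16)} valueOf calls: ${calls}  stored value: ${result}`);
}
```

Run it under the engine being checked; the stored value is 43 or 41 in every form because the spec applies the operator to the ToNumeric result and writes that number back.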
Alexey Proskuryakov
*** This bug has been marked as a duplicate of bug 202711 ***