Bug 202710 - Post increment/decrement should only call ToNumber once
Summary: Post increment/decrement should only call ToNumber once
Status: RESOLVED DUPLICATE of bug 202711
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Robin Morisset
Reported: 2019-10-08 16:05 PDT by Robin Morisset
Modified: 2019-10-11 00:04 PDT

Description Robin Morisset 2019-10-08 16:05:01 PDT
Currently they call it twice; see the following test case:
```
var o = {};
var counter = 0;
o.valueOf = () => {counter ++; return 42};
o++;
if (counter != 1)
    throw "valueOf was executed " + counter + " times during a post-increment instead of once!";
```

As far as I can tell this is not spec-compliant:
12.4.4 Postfix Increment Operator requires a single call to ToNumeric.
Then there is a single chain of ToNumeric -> ToNumber -> ToPrimitive -> OrdinaryToPrimitive -> valueOf with no reason for the call to be duplicated anywhere.

The problem appears to be from:
```
static RegisterID* emitPostIncOrDec(BytecodeGenerator& generator, RegisterID* dst, RegisterID* srcDst, Operator oper)
{
    if (dst == srcDst)
        return generator.emitToNumber(generator.finalDestination(dst), srcDst);
    RefPtr<RegisterID> tmp = generator.emitToNumber(generator.tempDestination(dst), srcDst);
    emitIncOrDec(generator, srcDst, oper);
    return generator.move(dst, tmp.get());
}
```
which uses an emitToNumber, but then does an emitIncOrDec on the original value, which itself can lead to a slow path that does ToNumber anew.
Comment 1 Alexey Proskuryakov 2019-10-11 00:04:02 PDT

*** This bug has been marked as a duplicate of bug 202711 ***
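
An added example, not part of the bug report or of WebKit's own tests: a small harness that generalizes the reporter's test case to decrement, prefix forms, property and element targets, and the three conversion hooks (`valueOf`, `toString`, `Symbol.toPrimitive`), checking that each update expression performs exactly one conversion and yields the expected values. The names `makeProbe`, `CASES` and `runConformance` are hypothetical, and the repeat count is an arbitrary choice meant to give an engine's optimizing tiers, where it has them, a chance to run the same code.

```javascript
// Added example: generalizes the report's test case. All names are hypothetical.

// Object whose numeric conversion is observable through exactly one hook.
function makeProbe(hook) {
  const probe = { calls: 0 };
  const convert = () => { probe.calls += 1; return 42; };
  probe[hook === "toPrimitive" ? Symbol.toPrimitive : hook] = convert;
  return probe;
}

// Each case: [label, [expected expression value, expected stored value], runner].
const CASES = [
  ["x++",    [42, 43], (p) => { let x = p; const r = x++; return [r, x]; }],
  ["x--",    [42, 41], (p) => { let x = p; const r = x--; return [r, x]; }],
  ["++x",    [43, 43], (p) => { let x = p; const r = ++x; return [r, x]; }],
  ["o.p++",  [42, 43], (p) => { const o = { p }; const r = o.p++; return [r, o.p]; }],
  ["a[0]--", [42, 41], (p) => { const a = [p]; const r = a[0]--; return [r, a[0]]; }],
];

// Runs every case with every hook, `rounds` times each, using a fresh probe
// per run. Returns a de-duplicated list of failure descriptions.
function runConformance(rounds = 1) {
  const failures = new Set();
  for (const hook of ["valueOf", "toString", "toPrimitive"]) {
    for (const [name, [wantResult, wantStored], run] of CASES) {
      for (let i = 0; i < rounds; i++) {
        const probe = makeProbe(hook);
        const [result, stored] = run(probe);
        if (probe.calls !== 1)
          failures.add(`${name} via ${hook}: ${probe.calls} conversions, expected 1`);
        if (result !== wantResult || stored !== wantStored)
          failures.add(`${name} via ${hook}: got [${result}, ${stored}]`);
      }
    }
  }
  return [...failures];
}

const failures = runConformance(1000);
console.log(failures.length ? failures.join("\n") : "all update expressions convert once");
```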