Currently they call it twice, see the following test case: ``` var o = {}; var counter = 0; o.valueOf = () => {counter ++; return 42}; o++; if (counter != 1) throw "valueOf was executed " + counter + " times during a post-increment instead of once!"; ``` As far as I can tell this is not spec-compliant: 12.4.4 Postfix Increment Operator requires a single call to ToNumeric. Then there is a single chain of ToNumeric -> ToNumber -> ToPrimitive -> OrdinaryToPrimitive -> valueOf with no reason for the call to be duplicated anywhere. The problem appears to be from: ``` static RegisterID* emitPostIncOrDec(BytecodeGenerator& generator, RegisterID* dst, RegisterID* srcDst, Operator oper) { if (dst == srcDst) return generator.emitToNumber(generator.finalDestination(dst), srcDst); RefPtr<RegisterID> tmp = generator.emitToNumber(generator.tempDestination(dst), srcDst); emitIncOrDec(generator, srcDst, oper); return generator.move(dst, tmp.get()); } ``` which uses an emitToNumber, but then does an emitIncOrDec on the original value, which itself can lead to a slow path that does ToNumber anew.
*** This bug has been marked as a duplicate of bug 202711 ***