What does the HSimulate instruction in Hydrogen actually mean?

The other instructions in the Hydrogen IR of V8's Crankshaft compiler architecture are all easy to understand; only this HSimulate I just cannot make sense of. Also, I could not find a corresponding instruction in HotSpot C1, which is Crankshaft's counterpart. Any guidance would be appreciated.
This is an HIR instruction related to the deoptimization feature that V8 has supported since Crankshaft; it records the information needed to map the state of Crankshaft's optimized code back to the state of the unoptimized FullCodeGen code.

Sasha (Vyacheslav Egorov) put it this way:
Optimizing for V8 - Hydrogen
Simulate is a pseudo-instruction that marks a deoptimization point. If some check fails then execution will continue from a place in non-optimized code that corresponds to the closest dominating simulate; the simulate id will be used to find this place. This is called deoptimization. The information that each simulate carries around describes the changes to the state of the unoptimized code that happened since the previous simulate (which locals were assigned, what was pushed on the expression stack). This is used to build a description of the non-optimized frame that will be used for frame rewriting during deoptimization. Hope this explains it.

Another slide deck gives a rough introduction to deoptimization in V8:
High performance JavaScript with V8
starting from page 40

And this article explains HSimulate's role in the deoptimization implementation more directly:
Deoptimize me not, v8

The HotSpot C1 / Maxine C1X compilers have no instruction that corresponds directly to HSimulate, but deoptimization is still implemented.
In C1 / C1X, any HIR instruction that may carry a safepoint is a potential deoptimization point. Such instructions carry a ValueStack / FrameState object describing the relationship between the interpreter frame's slots and HIR instructions, so that when deoptimization is needed the corresponding interpreter frame can be reconstructed from the frame of the C1 / C1X compiled method.

The biggest difference between V8's HSimulate and the HIR instructions carrying ValueStack / FrameState in C1 / C1X is that in V8 multiple HIR instructions that may deoptimize can share one HSimulate, whereas in C1 / C1X the mapping information is carried directly on the HIR instruction where deoptimization may occur.

V8's HSimulate approach keeps the code leaner: fewer HIR values are captured by deoptimization information, which reduces the interference deoptimization causes for compiler optimizations.
The same idea is applied elsewhere too, for example the Guard IR instruction in the Graal compiler. See the paper: An Intermediate Representation for Speculative Optimizations in a Dynamic Compiler
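The mechanics described in the answer above (a Simulate records only the delta of unoptimized state since the previous Simulate, several checks share the closest dominating Simulate, and the unoptimized frame is rebuilt by replaying the deltas) can be modelled in a few dozen lines. The following is an added toy model written for this page; it is not V8 code and uses none of V8's actual classes. It assumes straight-line code, so "closest dominating Simulate" reduces to the nearest earlier one, and the instruction names, the 31-bit Smi range and the sample block for `var a = x + 1; var b = a * 2;` are all constructed for the example.

```python
"""Toy model of Hydrogen-style Simulate pseudo-instructions (constructed example, not V8 code).

A Simulate records only what changed in the unoptimized-code state since the
previous Simulate; a failing Check deoptimizes to the closest dominating
Simulate, whose id names the resume point, and the unoptimized frame is
rebuilt by replaying the recorded deltas up to that Simulate.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union


class DeoptError(Exception):
    """Raised when the recorded deltas cannot be replayed into a consistent frame."""


@dataclass
class UnoptimizedFrame:
    """The FullCodeGen-style state the deoptimizer must reconstruct."""
    locals: Dict[str, object] = field(default_factory=dict)
    expr_stack: List[object] = field(default_factory=list)


@dataclass
class Simulate:
    """Pseudo-instruction: delta of the unoptimized state since the previous Simulate."""
    sid: int                                                    # id of the resume point in unoptimized code
    assigned: Dict[str, object] = field(default_factory=dict)  # locals written since the previous Simulate
    pops: int = 0                                               # expression-stack pops since then
    pushes: List[object] = field(default_factory=list)         # expression-stack pushes since then


@dataclass
class Check:
    """A guard (CheckSmi, CheckNonZero, ...); on failure control leaves optimized code."""
    name: str
    predicate: Callable[[], bool]


Instr = Union[Simulate, Check]


def closest_dominating_simulate(block: List[Instr], index: int) -> Simulate:
    """For straight-line code the closest dominating Simulate is the nearest earlier one."""
    for i in range(index - 1, -1, -1):
        if isinstance(block[i], Simulate):
            return block[i]
    raise DeoptError("check at index %d has no dominating Simulate" % index)


def rebuild_frame(block: List[Instr], target: Simulate) -> UnoptimizedFrame:
    """Replay every Simulate delta up to and including `target` into a full frame."""
    frame = UnoptimizedFrame()
    for instr in block:
        if not isinstance(instr, Simulate):
            continue
        frame.locals.update(instr.assigned)
        if instr.pops > len(frame.expr_stack):
            raise DeoptError("Simulate %d pops more than the stack holds" % instr.sid)
        del frame.expr_stack[len(frame.expr_stack) - instr.pops:]
        frame.expr_stack.extend(instr.pushes)
        if instr is target:
            return frame
    raise DeoptError("target Simulate %d not found in block" % target.sid)


def run_block(block: List[Instr]) -> Tuple[str, Optional[int], Optional[UnoptimizedFrame]]:
    """Execute checks in order; on the first failure return the deopt target and rebuilt frame."""
    for i, instr in enumerate(block):
        if isinstance(instr, Check) and not instr.predicate():
            sim = closest_dominating_simulate(block, i)
            return ("deopt", sim.sid, rebuild_frame(block, sim))
    return ("ok", None, None)


def is_smi(v: object) -> bool:
    """Small-integer check; the 31-bit range is this example's assumption, not V8's definition."""
    return isinstance(v, int) and not isinstance(v, bool) and -(2 ** 30) <= v < 2 ** 30


def build_example_block(x: int) -> List[Instr]:
    """Optimized code for roughly `var a = x + 1; var b = a * 2;` with parameter x (constructed)."""
    a = x + 1
    return [
        Simulate(sid=0, assigned={"x": x}),                 # state at entry: only the parameter
        Check("CheckSmi(x)", lambda: is_smi(x)),
        Check("CheckNonZero(x)", lambda: x != 0),           # shares Simulate 0 with the check above
        Simulate(sid=1, assigned={"a": a}, pushes=[a]),     # `a` assigned and left on the expression stack
        Check("CheckSmi(a)", lambda: is_smi(a)),
        Simulate(sid=2, assigned={"b": a * 2}, pops=1),     # `b` assigned, `a` popped
    ]


def run_example(x: int) -> Tuple[str, Optional[int], Optional[UnoptimizedFrame]]:
    return run_block(build_example_block(x))


if __name__ == "__main__":
    for value in (5, 0, 2 ** 30 - 1):
        print(value, run_example(value))
```

Running it with `x = 0` fails `CheckNonZero(x)`, and the deoptimizer resumes at Simulate 0 with a frame holding only `x`; with `x = 2**30 - 1` the first two checks pass and `CheckSmi(a)` fails, so the frame is rebuilt from Simulates 0 and 1 together (`x` and `a` as locals, `a` on the expression stack). That replay is the point the answer makes about each Simulate carrying only the changes since the previous one, and the two checks between Simulates 0 and 1 show several guards sharing one Simulate.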