Home >Backend Development >PHP Tutorial >Detailed explanation of the timeout mechanism when php script is running, detailed explanation of php script mechanism_PHP tutorial
When doing PHP development, max_input_time and max_execution_time are often set to control the timeout of the script. But I never thought about the principle behind it.
Take advantage of the free time in these two days to study this issue.
Timeout configuration
How PHP’s ini configuration works is a commonplace topic.
First, we configure it in php.ini. When php starts (php_module_startup stage), it will try to read the ini file and parse it. To put it simply, the parsing process is to analyze the ini file, extract the legal key-value pairs, and save them to the configuration_hash table.
OK, then php will further call zend_startup_extensions to start each module (including the php Core module and all extensions that need to be loaded). In the startup function of each module, the REGISTER_INI_ENTRIES action will be completed. REGISTER_INI_ENTRIES is responsible for taking out some configurations corresponding to the module from the configuration_hash table, then calling the processing function, and finally storing the processed values into the globals variable of the module.
The two configurations max_input_time and max_execution_time belong to the php Core module. For php Core, REGISTER_INI_ENTRIES still occurs in php_module_startup. Configurations that also belong to the php Core module include expose_php, display_errors, memory_limit, etc...
The schematic diagram is as follows:
---->php_module_startup----------->php_request_startup----> | | |-->REGISTER_INI_ENTRIES | | |-->zend_startup_extensions | | | |-->zm_startup_date | | |-->REGISTER_INI_ENTRIES | | | |-->zm_startup_json | | |-->REGISTER_INI_ENTRIES | | |-->do otherthings
As mentioned above, REGISTER_INI_ENTRIES will call different functions for different configurations. Let’s look directly at the function corresponding to max_execution_time:
static PHP_INI_MH(OnUpdateTimeout) { // php启动阶段走这里 if (stage == PHP_INI_STAGE_STARTUP) { // 将超时设置保存到EG(timeout_seconds)中 EG(timeout_seconds) = atoi(new_value); return SUCCESS; } // php执行过程中的ini set则走这里 zend_unset_timeout(TSRMLS_C); EG(timeout_seconds) = atoi(new_value); zend_set_timeout(EG(timeout_seconds), 0); return SUCCESS; }
We will only look at the first half for now, because we only need to pay attention to the startup phase of php. The behavior of this function is very simple, and max_execution_time is stored in EG (timeout_seconds).
As for max_input_time, there is no special processing function. By default, max_input_time will be stored in PG (max_input_time).
So when REGISTER_INI_ENTRIES completes, what happens is:
max_execution_time ----> Store in EG(timeout_seconds)
max_input_time ----> Store in PG(max_input_time)
Request timeout control
Now that we understand what happens in the startup phase of PHP, let’s continue to look at how PHP manages timeouts when it actually processes requests.
There is the following code in the php_request_startup function:
if (PG(max_input_time) == -1) { zend_set_timeout(EG(timeout_seconds), 1); } else { zend_set_timeout(PG(max_input_time), 1); }
The timing of php_request_startup is very particular.
Taking cgi as an example, php_request_startup will be called only after php has obtained the original request and some CGI environment variables from CGI. When the above code is actually executed, since the request has been obtained, SG (request_info) is in a ready state, but super global variables such as $_GET, $_POST, $_FILE and so on in PHP have not yet been generated.
Understanding from the code:
1. If the user sets max_input_time to -1, or does not configure it, then the life cycle of the script is only limited by EG (timeout_seconds).
2. Otherwise, the timeout control in the request startup phase is subject to PG (max_input_time).
3. The zend_set_timeout function is responsible for setting the timer. Once the specified time has passed, the timer will notify the php process. zend_set_timeout will be analyzed in detail below.
After php_request_startup is completed, it enters the actual execution phase of php, that is, php_execute_script. You can see it in php_execute_script:
// 设定执行超时 if (PG(max_input_time) != -1) { #ifdef PHP_WIN32 zend_unset_timeout(TSRMLS_C); // 关闭之前的定时器 #endif zend_set_timeout(INI_INT("max_execution_time"), 0); } // 进入执行 retval = (zend_execute_scripts(ZEND_REQUIRE TSRMLS_CC, NULL, 3, prepend_file_p, primary_file, append_file_p) == SUCCESS);
OK, if the code is executed here and the max_input_time timeout has not occurred, the timeout of max_execution_time will be respecified.
The same is done by calling zend_set_timeout and passing in max_execution_time. Pay special attention to the fact that you need to explicitly call zend_unset_timeout to turn off the original timer under Windows, but not under Linux. This is due to the different implementation principles of timers on the two platforms, which will be described in detail below.
Finally, a picture is used to represent the process of timeout control. The case on the left shows that the user has configured both max_input_time and max_execution_time. The difference on the right is that the user only configured max_execution_time:
zend_set_timeout
As mentioned earlier, the zend_set_timeout function is used to set the timer. Let’s take a closer look at the implementation:
void zend_set_timeout(long seconds, int reset_signals) /* {{{ */ { TSRMLS_FETCH(); // 赋值 EG(timeout_seconds) = seconds; #ifdef ZEND_WIN32 if(!seconds) { return; } // 启动定时器线程 if (timeout_thread_initialized == 0 && InterlockedIncrement(&timeout_thread_initialized) == 1) { /* We start up this process-wide thread here and not in zend_startup(), because if Zend * is initialized inside a DllMain(), you're not supposed to start threads from it. */ zend_init_timeout_thread(); } // 向线程发送WM_REGISTER_ZEND_TIMEOUT消息 PostThreadMessage(timeout_thread_id, WM_REGISTER_ZEND_TIMEOUT, (WPARAM) GetCurrentThreadId(), (LPARAM) seconds); #else // linux平台下 struct itimerval t_r; /* timeout requested */ int signo; if (seconds) { t_r.it_value.tv_sec = seconds; t_r.it_value.tv_usec = t_r.it_interval.tv_sec = t_r.it_interval.tv_usec = 0; // 设置定时器,seconds秒后会发送SIGPROF信号 setitimer(ITIMER_PROF, &t_r, NULL); } signo = SIGPROF; if (reset_signals) { sigset_t sigset; // 设置SIGPROF信号对应的处理函数为zend_timeout signal(signo, zend_timeout); // 防屏蔽 sigemptyset(&sigset); sigaddset(&sigset, signo); sigprocmask(SIG_UNBLOCK, &sigset, NULL); } #endif }
The above implementation can basically be completely divided into two platforms:
Look at linux first:
The timer under Linux is much easier, just call the setitimer function. In addition, zend_set_timeout also sets the handler of the SIGPROF signal to zend_timeout.
Note that when calling setitimer, set it_interval to 0, indicating that this timer only triggers once, not every other time. setitimer can be timed in three ways. PHP uses ITIMER_PROF, which calculates the execution time of user code and kernel code at the same time. Once the time is up, the SIGPROF signal is generated.
When the php process receives the SIGPROF signal, no matter what is currently being executed, it will jump to zend_timeout. zend_timeout is the function that actually handles timeouts.
Look at windows again:
首先会启动一个子线程,该线程主要用于设置定时器,同时维护EG(timed_out)变量。
子线程一旦生成,主线程便会向子线程发送一条消息:WM_REGISTER_ZEND_TIMEOUT。子线程接收到WM_REGISTER_ZEND_TIMEOUT之后,产生一个定时器并开始计时。同时,子线程会设置EG(timed_out) = 0。这很重要!windows平台下正是通过判断EG(timed_out)是否为1,来决定是否超时。
如果定时器到时间了,子线程收到WM_TIMER消息,则取消定时器,并且设置EG(timed_out) = 1。
如果需要关闭定时器,则子线程会收到WM_UNREGISTER_ZEND_TIMEOUT消息。关闭定时器,并不会改变EG(timed_out)。
相关代码还是很清晰的:
static LRESULT CALLBACK zend_timeout_WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) { switch (message) { case WM_DESTROY: PostQuitMessage(0); break; // 生成一个定时器,开始计时 case WM_REGISTER_ZEND_TIMEOUT: /* wParam is the thread id pointer, lParam is the timeout amount in seconds */ if (lParam == 0) { KillTimer(timeout_window, wParam); } else { SetTimer(timeout_window, wParam, lParam*1000, NULL); EG(timed_out) = 0; } break; // 关闭定时器 case WM_UNREGISTER_ZEND_TIMEOUT: /* wParam is the thread id pointer */ KillTimer(timeout_window, wParam); break; // 超时了,也需关闭定时器 case WM_TIMER: { KillTimer(timeout_window, wParam); EG(timed_out) = 1; } break; default: return DefWindowProc(hWnd, message, wParam, lParam); } return 0; }
根据上文描述,最终都是需要跳转到zend_timeout来处理超时的。那windows下如何进入zend_timeout呢?
window下仅在execute函数中(zend_vm_execute.h刚开始的地方),可以看到调用zend_timeout:
while (1) { int ret; #ifdef ZEND_WIN32 if (EG(timed_out)) { // windows下的超时,执行每条opcode之前都判断是否需要调用zend_timeout zend_timeout(0); } #endif if ((ret = OPLINE->handler(execute_data TSRMLS_CC)) > 0) { ... } }
上述代码可以看到:
在windows下,每执行完成一条opcode指令,就会进行一次超时判断。
因为主线程执行opcode的同时,子线程可能已经发生超时,而windows并没有什么机制可以让主线程停止手头的工作,直接跳入zend_timeout。所以只好利用子线程先将EG(timed_out)设置为1,然后主线程在等到当前opcode执行完成、进入下一条opcode之前,判断一下EG(timed_out)再调用zend_timeout。
因此准确的讲,windows的超时,其实是有一点点延时的。至少在某一个opcode执行的过程中,无法被打断。当然,正常情况下,单条opcode的执行时间会很短。但是可以很容易人为构造出一些很耗时的函数,使得function call需要等待较长时间。此时,如果子线程判断出超时了,则还需要经过漫长的等待,直到主线程完成该条opcode之后,才能调用zend_timeout。
zend_unset_timeout
void zend_unset_timeout(TSRMLS_D) /* {{{ */ { #ifdef ZEND_WIN32 // 通过发送WM_UNREGISTER_ZEND_TIMEOUT消息来关闭定时器 if(timeout_thread_initialized) { PostThreadMessage(timeout_thread_id, WM_UNREGISTER_ZEND_TIMEOUT, (WPARAM) GetCurrentThreadId(), (LPARAM) 0); } #else if (EG(timeout_seconds)) { struct itimerval no_timeout; no_timeout.it_value.tv_sec = no_timeout.it_value.tv_usec = no_timeout.it_interval.tv_sec = no_timeout.it_interval.tv_usec = 0; // 全置0,相当于关闭定时器 setitimer(ITIMER_PROF, &no_timeout, NULL); } #endif }
zend_unset_timeout同样分成两种平台的实现。
先看linux:
linux下的关闭定时器也很简单。只要将struct itimerval中的4个值都设置为0,就行了。
再看windows:
由于windows是利用一个独立的线程来计时。因此,zend_unset_timeout会向该线程发送WM_UNREGISTER_ZEND_TIMEOUT消息。WM_UNREGISTER_ZEND_TIMEOUT对应的动作是去调用KillTimer来关闭定时器。注意,线程本身并不退出。
前文留下了一个问题,在php_execute_script中,windows下面要显示调用zend_unset_timeout来关闭定时器,而linux下不需要。因为对于一个linux进程来说,只能存在一个setitimer定时器。也就是说,重复调用setitimer,后面的定时器会直接覆盖前面的。
zend_timeout
ZEND_API void zend_timeout(int dummy) /* {{{ */ { TSRMLS_FETCH(); if (zend_on_timeout) { zend_on_timeout(EG(timeout_seconds) TSRMLS_CC); } zend_error(E_ERROR, "Maximum execution time of %d second%s exceeded", EG(timeout_seconds), EG(timeout_seconds) == 1 ? "" : "s"); }
如前文所述,zend_timeout是实际处理超时的函数。它的实现也很简单。
如果有配置exit_on_timeout,则zend_on_timeout会尝试调用sapi_terminate_process关闭sapi进程。如果无需exit_on_timeout,则直接进入zend_error进行出错处理。大部分情况下,我们并不会设置exit_on_timeout,毕竟我们期望的是虽然一个请求超时了,但是进程仍然保留下来,服务下一个请求。
zend_error除了会打印错误日志,还会利用longjump跳转到boilout指定的栈帧,一般是zend_end_try或者zend_catch宏所在的地方。关于longjump,可以另起一个话题,本文就不具体叙述了。在php_execute_script里面,zend_error会使得程序跳转到zend_end_try的位置然后继续执行。继续执行是指,会调用php_request_shutdown等函数来完成收尾工作。
直到这里,php脚本的超时机制算是讲清楚了。
最后来看一个疑似php内核的bug。
windows下max_input_time的bug
回忆一下,之前有提到windows下只有一个地方调用了zend_timeout,就是execute函数里,准确讲是每条opcode执行之前。
那么,假如发生max_input_time类型的超时,即使子线程将EG(timed_out)被置为1,也得延迟到execute中才能进行超时处理。貌似一切正常。
而问题的关键之处便在于,我们并不能保证主线程执行到execute时,EG(timed_out)任然为1。一旦进入execute之前,EG(timed_out)被子线程修改成0,那么max_input_time类型的超时就永远不会被handle了。
为何EG(timed_out)会被子线程又修改为0呢?原因在于:php_execute_script中,调用了zend_set_timeout(INI_INT("max_execution_time"), 0)来设置定时器。
zend_set_timeout will send the WM_REGISTER_ZEND_TIMEOUT message to the child thread. When the child thread receives this message, in addition to creating a timer, it will also set EG(timed_out) = 0 (see the zend_timeout_WndProc code snippet intercepted above for details). Due to the uncertainty of thread execution, it is impossible to determine whether the child thread has received the message and set EG (timed_out) to 0 when the main thread executes execute.
As shown in the picture,
If the judgment in execute occurs at the time point marked by the red line, EG (timed_out) is 1, and execute will call zend_timeout for timeout processing.
If the judgment in execute occurs at the time point marked by the blue line, EG (timed_out) has been reset to 0, and the max_input_time timeout is completely covered.