Analyze the internal implementation of variables in the PHP7 kernel

The basic structure of PHP variable implementation is zval. Various types of implementation are based on this structure. It is the most basic structure in PHP. Each PHP variable corresponds to a zval. Let’s take a look at this structure and the memory management mechanism of PHP variables.

zval structure

Related learning recommendations: PHP Programming from entry to master

zval结构比较简单，内嵌一个union类型的zend_value保存具体变量类型的值或指针，zval中还有两个union：u1、u2:

• u1: Its meaning is relatively intuitive, and the type of the variable is determined by u1.typeDifferentiation, the other value type_flags is the type mask, which will be used in the memory management of variables and the gc mechanism. The third part will analyze it in detail. As for the last two const_flags , reservedNever mind for the moment

• u2: This value is purely an auxiliary value, if zval only has: For the two values ​​​​value and u1, the size of the entire zval will also be aligned to 16byte. Since the size is 16byte regardless of whether there is u2 or not, it is still cost-effective to use the extra 4byte for some special purposes. For example, next will be used in the hash table to resolve hash conflicts, and fe_pos will be used in foreach...

Fromzend_valueIt can be seen that except for the long and double types that directly store values, other types are pointers, pointing to their respective structures.

Type

zval.u1.typeType:

Scalar type

The simplest types are true, false, long, double, and null. Among them, true, false, and null have no value and are directly distinguished by type, while the values ​​of long and double directly exist in value. Medium: zend_long, double, that is, scalar types do not require additional value pointers.

String

Strings in PHP are represented by zend_string:

• gc: Variable reference information, such as the number of references to the current value. All variable types that use reference counting will have this structure. Section 3.1 will analyze it in detail

• h: Hash value, used when calculating the index in the array

• len: String length, through this The value ensures binary security

• val:String content, variable length struct, apply for memory according to the length of len when allocating

In fact, strings can be divided into several categories: IS_STR_PERSISTENT (allocated through malloc), IS_STR_INTERNED (some literals written in PHP code, such as function names, variable values), IS_STR_PERMANENT (permanent value, life cycle is greater than request) , IS_STR_CONSTANT (constant), IS_STR_CONSTANT_UNQUALIFIED, this information is saved through flag: zval.value->gc.u.flags, and will be analyzed in detail when used later.

Array

array is a very powerful data structure in PHP. Its underlying implementation is an ordinary ordered HashTable. Here is a brief look at its structure. One section will analyze the implementation of arrays separately.

Object/Resource

#Objects are more common, resources refer to TCP connection, file handle and other types. This type is more flexible. You can define struct at will and point it through ptr. This type will be analyzed separately later, so I won’t go into details here.

Reference

Reference is a special type in PHP. It actually points to another A PHP variable, modification to it will directly change the actual zval pointed to, which can be simply understood as a pointer in C. In PHP, a reference variable is generated through the

& operator, which means that regardless of the previous What is the type? &First, a new zval will be generated with the type IS_REFERENCE, and then the value of val will point to the value of the original zval.

The structure is very simple. Except for the public part

zend_refcounted_h, there is only one val. Let’s take an example to see the specific structural relationship:

The final result is as shown below:

##Note: References can only be generated through & and cannot be passed by assignment, such as:

#$b = &$a

At this time, the types of $a and $b are references, but $c = $ b will not directly assign $b to $c, but will assign the zval actually pointed to by $b to $c. If If you want $c to be a reference, you need to do this:

## This also means that the reference in PHP can only have one layer

,

will not have one reference pointing to another reference , that is, there is no pointer to the pointer in C language the concept of. Memory Management

Next, analyze the allocation and destruction of variables.

在分析变量内存管理之前我们先自己想一下可能的实现方案，最简单的处理方式：定义变量时alloc一个zval及对应的value结构(ref/arr/str/res...)，赋值、函数传参时硬拷贝一个副本，这样各变量最终的值完全都是独立的，不会出现多个变量同时共用一个value的情况，在执行完以后直接将各变量及value结构free掉。

这种方式是可行的，而且内存管理也很简单，但是，硬拷贝带来的一个问题是效率低，比如我们定义了一个变量然后赋值给另外一个变量，可能后面都只是只读操作，假如硬拷贝的话就会有多余的一份数据，这个问题的解决方案是：引用计数+写时复制。PHP变量的管理正是基于这两点实现的。

引用计数

引用计数是指在value中增加一个字段refcount记录指向当前value的数量，变量复制、函数传参时并不直接硬拷贝一份value数据，而是将refcount++，变量销毁时将refcount--，等到refcount减为0时表示已经没有变量引用这个value，将它销毁即可。

引用计数的信息位于给具体value结构的gc中：

从上面的zend_value结构可以看出并不是所有的数据类型都会用到引用计数，long、double直接都是硬拷贝，只有value是指针的那几种类型才可能会用到引用计数。

下面再看一个例子：

$a = "hi~";$b = $a;

猜测一下变量$a/$b的引用情况。

这个不跟上面的例子一样吗？字符串"hi~"有$a/$b两个引用，所以zend_string1(refcount=2)。但是这是错的，gdb调试发现上面例子zend_string的引用计数为0。这是为什么呢？

$a,$b -> zend_string_1(refcount=0,val="hi~")

事实上并不是所有的PHP变量都会用到引用计数，标量：true/false/double/long/null是硬拷贝自然不需要这种机制，但是除了这几个还有两个特殊的类型也不会用到：interned string(内部字符串，就是上面提到的字符串flag：IS_STR_INTERNED)、immutable array，它们的type是IS_STRING、IS_ARRAY，与普通string、array类型相同，那怎么区分一个value是否支持引用计数呢？还记得zval.u1中那个类型掩码type_flag吗？正是通过这个字段标识的，这个字段除了标识value是否支持引用计数外还有其它几个标识位，按位分割，注意：type_flag与zval.value->gc.u.flag不是一个值。

支持引用计数的value类型其zval.u1.type_flag包含(注意是&，不是等于)IS_TYPE_REFCOUNTED：

#define IS_TYPE_REFCOUNTED          (1<p style="color:rgb(51,51,51);clear:both;min-height:1em;font-family:'Helvetica Neue', Helvetica, 'Hiragino Sans GB', 'Microsoft YaHei', '微软雅黑', Arial, sans-serif;font-size:16px;">下面具体列下哪些类型会有这个标识：</p><pre style="color:rgb(62,62,62);font-size:18px;line-height:28.8px;" class="brush:php;toolbar:false;">|     type       | refcounted |
+----------------+------------+
|simple types    |            |
|string          |      Y     |
|interned string |            |
|array           |      Y     |
|immutable array |            |
|object          |      Y     |
|resource        |      Y     |
|reference       |      Y     |

simple types很显然用不到，不再解释，string、array、object、resource、reference有引用计数机制也很容易理解，下面具体解释下另外两个特殊的类型：

• interned string：内部字符串，这是种什么类型？我们在PHP中写的所有字符都可以认为是这种类型，比如function name、class name、variable name、静态字符串等等，我们这样定义:$a = "hi~;"后面的字符串内容是唯一不变的，这些字符串等同于C语言中定义在静态变量区的字符串：char *a = "hi~";，这些字符串的生命周期为request期间，request完成后会统一销毁释放，自然也就无需在运行期间通过引用计数管理内存。

• immutable array：只有在用opcache的时候才会用到这种类型，不清楚具体实现，暂时忽略。

写时复制

上一小节介绍了引用计数，多个变量可能指向同一个value，然后通过refcount统计引用数，这时候如果其中一个变量试图更改value的内容则会重新拷贝一份value修改，同时断开旧的指向，写时复制的机制在计算机系统中有非常广的应用，它只有在必要的时候(写)才会发生硬拷贝，可以很好的提高效率，下面从示例看下：

$a = array(1,2);$b = &$a;$c = $a;//发生分离$b[] = 3;

最终的结果：

不是所有类型都可以copy的，比如对象、资源，实时上只有string、array两种支持，与引用计数相同，也是通过zval.u1.type_flag标识value是否可复制的：

#define IS_TYPE_COLLECTABLE         (1<pre style="color:rgb(62,62,62);font-size:18px;line-height:28.8px;" class="brush:php;toolbar:false;">|     type       |  copyable  |
+----------------+------------+
|simple types    |            |
|string          |      Y     |
|interned string |            |
|array           |      Y     |
|immutable array |            |
|object          |            |
|resource        |            |
|reference       |            |

copyable的意思是当value发生duplication时是否需要copy，这个具体有两种情形下会发生：

• a.从literal变量区复制到局部变量区，比如：$a = [];实际会有两个数组，而$a = "hi~";//interned string则只有一个string

• b.局部变量区分离时(写时复制)：如改变变量内容时引用计数大于1则需要分离，$a = [];$b = $a; $b[] = 1;这里会分离，类型是array所以可以复制，如果是对象：$a = new user;$b = $a;$a->name = "dd";这种情况是不会复制object的，$a、$b指向的对象还是同一个

具体literal、局部变量区变量的初始化、赋值后面编译、执行两篇文章会具体分析，这里知道变量有个copyable的属性就行了。

变量回收

PHP变量的回收主要有两种：主动销毁、自动销毁。主动销毁指的就是unset，而自动销毁就是PHP的自动管理机制，在return时减掉局部变量的refcount，即使没有显式的return，PHP也会自动给加上这个操作。

垃圾回收

PHP变量的回收是根据refcount实现的，当unset、return时会将变量的引用计数减掉，如果refcount减到0则直接释放value，这是变量的简单gc过程，但是实际过程中出现gc无法回收导致内存泄漏的bug，先看下一个例子：

$a = [1];$a[] = &$a;unset($a);

unset($a)之前引用关系：

unset($a)之后：

可以看到，unset($a)之后由于数组中有子元素指向$a，所以refcount > 0，无法通过简单的gc机制回收，这种变量就是垃圾，垃圾回收器要处理的就是这种情况，目前垃圾只会出现在array、object两种类型中，所以只会针对这两种情况作特殊处理：当销毁一个变量时，如果发现减掉refcount后仍然大于0，且类型是IS_ARRAY、IS_OBJECT则将此value放入gc可能垃圾双向链表中，等这个链表达到一定数量后启动检查程序将所有变量检查一遍，如果确定是垃圾则销毁释放。

标识变量是否需要回收也是通过u1.type_flag区分的：

#define IS_TYPE_COLLECTABLE

|     type       | collectable |
+----------------+-------------+
|simple types    |             |
|string          |             |
|interned string |             |
|array           |      Y      |
|immutable array |             |
|object          |      Y      |
|resource        |             |
|reference       |             |

具体的垃圾回收过程这里不再介绍。

The above is the detailed content of Analyze the internal implementation of variables in the PHP7 kernel. For more information, please follow other related articles on the PHP Chinese website!