解释
这里基于php7.2.5进行测试,php7之后内部构造变革该当不是太大,但与php5.X有差别。
引用计数
我们之前说过存放字符串的构造为zend_stirng, 忘了的看着里zend_stirng
struct _zend_string { // 这里是引用计数zend_refcounted_h gc; zend_ulong h; / hash value /size_t len; // 长度char val[1]; // 内容};
来看zend_refcounted_h的构造
typedef struct _zend_refcounted_h { // 我们只关注这里 整型的 引用计数 1/2/3...uint32_t refcount;/ reference counter 32-bit /union {struct {ZEND_ENDIAN_LOHI_3(zend_uchar type,zend_uchar flags, / used for strings & objects /uint16_t gc_info) / keeps GC root number (or 0) and color /} v;uint32_t type_info;} u;} zend_refcounted_h;
引用计数是什么
由于引用计数存在zend_value的详细类型中的,如zend_string, zend_array等,以是,引用计数是指当前这个zend_value被多少个zval指向。
引用计数如何产生浸染
$a = time()."hello";echo $a;$b = $a;echo $b;
当赋值$a时,$a指向"hi".time()所在的zend_value, 以是此时引用计数为1
当$b赋值时,$b也指向了"hi".time(), 这时引用计数更新为2
$a = time()."hello";echo $a;$b = $a;echo $b;unset($b);echo $a;
这里我们通过gdb调试程序可以看到引用计数的变革
gdb /home/php7.2.5/debug/bin/php// 设置断点 ZEND_ECHO_SPEC_CV_HANDLER 是echo 的处理程序(gdb) b ZEND_ECHO_SPEC_CV_HANDLERBreakpoint 1 at 0x973289: file /root/php-7.2.5/Zend/zend_vm_execute.h, line 33086.// 运行脚本(gdb) run hello.php// 第一个echo断点Breakpoint 1, ZEND_ECHO_SPEC_CV_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:3308633086SAVE_OPLINE();Missing separate debuginfos, use: debuginfo-install glibc-2.17-222.el7.x86_64 libxml2-2.9.1-6.el7_2.3.x86_64 nss-softokn-freebl-3.36.0-5.el7_5.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-17.el7.x86_64(gdb) n33087z = _get_zval_ptr_cv_undef(opline->op1.var EXECUTE_DATA_CC);(gdb) n33089if (Z_TYPE_P(z) == IS_STRING) {// 打印当前zval, zval.u1.v.type=6解释是字符串(gdb) p z$1 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00, res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = { w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p $1.value.str// 可以看到 目前的refcount=1$2 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}(gdb) p $2.val@15$3 = "1587044278hello"(gdb) n33090zend_string str = Z_STR_P(z);(gdb) n33092if (ZSTR_LEN(str) != 0) {(gdb) cContinuing.1587044278hello// 到了第二个echoBreakpoint 1, cli () at /root/php-7.2.5/Zend/zend_vm_execute.h:3308633086SAVE_OPLINE();(gdb) p z$4 = (zval ) 0x7ffff5e1e090// 打印当前的zval (gdb) p z$5 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00, res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = { w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p $5.value.str// 可以看到refount增加为2$6 = {gc = {refcount = 2, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
可以看到当给$a赋值时,值的引用计数为1,当$a赋值给$b,引用计数再次加1变为2.
// unset 操作的处理Breakpoint 2, ZEND_UNSET_CV_SPEC_CV_UNUSED_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:4051140511zval var = EX_VAR(opline->op1.var);(gdb) n40513if (Z_REFCOUNTED_P(var)) {(gdb) n40514zend_refcounted garbage = Z_COUNTED_P(var);(gdb) n40516ZVAL_UNDEF(var);(gdb) n40517SAVE_OPLINE();(gdb) n// --GC_REFCOUNT 引用计数减一40518if (!--GC_REFCOUNT(garbage)) {(gdb) n40521gc_check_possible_root(garbage);(gdb) n40523ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();(gdb) n40528}(gdb) p var$5 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00, res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = { w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 0 '\000', type_flags = 0 '\000', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 0}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p $5.value.str// 再次打印value的refcount变为1$6 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}(gdb)
也便是在实行unset($b)之后引用计数减一
写时复制
意思便是变量发生变革时再复制一份。
如上所示$b=$a时,并没有把$a复制一份给$b,而是$b、$a指向同一个zend_value, 并更新zend_value的refcount,这样是节省内存的。
那如果接着操作$b重新赋值会发生什么呢
$a = time()."hello";echo $a;$b = $a;$b = "hi".time();echo $b;
看调试结果
(gdb) p z$1 = {value = {lval = 140737318919856, dval = 6.9533474366104141e-310, counted = 0x7ffff5e69eb0, str = 0x7ffff5e69eb0, arr = 0x7ffff5e69eb0, obj = 0x7ffff5e69eb0, res = 0x7ffff5e69eb0, ref = 0x7ffff5e69eb0, ast = 0x7ffff5e69eb0, zv = 0x7ffff5e69eb0, ptr = 0x7ffff5e69eb0, ce = 0x7ffff5e69eb0, func = 0x7ffff5e69eb0, ww = { w1 = 4125531824, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p z$2 = (zval ) 0x7ffff5e1e080(gdb) p $1.value.str// $a = time()."hello" 之后 refcount=1$3 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}(gdb) p $3.val@15$4 = "1587215850hello"......(gdb) cContinuing.1587215850hello// $b = $a 操作Breakpoint 2, ZEND_ASSIGN_SPEC_CV_CV_RETVAL_UNUSED_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:4377943779SAVE_OPLINE();(gdb) n43780value = _get_zval_ptr_cv_BP_VAR_R(opline->op2.var EXECUTE_DATA_CC);(gdb) n43781variable_ptr = _get_zval_ptr_cv_undef_BP_VAR_W(opline->op1.var EXECUTE_DATA_CC);(gdb) n43789value = zend_assign_to_variable(variable_ptr, value, IS_CV);(gdb) n43797ZEND_VM_NEXT_OPCODE_CHECK_EXCEPTION();(gdb) n43798}(gdb) p value$5 = {value = {lval = 140737318919856, dval = 6.9533474366104141e-310, counted = 0x7ffff5e69eb0, str = 0x7ffff5e69eb0, arr = 0x7ffff5e69eb0, obj = 0x7ffff5e69eb0, res = 0x7ffff5e69eb0, ref = 0x7ffff5e69eb0, ast = 0x7ffff5e69eb0, zv = 0x7ffff5e69eb0, ptr = 0x7ffff5e69eb0, ce = 0x7ffff5e69eb0, func = 0x7ffff5e69eb0, ww = { w1 = 4125531824, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p $5.value.str// $b = $a之后 refcount=2$6 = {gc = {refcount = 2, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}....// $b = "hi".time()Breakpoint 1, ZEND_ECHO_SPEC_CV_HANDLER () at /root/php-7.2.5/Zend/zend_vm_execute.h:3308633086SAVE_OPLINE();(gdb) n33087z = _get_zval_ptr_cv_undef(opline->op1.var EXECUTE_DATA_CC);(gdb) n33089if (Z_TYPE_P(z) == IS_STRING) {(gdb) p z // 把稳str的地址 跟$a不是一个了$7 = {value = {lval = 140737318919936, dval = 6.9533474366143666e-310, counted = 0x7ffff5e69f00, str = 0x7ffff5e69f00, arr = 0x7ffff5e69f00, obj = 0x7ffff5e69f00, res = 0x7ffff5e69f00, ref = 0x7ffff5e69f00, ast = 0x7ffff5e69f00, zv = 0x7ffff5e69f00, ptr = 0x7ffff5e69f00, ce = 0x7ffff5e69f00, func = 0x7ffff5e69f00, ww = { w1 = 4125531904, w2 = 32767}}, u1 = {v = {type = 6 '\006', type_flags = 20 '\024', const_flags = 0 '\000', reserved = 0 '\000'}, type_info = 5126}, u2 = {next = 0, cache_slot = 0, lineno = 0, num_args = 0, fe_pos = 0, fe_iter_idx = 0, access_flags = 0, property_guard = 0, extra = 0}}(gdb) p $7.value.str// 新值的refcount=1$8 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 12, val = "h"}(gdb) p $8.val@12$12 = "hi1587216014"// 再来看 原值的refcount 变为了1(gdb) p $1.value.str$11 = {gc = {refcount = 1, u = {v = {type = 6 '\006', flags = 0 '\000', gc_info = 0}, type_info = 6}}, h = 0, len = 15, val = "1"}
总结
引用计数与写时复制是PHP自动垃圾回收的根本。
通过对zval的引用计数的变革监测判断是否可以回收变量,而写时复制则会节省变量所占内存。
把稳事变:
gdb调试时,PHP必须要打开debug模式,在编译的时候加上--enable-debug即可
参考资料:
《PHP7内核阐发》
