PHP Kernel Exploration Variables (2) - Understanding References_PHP Tutorial

PHP Kernel Exploration Variables (2) - Understanding Quotes

Main content of this article:

1. Introduction

I wrote an article about citation a long time ago, but it was written in a cursory way and many principles were not explained clearly. Recently I was reading Derick Rethans (home: http://derickrethans.nl/ Github: https://github.com/derickr) When Daniel made a report before, he found an article explaining the PHP reference mechanism, which is this PDF. The article explains reference counting and reference passing from the perspective of zval and symbol tables. , reference return, global parameters, etc., the principles are eloquent, illustrated and written, and it is very exciting. It is recommended that children who have time read the original version. I believe there will be a lot of gains.

Without further ado, let’s talk about today’s topic.

We know that many languages ​​provide a reference mechanism, which allows us to access the same content using different names (or symbols). The definition of a reference in the PHP manual is: "A reference in PHP means accessing the contents of the same variable with a different name. This is not like a pointer in C. Instead, a reference is a symbol table alias." In other words, a reference Some form of "binding" is implemented. For example, this type of interview question we often encounter is a typical example:

$a = array(1,2,3,4);
foreach($a as &$v){
     $v *= $v;
}
 
foreach($a as $v){
     echo $v;
}

Leaving aside the output of this question, today we will follow the footsteps of senior Derick Rethans and uncover the mystery of citation step by step.

2. Symbol table and zval

Before starting to quote the principles, we need to make a brief explanation of the terms that appear repeatedly in the article. The most important and important ones are: 1. Symbol table 2. zval.

1. Symbol table

Computer language is a tool for communication between humans and machines, but unfortunately, the high-level languages ​​we rely on and are proud of cannot be executed directly on computers because computers can only understand some form of machine language. This means that high-level languages ​​must go through a compilation (or interpretation) process before they can be understood and executed by computers. During this process, many complex processes such as lexical analysis, syntax analysis, semantic analysis, intermediate code generation and optimization are required. During these processes, the compiler may repeatedly use information such as identifiers (such as variables) that appear in the source program. Type checking, semantic checking in the semantic analysis stage), this information is stored in different symbol tables. The symbol table stores the name and attribute information of identifiers in the source program. This information may include: type, storage type, scope, storage allocation information and other additional information. In order to efficiently insert and query symbol table entries, many compiler symbol tables are implemented using Hashtable. We can simply understand it as: the symbol table is a hashtable or map that saves the symbol name and various attributes of the symbol. For example, for program:

$str = 'this is a test';
 
function foo( $a, $b ){
    $tmp = 12;
    return $tmp + $a + $b;
}
  
function to(){
 
}

A possible symbol table (not the actual symbol table) is a structure like this:

We don’t pay attention to the specific structure of the symbol table. We only need to know that each function, class, namespace, etc. has its own independent symbol table (separate from the global symbol table). Speaking of this, I suddenly remembered something. When I first started programming in PHP, when I was reading the manual of the extract() function, I saw the sentence "Import variables from the array into the current symbol table" I couldn't understand the meaning of the words, and I was extremely troubled by the suggestion made by my predecessors that "It is not recommended to use extract($_POST) and extract($_GET) to extract variables". In fact, the abuse of extract will not only cause serious security problems, but also pollute the current symbol table ( active symbol table).

So what is an active symbol table?

We know that during the execution of PHP code, it almost always starts from the global scope, scans sequentially, and executes sequentially. If a function call is encountered, the internal execution of the function will be entered. After the function is executed, it will return to the calling program to continue execution. This means that there must be some mechanism to distinguish the symbol tables used in different stages, otherwise it will cause confusion in compilation and execution. The active symbol table is the symbol table used to mark the current activity (at this time there should be at least a global global symbol table and an active active symbol table. Normally, active symbol table refers to global symbol table). The symbol table is not established at the beginning, but is continuously added and updated as the compiler scans it. When entering a function call, zend (PHP's language interpretation engine) creates a symbol table for the function and points the active symbol table to the symbol table. In other words, the symbol table used at any time should be the current active symbol table.

The above is the entire content of the symbol table. Let’s briefly extract the key contents:

　　更多的资料可以查看：

　　1. http://www.scs.stanford.edu/11wi-cs140/pintos/specs/sysv-abi-update.html/ch4.symtab.html

　　2. http://arantxa.ii.uam.es/~modonnel/Compilers/04_SymbolTablesI.pdf

2. Zval

　　在上一篇博客（PHP内核探索之变量（1）Zval）中，我们已经对zval的结构和基本原理有了一些了解。对zval不了解的童鞋可以先看看。为了方便阅读，我们再次贴出zval的结构：

struct _zval_struct {
    zvalue_value value;       /* value */
    zend_uint refcount__gc;   /* variable ref count */
    zend_uchar type;         /* active type */
    zend_uchar is_ref__gc;    /* if it is a ref variable */
};

typedef struct _zval_struct zval;

三、引用

1.　　引用计数

　　正如上节所言，zval是PHP变量底层的真正容器，为了节省空间，并不是每个变量都有自己独立的zval容器，例如对于赋值（assign-by-value）操作:$a = $b（假设$b,$a都不是引用型变量），Zend并不会为$b变量开辟新的空间，而是将符号表中a符号和b符号指向同一个zval。只有在其中一个变量发生变化时，才会执行zval分离的操作。这被称为COW(Copy-on-write)的机制，可以在一定程度上节省内存和提高效率。

　　为了实现上述机制，需要对zval的引用状态做标记，zval的结构中，refcount__gc便是用于计数的，这个值记录了有多少个变量指向该zval, 在上述赋值操作中,$a=$b ,会增加原始的$b的zval的refcount值。关于这一点，上次(PHP内核探索之变量（1）Zval)已经做了详细的解释，这里不再赘述。

2. 函数传参

　　在脚本执行的过程中，全局的符号表几乎是一直存在的，但除了这个全局的global symbol table，实际上还会生成其他的symbol table：例如函数调用的过程中，Zend会创建该函数的内部symbol table，用于存放函数内部变量的信息，而在函数调用结束后，会删除该symbol table。我们接下来以一个简单的函数调用为例，介绍一下在传参的过程中，变量和zval的状态变化,我们使用的测试脚本是：

function do_zval_test($s){
    $s = "change ";
    return $s;
}
 
$a = "before";
$b = do_zval_test($a);

我们来逐步分析:

(1). $a = "before";

　　这会为$a变量开辟一个新的zval（refcount=1,is_ref=0）,如下所示：

(2). 函数调用do_zval_test($a)

　　由于函数的调用，Zend会为do_zval_test这个函数创建单独的符号表（其中包含该函数内部的符号s），同时，由于$s实际上是函数的形参，因此并不会为$s创建新的zval，而是指向$a的zval。这时，$a指向的zval的refcount应该为3（分别是$a,$s和函数调用堆栈）：

a: (refcount=3, is_ref=0)='before func'

　　如下图所示：

(3).函数内部执行$s = "change "

　　由于$s的值发生了改变，因此会执行zval分离，为s专门copy生成一个新的zval:

(4).函数返回 return $s ; $b = do_zval_test($a).

　　$b与$s共享zval（暂时），准备销毁函数中的符号表：

(5). 销毁函数中的符号表，回到Global环境中：<喎?"http://www.Bkjia.com/kf/ware/vc/" target="_blank" class="keylink">vc3Ryb25nPjwvcD4KPHA+IDxpbWcgc3JjPQ=="http://www.2cto.com/uploadfile/Collfiles/20141129/20141129083533169.jpg" alt="PHP Kernel Exploration Variables (2) - Understanding References_PHP Tutorial">

$src = "string";
debug_zval_dump($src);

string(6) "string" refcount(2)

$a = "simple test";
$b = &a;
$c = &a;
 
$b = 42;
unset($c);
unset($b);

$a = "src";
$b = $a;
$c = &$b;

$a = "src";
$b = &$a;
$c = $a;

function do_zval_test(&$s){
    $s = "after";
    return $s;
}
 
$a = "before";
$b = do_zval_test($a);

PHP Notice:  Only variable references should be returned by reference in xxx(参看PHP手册中的Note).

function &find_node($key,&$tree){
    $item = &$tree[$key];
    return $item;
} 
 
$tree = array(1=>'one',2=>'two',3=>'three');
$node =& find_node(3,$tree);
$node ='new';

tree: (refcount=1, is_ref=0)=array (
    1 => (refcount=1, is_ref=0)='one',
    2 => (refcount=1, is_ref=0)='two',
    3 => (refcount=1, is_ref=0)='three'
)

$var = "outside";
function inside()
{
    $var = "inside";
    echo $var;
    global $var;
    echo $var;
}
 
inside();

$var = "one";      
function update_var($value){
         global $var;
         unset($var);
         global $var;
         $var = $value;
}
 
update_var('four');
echo $var;

$a = array(1,2,3);
foreach($a as &$v){
     $v *= $v;
}
 
foreach($a as $v){
     echo $v;
}

$v = &$a[0];
$v = &$a[1];
$v = &$a[2];

foreach($a as $v){
     echo $v;
}

$v = $a[0];
$v = $a[1];
$v = $a[2];

$a = 123;
xdebug_debug_zval('a');
$b=&$a;
xdebug_debug_zval('a');