PHP RFC: Add support for timing out based on wall-clock time

• Date: 2020-12-12
• Author: Máté Kocsis kocsismate@php.net
• Status: Under discussion
• Target Version: PHP 8.1
• Implementation: https://github.com/php/php-src/pull/6504

On most platforms, PHP currently measures timeouts based on CPU time, rather than wall-clock time. This can be fairly surprising, since neither sleep(), nor network or system calls count towards the limit of the max_execution_time ini setting.

Unfortunately, it is not only surprising, but it can have serious consequences for distributed systems with high traffic, where finishing a request in a timely manner is essential for avoiding cascading failures.

Even if each individual network/system calls have their own timeouts, execution time can still horribly go out of control when there are hundreds or even thousands of them during the same request. This also applies to CLI scripts (e.g. cron jobs) which can possibly execute millions of DB queries, although the timeout command comes in handy in this case.

To make things even worse, neither the most popular web servers offer a remedy. I.e. when using PHP-FPM as process manager, one could make use of the request_terminate_timeout pool-level config option to stop execution after a certain amount of time at latest. This can help, but still falls short when there is a wide variety of acceptable timeout settings for the individual scripts. So in the end, one would have to maintain different pools for slow and fast scripts... Clearly, this can quickly become a burden.

Another solution for the problem could be using something like

if (time() - $startTime > $timeout) {
    die("Timeout exceeded");
}

But let's just leave this idea aside...

This RFC proposes to add a max_execution_wall_time ini setting. If a script runs longer than the value of max_execution_wall_time in seconds according to wall-clock (or real) time, a fatal error is raised. By default, the value of the ini setting is 0, which means that the allowed script duration is unlimited.

A limitation of the implementation is that the timeout takes into effect on a best-effort basis, meaning that the fatal error is triggered only after the call exceeding the time limit is finished. This is in line with the current timeout behavior, and the RFC considers this as an acceptable limitation.

HHVM solved the problem by introducing the TimeoutsUseWallTime ini setting (https://github.com/facebook/hhvm/commit/9a9b42e3610cdf242f16ddb8936ce34adfa0be9e) in order to be able to change the meaning of max_execution_time, while still (partially) remaining compatible with PHP.

None.

Add the max_execution_wall_time ini setting?

The vote requires 2/3 majority to be accepted.