php
diff --git a/‎caddy/admin.go‎
Lines changed: 7 additions & 1 deletion b/‎caddy/admin.go‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎frankenphp.c‎
Lines changed: 167 additions & 6 deletions b/‎frankenphp.c‎
Lines changed: 167 additions & 6 deletions
diff --git a/‎frankenphp.h‎
Lines changed: 34 additions & 0 deletions b/‎frankenphp.h‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎phpmainthread.go‎
Lines changed: 8 additions & 0 deletions b/‎phpmainthread.go‎
Lines changed: 8 additions & 0 deletions
@@ -39,7 +39,13 @@ func (admin *FrankenPHPAdmin) restartWorkers(w http.ResponseWriter, r *http.Requ
 		return admin.error(http.StatusMethodNotAllowed, fmt.Errorf("method not allowed"))
 	}
 
-	frankenphp.RestartWorkers()
+	if err := frankenphp.RestartWorkers(); err != nil {
+		// Restart is incomplete: at least one worker thread was stuck in
+		// an uninterruptible blocking call and did not reload code. Do
+		// not let the admin endpoint lie to automation with a 200.
+		caddy.Log().Sugar().Errorf("workers restart incomplete: %v", err)
+		return admin.error(http.StatusInternalServerError, err)
+	}
 	caddy.Log().Info("workers restarted from admin api")
 	admin.success(w, "workers restarted successfully\n")
 
 
@@ -92,6 +92,135 @@ static bool is_forked_child = false;
 static void frankenphp_fork_child(void) { is_forked_child = true; }
 #endif
 
+/* Best-effort force-kill for PHP threads after the graceful-drain grace
+ * period. Each thread captures pointers to its own executor_globals'
+ * vm_interrupt and timed_out atomic bools at boot and hands them back to
+ * Go via go_frankenphp_store_force_kill_slot. From any goroutine, the
+ * Go side passes that slot back to frankenphp_force_kill_thread, which
+ * stores true into both bools, waking the VM at the next opcode boundary
+ * and unwinding the thread through zend_timeout().
+ *
+ * On platforms with POSIX realtime signals (Linux, FreeBSD), force-kill
+ * also delivers SIGRTMIN+3 to the target thread so any in-flight blocking
+ * syscall (select, sleep, nanosleep, blocking I/O without SA_RESTART)
+ * returns EINTR and the VM gets a chance to observe the atomic bools on
+ * the next opcode. On Windows, CancelSynchronousIo + QueueUserAPC does
+ * the equivalent for alertable I/O and SleepEx. Non-alertable Sleep()
+ * (including PHP's usleep on Windows) stays uninterruptible - the VM
+ * must wait for it to return naturally before bailing.
+ *
+ * macOS has no realtime signals exposed to user-space, so the atomic
+ * bool path is the only mechanism there: threads busy-looping in PHP
+ * are killed promptly, threads stuck in blocking syscalls wait to
+ * return on their own.
+ *
+ * JIT caveat: when the OPcache JIT is enabled, some hot code paths do
+ * not check vm_interrupt between opcodes. A thread stuck in a
+ * JIT-compiled busy loop may not observe the atomic-bool store at all
+ * (see https://github.com/php/php-src/issues/21267). The syscall-
+ * interruption path (signal -> EINTR) still works since the kernel
+ * wakes the thread regardless of JIT state, so the regression surface
+ * is pure-PHP busy loops under JIT. Those fall through to the abandon
+ * path after forceKillDeadline.
+ *
+ * Signal number reservation: SIGRTMIN+3 is reserved by FrankenPHP for
+ * force-kill. If a PHP user script registers its own handler via
+ * pcntl_signal(SIGRTMIN+3, ...), it clobbers ours and force-kill stops
+ * working for threads it runs on. Projects embedding FrankenPHP
+ * alongside their own Go code that also uses that signal must choose a
+ * different one here. Keep this in mind if ever changing the constant.
+ *
+ * The slot lives in the Go-side phpThread struct - there is no C-side
+ * array or init/destroy dance. Signal handler installation happens once
+ * via pthread_once the first time a thread registers. */
+#ifdef PHP_WIN32
+static void CALLBACK frankenphp_noop_apc(ULONG_PTR param) { (void)param; }
+#endif
+
+#ifdef FRANKENPHP_HAS_KILL_SIGNAL
+/* No-op handler: signal delivery is sufficient on its own because it
+ * forces the in-flight syscall to return EINTR. The VM then observes
+ * vm_interrupt on the next opcode and unwinds via zend_timeout(). */
+static void frankenphp_kill_signal_handler(int sig) { (void)sig; }
+
+static pthread_once_t kill_signal_handler_installed = PTHREAD_ONCE_INIT;
+static void install_kill_signal_handler(void) {
+  /* Install the no-op handler process-wide with SA_RESTART cleared so
+   * blocking syscalls return EINTR when the signal is delivered rather
+   * than being transparently restarted by libc. SA_ONSTACK is set
+   * defensively: the signal targets non-Go pthreads via pthread_kill,
+   * but if it's ever delivered to a Go-managed thread (e.g. through
+   * accidental process-level raise), Go requires the handler to run on
+   * the alternate signal stack to avoid corrupting the goroutine's. */
+  struct sigaction sa;
+  memset(&sa, 0, sizeof(sa));
+  sa.sa_handler = frankenphp_kill_signal_handler;
+  sigemptyset(&sa.sa_mask);
+  sa.sa_flags = SA_ONSTACK;
+  sigaction(FRANKENPHP_KILL_SIGNAL, &sa, NULL);
+}
+#endif
+
+/* Called by each PHP thread at boot, from its own TSRM context, so that
+ * the EG-backed addresses resolve to the thread's private executor_globals
+ * and the captured thread identity refers to itself. Hands the slot to
+ * the Go side via go_frankenphp_store_force_kill_slot; the slot's
+ * lifetime is the phpThread's. */
+void frankenphp_register_thread_for_kill(uintptr_t idx) {
+  force_kill_slot slot;
+  memset(&slot, 0, sizeof(slot));
+  slot.vm_interrupt = &EG(vm_interrupt);
+  slot.timed_out = &EG(timed_out);
+#ifdef FRANKENPHP_HAS_KILL_SIGNAL
+  slot.tid = pthread_self();
+  pthread_once(&kill_signal_handler_installed, install_kill_signal_handler);
+#elif defined(PHP_WIN32)
+  if (!DuplicateHandle(GetCurrentProcess(), GetCurrentThread(),
+                       GetCurrentProcess(), &slot.thread_handle, 0, FALSE,
+                       DUPLICATE_SAME_ACCESS)) {
+    /* DuplicateHandle can fail under resource pressure; leave the handle
+     * NULL so force_kill_thread falls back to the atomic-bool path only. */
+    slot.thread_handle = NULL;
+  }
+#endif
+  go_frankenphp_store_force_kill_slot(idx, slot);
+}
+
+void frankenphp_force_kill_thread(force_kill_slot slot) {
+  if (slot.vm_interrupt == NULL) {
+    /* Thread never reached register_thread_for_kill (aborted during boot). */
+    return;
+  }
+  /* Set the atomic bools first so that by the time the thread wakes up -
+   * whether from our signal/APC or naturally - the VM sees them and
+   * routes through zend_timeout() -> "Maximum execution time exceeded". */
+  zend_atomic_bool_store(slot.timed_out, true);
+  zend_atomic_bool_store(slot.vm_interrupt, true);
+
+#ifdef FRANKENPHP_HAS_KILL_SIGNAL
+  /* Return value intentionally ignored: ESRCH (thread already exited) and
+   * EINVAL are both benign - there is simply nothing to unblock. */
+  pthread_kill(slot.tid, FRANKENPHP_KILL_SIGNAL);
+#elif defined(PHP_WIN32)
+  if (slot.thread_handle != NULL) {
+    CancelSynchronousIo(slot.thread_handle);
+    QueueUserAPC((PAPCFUNC)frankenphp_noop_apc, slot.thread_handle, 0);
+  }
+#endif
+}
+
+/* Releases any OS resource tied to the slot (currently: CloseHandle on
+ * Windows). Called by the Go side when a phpThread is torn down. */
+void frankenphp_release_thread_for_kill(force_kill_slot slot) {
+#ifdef PHP_WIN32
+  if (slot.thread_handle != NULL) {
+    CloseHandle(slot.thread_handle);
+  }
+#else
+  (void)slot;
+#endif
+}
+
 void frankenphp_update_local_thread_context(bool is_worker) {
   is_worker_thread = is_worker;
 
@@ -253,8 +382,14 @@ static frankenphp_thread_metrics *thread_metrics = NULL;
 
 /* Adapted from php_request_shutdown */
 static void frankenphp_worker_request_shutdown() {
-  __atomic_store_n(&thread_metrics[thread_index].last_memory_usage,
-                   zend_memory_usage(0), __ATOMIC_RELAXED);
+  /* thread_metrics can be NULL if the Go side already ran
+   * frankenphp_destroy_thread_metrics because Shutdown timed out waiting
+   * for this thread: tolerate the race rather than dereferencing freed
+   * memory when the blocked call finally unwinds. */
+  if (thread_metrics != NULL) {
+    __atomic_store_n(&thread_metrics[thread_index].last_memory_usage,
+                     zend_memory_usage(0), __ATOMIC_RELAXED);
+  }
 
   /* Flush all output buffers */
   zend_try { php_output_end_all(); }
@@ -1073,6 +1208,11 @@ static void *php_thread(void *arg) {
 #endif
 #endif
 
+  /* Register this thread's vm_interrupt/timed_out addresses so the Go side
+   * can force-kill it after the graceful-drain grace period if it gets stuck
+   * in a busy PHP loop. */
+  frankenphp_register_thread_for_kill(thread_index);
+
   bool thread_is_healthy = true;
   bool has_attempted_shutdown = false;
 
@@ -1108,9 +1248,12 @@ static void *php_thread(void *arg) {
       zend_destroy_file_handle(&file_handle);
       reset_sandboxed_environment();
 
-      /* Update the last memory usage for metrics */
-      __atomic_store_n(&thread_metrics[thread_index].last_memory_usage,
-                       zend_memory_usage(0), __ATOMIC_RELAXED);
+      /* Update the last memory usage for metrics (see
+       * frankenphp_worker_request_shutdown for the NULL-check rationale). */
+      if (thread_metrics != NULL) {
+        __atomic_store_n(&thread_metrics[thread_index].last_memory_usage,
+                         zend_memory_usage(0), __ATOMIC_RELAXED);
+      }
 
       has_attempted_shutdown = true;
 
@@ -1150,6 +1293,15 @@ static void *php_thread(void *arg) {
   }
   zend_end_try();
 
+  /* Clear the force-kill slot BEFORE ts_free_thread: that call frees
+   * the TSRM storage that &EG(vm_interrupt) / &EG(timed_out) point at.
+   * Clearing afterwards (even under a write lock) would leave a window
+   * where a concurrent delivery reads the still-populated slot and
+   * writes into freed memory. Applies to both the healthy exit and the
+   * unhealthy-restart path below so every call to force_kill_thread
+   * sees either a valid or a zero-valued slot. */
+  go_frankenphp_clear_force_kill_slot(thread_index);
+
   /* free all global PHP memory reserved for this thread */
 #ifdef ZTS
   ts_free_thread();
@@ -1163,7 +1315,16 @@ static void *php_thread(void *arg) {
   }
 
   /* Thread is unhealthy, PHP globals might be in a bad state after a bailout,
-   * restart the entire thread */
+   * restart the entire thread - unless we're already past Shutdown (detected
+   * via thread_metrics having been freed). Respawning after Shutdown would
+   * hand a fresh pthread a nil phpThreads slice on the Go side and a freed
+   * thread_metrics array on the C side, so we simply drop the restart. */
+  if (thread_metrics == NULL) {
+    frankenphp_log_message(
+        "Unhealthy thread unwinding after Shutdown; not restarting",
+        LOG_WARNING);
+    return NULL;
+  }
   frankenphp_log_message("Restarting unhealthy thread", LOG_WARNING);
 
   if (!frankenphp_new_php_thread(thread_index)) {
 
@@ -46,6 +46,28 @@ static inline HRESULT LongLongSub(LONGLONG llMinuend, LONGLONG llSubtrahend,
 #include <stdbool.h>
 #include <stdint.h>
 
+#ifndef PHP_WIN32
+#include <pthread.h>
+#include <signal.h>
+#endif
+
+/* Platform capabilities for the force-kill primitive; declared in the
+ * header so Go (via CGo) gets the correct struct layout too. */
+#if !defined(PHP_WIN32) && defined(SIGRTMIN)
+#define FRANKENPHP_HAS_KILL_SIGNAL 1
+#define FRANKENPHP_KILL_SIGNAL (SIGRTMIN + 3)
+#endif
+
+typedef struct {
+  zend_atomic_bool *vm_interrupt;
+  zend_atomic_bool *timed_out;
+#ifdef FRANKENPHP_HAS_KILL_SIGNAL
+  pthread_t tid;
+#elif defined(PHP_WIN32)
+  HANDLE thread_handle;
+#endif
+} force_kill_slot;
+
 #ifndef FRANKENPHP_VERSION
 #define FRANKENPHP_VERSION dev
 #endif
@@ -193,6 +215,18 @@ void frankenphp_init_thread_metrics(int max_threads);
 void frankenphp_destroy_thread_metrics(void);
 size_t frankenphp_get_thread_memory_usage(uintptr_t thread_index);
 
+/* Best-effort force-kill primitives. The slot is populated by each PHP
+ * thread at boot (frankenphp_register_thread_for_kill calls back into Go
+ * via go_frankenphp_store_force_kill_slot) and lives in the Go-side
+ * phpThread. force_kill_thread interrupts the Zend VM at the next opcode
+ * boundary; on POSIX it also delivers SIGRTMIN+3 to the target thread,
+ * on Windows it calls CancelSynchronousIo + QueueUserAPC. release_thread
+ * drops any OS-owned resource tied to the slot (currently the Windows
+ * thread handle). */
+void frankenphp_register_thread_for_kill(uintptr_t thread_index);
+void frankenphp_force_kill_thread(force_kill_slot slot);
+void frankenphp_release_thread_for_kill(force_kill_slot slot);
+
 void register_extensions(zend_module_entry **m, int len);
 
 #endif
@@ -97,6 +97,14 @@ func drainPHPThreads() {
 	}
 
 	doneWG.Wait()
+	// Slots are released by the PHP threads themselves, under the
+	// per-thread write lock, right before ts_free_thread() runs (see
+	// go_frankenphp_clear_force_kill_slot). A second release here would
+	// be a double-CloseHandle on Windows (potentially on a reused handle)
+	// and bypass the lock discipline on every platform, so we rely on
+	// the thread-exit path instead. Threads that were abandoned by
+	// phpThread.shutdown() still hold their slot; the OS reclaims the
+	// handle when the process exits.
 	mainThread.state.Set(state.Done)
 	mainThread.state.WaitFor(state.Reserved)
 	C.frankenphp_destroy_thread_metrics()