The variables system prior to Drupal 8 is one of the simplest, most central, and most commonly used APIs, to the point where it’s very rare to find a module that doesn’t use it. It’s also one of the most frequently abused APIs, including in Drupal core, so it provides a good example of how a simple API can come to be misused over time as use cases change. As you’ll see, this API no longer exists in Drupal 8.

We’ll start with a brief explanation of the API and its implementation in Drupal core.

Variables are stored in a single table with a name and a serialized value. Early in each page request, every variable is loaded into the $conf global from the cache (or the cache item is rebuilt if it’s missing). Individual variables are accessed, set, or deleted via the variable_get(), variable_set(), and variable_del() functions. system_settings_form() provides a degree of automation between administrative configuration pages and the variables they control.

Over the years, as well as storing configuration, the variables system has been used for storing other things as well:

Prior to Drupal 8, core did not provide a dedicated key/value store, so the variables system was reused for this as the next closest thing.

Examples of where variables are used to store state in Drupal core include for tracking whether outgoing HTTP requests are failing, the time of the last cron run, and the filenames and file collections for generated CSS and JavaScript aggregates.

When a variable is set, three things can happen:

If variable_set() ends up being called very frequently, this can result in either a cache stampede, where dozens of requests are constantly updating the cache entry, or a lock stampede, where processes are constantly waiting for a new variable cache entry that may be invalidated again before they’re able to retrieve it from the cache.

What makes this problem worse is that it can be relatively hard to track down the cause, for a few reasons:

If you find a module doing this in Drupal 7, consider checking that the value of the variable has changed before saving it, converting the code to use the cache system if that’s feasible, saving the value in a dedicated table if it’s not requested frequently, or, like drupal_http_request(), just logging the change via watchdog().

In Drupal 8, the variables system has been completely removed and replaced with three distinct APIs:

Increasingly, site development includes interacting with external APIs, whether for social sharing, login, content sharing, or similar purposes. When making HTTP requests from PHP code, it’s easy to introduce a single point of failure in your architecture, and in the case of requests to an external API, it’s one that you will have no control over if the service happens to be sluggish or go down due to network or infrastructure issues.

Examples of where this can go wrong include features such as allowing users to specify an RSS feed in their profile pages and then displaying it in a block, or using the PHP APIs for services such as Facebook and Twitter. If the request to the external service takes several seconds, times out, or returns a bad status code, will your page still be served in a timely manner, or at all?

External HTTP requests can also be a hidden cause of performance issues on a site, since they may be intermittent and will not cause high CPU or disk load in the same way poorly optimized PHP algorithms or slow database queries can.

There are several steps that can be taken to reduce the potential for catastrophic failure. We’ll use a user-specific RSS feed displayed in a block on the user’s profile page as an example:

Since Drupal 7, sessions are only created for unauthenticated users once something is actually put into $_SESSION. Once a user has a session, page caching is disabled to avoid serving incorrect content based on the contents of the user’s session, such as the contents of a shopping cart, or status messages. This happens when using both the internal page cache and a reverse proxy, if using a standard configuration.

$_SESSION should therefore only be used for situations where storing the information for the anonymous user should also prevent pages being cached for that user. An example would be a user’s shopping cart choices, where the shopping cart contents may be displayed on each page, and the site may want to preserve the choices in the session when the user logs in. While adding items to a shopping cart is a valid reason to disable caching, attention should be paid if a user removes an item from the cart. A common mistake is to set $_SESSION['foo'] ='' or $_SESSION['foo'] = array() when emptying out a session variable; using anything other than unset($_SESSION['foo']) will leave the session open.

When you’re working on a project, requests may come in to make particular content user specific (per user, geolocated), or to vary things on every page—for example, excluding the article in the main content area from a list of featured articles in the sidebar. Often these requests are unavoidable, but the details of how this extra information is added to or removed from pages can have profound effects on a site’s performance.

Let’s take for example a snippet that shows the latest three articles added to a site. A simplified version of the block on a Drupal 7 site might look like:

<?php
  $nids = db_query_range('
  SELECT nid
  FROM {node}
  WHERE status = 1
  ORDER BY created DESC', 0, 3)->fetchCol();
  $nodes = node_load_multiple($nids);
  return node_view_multiple($nodes, 'block_listing');
?>

However, when you’re on the node/n page for one of the nodes in this block, you might want to exclude it from the list and show the fourth-most-recent node instead:

<?php
  $current_node = menu_get_object();
  $nids = db_query_range('
  SELECT nid
  FROM {node}
  WHERE status = 1
  AND nid <> :nid
  ORDER BY created DESC', 0, 3, array(‘:nid’ => $current_node->nid))->fetchCol();
  $nodes = node_load_multiple($nids);
  return node_view_multiple($nodes, 'block_listing');
?>

Only one condition was added, but this fundamentally changes the performance of this block. With the first version, despite potentially being displayed on tens of thousands of node pages across the site, the query was always exactly the same. This allowed it to be cached in a single cache entry, both by the MySQL query cache and in Drupal’s cache API if desired. With the second version of the query, however, a different version will be run on every node page. A million node pages might mean a million variations on the query, vastly reducing the effectiveness of both the MySQL query cache and Drupal’s own cache layer.

Rather than excluding the current node ID in SQL, we could do it in PHP:

<?php
  $current_node = menu_get_object();
  // This time load four nodes.
  $nids = db_query_range('
  SELECT nid
  FROM {node}
  WHERE status = 1
  ORDER BY created DESC', 0, 4)->fetchCol();

  foreach ($nids as $key => $nid) {
    // If one of the nodes is the current one, remove it.
    if ($nid == $current_node->nid) {
      unset($nids[$key]);
    }
  }
  // Ensure only three nodes are loaded.
  array_splice($nids, 3);
  $nodes = node_load_multiple($nids);
  return node_view_multiple($nodes, 'block_listing');
?>

This allows the same query to be cached across the whole site again, but still the markup will need to be cached per page. A further optimization in terms of cacheability would be to render four nodes every time, then implement the same logic for removing either the current node or the fourth-most-recent node in JavaScript, allowing the block to be safely cached in a reverse proxy via edge-side or client-side includes. At this point, it’s a trade-off between caching the rendered output and the additional JavaScript requirement.

A similar issue exists with per-user markup. Drupal traditionally adds per-user markup to many site elements: for example, “new” or “updated” markers on nodes and comments based on the last time the user visited a node, or quick administration links such as contextual links. Drupal 8 will continue to add user-specific markup in these places, but it does so via JavaScript replacement so that the markup generated for the blocks themselves is the same regardless of the user. For examples of this implementation, see the Comment and History modules in Drupal 8.

While Drupal core complies with E_STRICT by default and has fairly comprehensive test coverage, it is common when reviewing a live site to find PHP notices and warnings logged on every request (in some cases, tens per request). When using Drupal’s default database logging (dblog) module for logging, this means potentially hundreds of additional database writes per second on a high-traffic site. Even if using syslog or another alternative log implementation, PHP error handling is expensive and should be avoided. PHP errors and notices may well be a sign of underlying functional bugs, but even if they’re not, there’s no excuse for writing and deploying code that’s not E_ALL compliant.

Code review as part of the development process should prevent this, but “emergency” fixes can result in debug code being committed to the live code base. This could include things like clearing the entity cache before loading entities, disabling the theme registry or locale caching, excessive logging, and various other operations that are both expensive and unnecessary on a production site.

While not strictly a “coding” matter, a common issue on live websites is leaving one of the many debug features provided by modules and themes enabled, such as rebuilding the theme registry on every request. Settings like this should never, ever be enabled in the user interface, but rather overwritten by settings.local.php in $conf, which can be different for development, staging, and live environments (see Chapter 9). Similarly, development modules should be enabled locally by developers after each database refresh and never enabled on a live environment. While this may be standard practice for some readers, others may recognize the frustration of discovering that a downtime issue was due to a forgotten development setting that was never switched off.