Description
Source: wp.org support thread
Validation Result: Confirmed Bug
Verdict: VALID_BUG | Confidence: HIGH | Severity: Critical
Summary
The v5.4 visit_id generation mechanism queries information_schema.TABLES on every pageview and includes an unbounded collision-detection loop, causing database saturation under moderate-to-high traffic.
Root Cause
Fault Location: src/Tracker/Session.php:101-122, src/Tracker/Processor.php:532-553, src/Tracker/Tracker.php:102-124
Mechanism: AUTO_INCREMENT lookup via information_schema.TABLES (slow metadata query) + unbounded do...while loop for collision detection generates O(n) DB queries per request.
Causal Chain:
- Visitor pageview → `Tracker::slimtrack()` (priority 5, blocks rendering) → `Session::ensureVisitId()` → queries `information_schema.TABLES` (metadata lock) → checks for ID collision → loops incrementing + querying until free ID found → under concurrent traffic: many requests loop simultaneously → DB connection exhaustion → 503
5 Whys:
- 503 errors → DB connection pool exhausted
- Pool exhausted → each request holds connection during sequential queries
- Sequential queries → visit_id collision loop fires multiple queries per request
- Loop fires often → `AUTO_INCREMENT` returns stale values under concurrent inserts (ROOT CAUSE)
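As an added illustration (not the plugin's code and not part of the original report), a small Python model of the query amplification the root-cause section describes: every request pays one metadata query and then one collision-check query per loop iteration, and concurrent requests that read the same stale `AUTO_INCREMENT` value collide with each other. `FakeDb`, `simulate_burst` and the "all read before any insert" interleaving are constructed here; the DB-assigned-id path is included only as a contrast.

```python
from dataclasses import dataclass, field


@dataclass
class FakeDb:
    """In-memory stand-in for slim_stats: the used visit_ids plus a query counter."""
    used_ids: set = field(default_factory=set)
    queries: int = 0

    def read_auto_increment(self) -> int:
        """Models the metadata query: SELECT AUTO_INCREMENT FROM information_schema.TABLES."""
        self.queries += 1
        return max(self.used_ids, default=0) + 1

    def id_exists(self, visit_id: int) -> bool:
        """Models the collision check: SELECT 1 FROM slim_stats WHERE visit_id = %d."""
        self.queries += 1
        return visit_id in self.used_ids

    def insert_returning_id(self) -> int:
        """Contrast path (constructed): one INSERT and the DB assigns the id."""
        self.queries += 1
        visit_id = max(self.used_ids, default=0) + 1
        self.used_ids.add(visit_id)
        return visit_id


def collision_loop_request(db: FakeDb, stale_auto_increment: int) -> int:
    """One request on the problematic path: loop until a free id is found (unbounded)."""
    candidate = stale_auto_increment
    while True:
        if not db.id_exists(candidate):  # the do...while body always runs at least once
            db.used_ids.add(candidate)
            return candidate
        candidate += 1


def simulate_burst(n_requests: int, use_collision_loop: bool = True) -> int:
    """Total DB queries for n concurrent pageviews. Assumed interleaving (constructed):
    all requests read AUTO_INCREMENT before any inserts, so request k collides with
    the k ids already claimed; returns n + n(n+1)/2 on the loop path, n otherwise."""
    db = FakeDb()
    if not use_collision_loop:
        for _ in range(n_requests):
            db.insert_returning_id()
        return db.queries
    stale_values = [db.read_auto_increment() for _ in range(n_requests)]
    for value in stale_values:
        collision_loop_request(db, value)
    return db.queries
```

With the 20 concurrent pageviews from the reproduction steps, the loop path issues 230 visit_id-related queries where the DB-assigned path issues 20; the model counts only the visit_id queries, not the rest of the tracking insert.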
Reproduction Steps
Preconditions: WP Slimstat 5.4+, server-side tracking (default), 10k+ rows in slim_stats
- Activate WP Slimstat with default settings
- Generate 20+ concurrent pageviews (load test or real traffic)
- Observe degraded response times and eventual 503 errors
- Confirm via `SHOW PROCESSLIST`: multiple `information_schema` and `slim_stats` queries queued
Expected: Tracking doesn't impact page load
Actual: 3-5+ DB queries per pageview minimum; unbounded loop under collisions
Code References
| File | Lines | Description |
|---|---|---|
| src/Tracker/Session.php | 101-122 | information_schema query + unbounded collision loop |
| src/Tracker/Processor.php | 532-553 | Identical pattern in consent upgrade path |
| src/Tracker/Tracker.php | 102-124 | Identical pattern in legacy tracker |
| src/Tracker/Ajax.php | 208-254 | FOR UPDATE transaction locking |
| wp-slimstat.php | 227 | Synchronous tracking at wp priority 5 |
Security Note
If implementing a fix based on this analysis:
- Verify the fix doesn't introduce new vulnerabilities
- Run security linting (SAST) on changed code
- Check for OWASP Top 10 in any new code paths
Validated via qa-issue-validate skill (jaan.to plugin)