From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
After upgrading from php-4.3.2-14.ent to php-4.3.2-19.ent our intranet pages slowed down to a crawl. The load also increased. Reverting to the previous version fixed the problems.

Version-Release number of selected component (if applicable):
php-4.3.2-19.ent

How reproducible:
Always

Steps to Reproduce:
Upgrade php to php-4.3.2-19.ent

Actual Results:
PHP pages slow down to a crawl. The load also increases.

Expected Results:
Normal performance, with closed security holes

Additional info:
ab -n 5 -c 1 http://our.server.com/ reported
Requests per second: 0.20 [#/sec] (mean)
Time per request: 5058.570 [ms] (mean)
Time per request: 5058.570 [ms] (mean, across all concurrent requests)

After reverting to php-4.3.2-14.ent performance went back to what I would consider more acceptable:
Requests per second: 0.77 [#/sec] (mean)
Time per request: 1295.457 [ms] (mean)
Time per request: 1295.457 [ms] (mean, across all concurrent requests)

I tested the newest version of php both with APC and ZendOptimizer without any improvements. The server is running a content management system called mysource classic (http://www.squiz.net/).
Thanks for the report. There were some performance regressions in the "unserializer" code introduced as a side-effect of the security fixes in the recent PHP update. Patches have been produced upstream which correct the issue. Experimental test packages are now available from the URL below which contain these patches. These packages are unsupported and have not gone through the Red Hat QA process. http://people.redhat.com/jorton/Taroon-php/ Any feedback from testing these packages out is very welcome.
I just tested the packages. Seems like performance is good now! Great!
ab -n 5 -c 1 outputs:
Requests per second: 0.71 [#/sec] (mean)
Time per request: 1403.734 [ms] (mean)
Time per request: 1403.734 [ms] (mean, across all concurrent requests)
I'm reverting to 4.3.2-14.ent since these experimental packages aren't boss-proof. Cheers
The performance regression is rather bad. Using phpGedView-3.00-1 that heavily relies on unserialize(), rendering of index.php deteriorates from a couple of secs to > 2 minutes (this is on a SuSE 9.0 box, both plain as well as with a patch that updates var_unserialize.c to 4.3.10, but that shouldn't matter for the issue involved). http://bugs.php.net/bug.php?id=31332 suggests this issue is fixed in CVS for rev 1.47 and 1.48 of that particular file. However it seems some other files are affected as well.
A more appropriate CVS revision would be 1.18.4.15.
Update of var_unserialize.c to CVS rev. 1.18.4.15 and php_var.h to CVS rev. 1.21.4.5 indeed fixes the issue for me. Note that http://cvs.php.net is a bit sloppy about white space (no space on empty lines for diffs and removed white space at end of line) and these revisions contain some ^#line comments that should be removed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-405.html