On Tue, Feb 23, 2016 at 7:46 AM, Pierre Joye <pierre....@gmail.com> wrote:
> hi,
>
> On Tue, Feb 23, 2016 at 5:41 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> Hi all,
>>
>> On Tue, Feb 23, 2016 at 6:30 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>>
>>> We have issue on pseudo random generators generates only odd/even
>>> numbers.
>>>
>>> https://bugs.php.net/bug.php?id=63174
>>> https://news.ycombinator.com/item?id=9941364
>>>
>>> We should raise E_WARNING/E_NOTICE if user supplies random number
>>> range that generated random number cannot be random at least.
>>> Patch for rand/mt_rand.
>>> https://gist.github.com/yohgaki/1519f65dffd66735bafe
>>>
>>> It seems we need more reliable (fool proof) pseudo random generator.
>>> Anyone working on this?
>>>
>>> We may extend rand()/mt_rand() so that they work with larger range by
>>> calling random generators multiple times. If this is implemented, the
>>> patch raises errors is not required. mt_rand() extension breaks
>>> compatibility
>>> with other MT rand implementations, but we already broke it. Therefore, it
>>> should not matter. (This was the reason why mt_rand() wasn't made to support
>>> 64bit int, IIRC)
>>>
>>> IMO, we should provide better pseudo random generators than now.
>>>
>>> Any comments?
>>
>> This is edge case that produces odd/even numbers only.
>> https://3v4l.org/kYpAF
>> This is the worst case. Current implementation uses 32bit int for
>> generating random numbers and any number exceeds the range could be
>> biased because the result is computed by RAND_RANGE() which uses
>> double for arithmetic. PHP allows huge min/max without any
>> warning/error under 64bit OS.
>>
>> Limiting range can prevent this and we can be sure rand()/mt_rand()
>> produce the same random numbers on both 32/64 bit platform. (If rand()
>> uses the same algorithm, of course)
>> https://gist.github.com/yohgaki/1519f65dffd66735bafe
>> Valid range is limited to 2^31 according to current implementation.
>>
>> Actual range could be determined by PHP_RAND_MAX/PHP_MT_RAND_MAX, but
>> I heard Windows' PHP_RAND_MAX is only 2^15. Is this correct? I don't
>> prefer to have strict range error for these systems. I'll write patch
>> that does not raise warning for smaller PHP_RAND_MAX. It's unreliable
>> pseudo random generator anyway. It should not matter much.
>>
>>
>> Any comments for adding out of range warnings to rand()/mt_rand()? If
>> nobody has comment on this, I'll write RFC for additional warnings.
>> Anyone prefer to extend rand()/mt_rand() for 64bit OSes?
>
> Thing is the MT algorithm may not be designed to do that, at all but was
> designed for 32-bit integers. I won't be in favor of changing (again)
> the implementation without any safety about the results (safety means
> compliance or be even more different from the MT algorithms).
>
> Adding warning when the given ranges are out of bounds sounds good, and
> reduce them within the maximum range.
>
> I joined the other person proposing not to change anything else in our
> MT implementation as there is little to no benefit.
>
> If we need pure implementation of one pseudo RNG or another, we can
> provide new implementations. But changing again this one may bring
> more troubles than what we are trying to solve.
>
>
> Cheers,
> --
> Pierre
>
> @pierrejoye | http://www.libgd.org
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

If we're going to consider new non-cryptographic random number generators,
PCG is worth considering. ;)

http://www.pcg-random.org/

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
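
The odd/even collapse discussed in this thread, as an added example that is not code from the thread, the linked gist, or PHP's source: it stretches a 31-bit generator output over a 64-bit range with double arithmetic and counts how often the result is odd, next to a range check of the kind proposed. Assumptions: `scale_range` is modeled on the thread's description of RAND_RANGE(), and `next31`, `range_too_wide` and `count_odd` are hypothetical names, with xorshift32 standing in for the real generator.

```c
#include <stdint.h>
#include <stdio.h>

#define GEN_MAX 0x7FFFFFFFLL /* one generator output: 31 bits (the 2^31 limit from the thread) */

/* Stand-in 31-bit source (xorshift32, NOT Mersenne Twister); only the output width matters. */
static uint32_t state = 2463534242u;
static int64_t next31(void) {
    state ^= state << 13;
    state ^= state >> 17;
    state ^= state << 5;
    return (int64_t)(state >> 1);
}

/* Assumed scaling step: map n in [0, tmax] onto [min, max] using double arithmetic. */
static int64_t scale_range(int64_t n, int64_t min, int64_t max, int64_t tmax) {
    double span = (double)max - (double)min + 1.0;
    return min + (int64_t)(span * ((double)n / ((double)tmax + 1.0)));
}

/* Range check of the kind proposed: is the span wider than one output? (needs min <= max) */
static int range_too_wide(int64_t min, int64_t max, int64_t tmax) {
    return (uint64_t)max - (uint64_t)min > (uint64_t)tmax;
}

/* Count odd results over `samples` draws; 0 or `samples` means the low bit is constant. */
static int count_odd(int64_t min, int64_t max, int samples) {
    int odd = 0;
    for (int i = 0; i < samples; i++)
        odd += (int)(scale_range(next31(), min, max, GEN_MAX) & 1);
    return odd;
}

int main(void) {
    const int n = 10000;
    printf("[0, INT64_MAX] odd=%d/%d too_wide=%d\n",
           count_odd(0, INT64_MAX, n), n, range_too_wide(0, INT64_MAX, GEN_MAX));
    printf("[1, INT64_MAX] odd=%d/%d too_wide=%d\n",
           count_odd(1, INT64_MAX, n), n, range_too_wide(1, INT64_MAX, GEN_MAX));
    printf("[0, 9]         odd=%d/%d too_wide=%d\n",
           count_odd(0, 9, n), n, range_too_wide(0, 9, GEN_MAX));
    return 0;
}
```

With a 64-bit span the scaling reduces to multiplying the 31-bit output by 2^32, so the low 32 bits of every result are fixed by `min` alone.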