Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hash collision generating the UUID4 #476

Open
letaniaferreira opened this issue Dec 9, 2019 · 5 comments
Open

Hash collision generating the UUID4 #476

letaniaferreira opened this issue Dec 9, 2019 · 5 comments
Labels
Rank: 3 - Minor Tackle when there are no actionable Critical or Major requests. Status: 2 - Accepted The scope and characteristics of the request are defined and ready to be worked. Type: Enhancement Changes that add to, improve upon, enhance, or extend the existing component.

Comments

@letaniaferreira
Copy link

It looks like we are using a method to generate the UUID4 via this code - http:https://www.php.net/manual/en/function.uniqid.php#94959. This has caused UUID hash collision multiple times to the same customer. We need to look into a more standard way to generate the UUID4.
@Mattnmoore
Copy link

https://github.com/ramsey/uuid

@bishopb
Copy link
Contributor

bishopb commented Nov 5, 2020

The posted code uses mt_rand, which PHP's internal implementation before 7.2 did not generate values with equal probability: it was weighted about 2% more on the ends and at mod 65535 boundaries. What PHP version is the customer using?

That said, it's sufficient for versions 7.0+ to replace calls to mt_rand with random_bytes (or for earlier versions with ParagonIE's shim, which is effectively what Ramsey's UUID library does. While Ramsey's UUID library is defacto standard, it's not necessarily immune from collisions on v4. It may also be slower.

Would recommend using Ramsey UUID first and see if that helps. If it doesn't, or if it's slow, then other approaches could be taken.

@passcod
Copy link

passcod commented Nov 5, 2020

Customer (my co) was using 7.2 at the time iirc, now 7.3, in transition to 7.4

@bishopb
Copy link
Contributor

bishopb commented Nov 5, 2020

Thanks, @passcod. With that info, we can probably eliminate issues with the Mersenne Twister implementation in the PHP engine. While it's a long shot to say it'll be reproducible, are you able to provide some sample code that demonstrates how you were able to get duplicate UUID? For example, tight loops? High concurrency? Also, what OS?

@passcod
Copy link

passcod commented Nov 6, 2020 via email

@bishopb bishopb added Rank: 3 - Minor Tackle when there are no actionable Critical or Major requests. Status: 2 - Accepted The scope and characteristics of the request are defined and ready to be worked. Type: Enhancement Changes that add to, improve upon, enhance, or extend the existing component. labels Dec 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Rank: 3 - Minor Tackle when there are no actionable Critical or Major requests. Status: 2 - Accepted The scope and characteristics of the request are defined and ready to be worked. Type: Enhancement Changes that add to, improve upon, enhance, or extend the existing component.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@passcod @Mattnmoore @bishopb @letaniaferreira