Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fixing JavaScript's Broken Random Number Generator (hackaday.com)

Posted by samzenpus on from the the-fix-is-in dept.

szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working version, if you didn't make it that far (perhaps the case with JavaScript devs) you got the bad version of the code whose fix is just now being rolled out.

18 of 136 comments (clear)

  1. Obligatory XKCD by psergiu · · Score: 4, Informative

    https://xkcd.com/221/

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
    1. Re:Obligatory XKCD by antimatter_16 · · Score: 5, Funny

      Or dilbert. http://dilbert.com/strip/2001-...

  2. Javascript? lol! by Anonymous Coward · · Score: 4, Insightful

    Is there anything about Javascript that isn't shitty and broken? Can we please just take this language behind the barn, shoot it and move on with our lives?

    1. Re:Javascript? lol! by ickleberry · · Score: 4, Insightful

      We could but all the startup hipsters would be so disappointed

    2. Re:Javascript? lol! by dshk · · Score: 4, Insightful

      We are using JavaScript for performance critical code and I can confirm that it is the most buggiest, immature technology by far that I have ever seen in my 30 years old carrier. Every second month there is a new browser version for each browser, each with a different set of new critical bugs. We even find JIT compiler bugs regularly!

      I simply do not understand why they do not take the free, open source, mature, very fast Java virtual machine, and let the browsers run Java bytecode directly, and let software engineers chose any programming language which best suits their task.

    3. Re:Javascript? lol! by dshk · · Score: 4, Insightful

      What is the difference between bytecode and obfuscated or simply just complex JavaScript? Do you verify all or even 1% of JavaScript your browser runs? Bytecode can be disassembled into its source language if it is not obfuscated. But JavaScript can be obfuscated as well. Not to mention automatically generated JavaScript, cross compiled from another language. I do not see a difference. Why do you want to verify either bytecode or JavaScript? Bytecode runners wouldn't have more permissions then the JavaScript just in time compilers already have. We rely on the sandboxing in both cases.

  3. Wait, what? by tibit · · Score: 5, Insightful

    What? Does the ECMA spec dictate the exact implementation of the RNG? If not, then it's not JavaScript that's broken, but the implementation(s) in question. Calling it "JavaScript's Broken RNG" is nonsense unless the language spec mandated or mandates a broken RNG.

    --
    A successful API design takes a mixture of software design and pedagogy.
    1. Re:Wait, what? by Anonymous Coward · · Score: 5, Informative

      Blame slashdot. TFA's made it pretty clear it's the V8 engine that had been broken for six years.

    2. Re:Wait, what? by Lunix+Nutcase · · Score: 5, Insightful

      Yeah, seems rather convenient that the part in the Hackaday title and in the article that mentions that this was in Google's V8 engine was left out.

      Plus I couldn't help but laugh at the comment to the commit that put in this shitty PRNG:

      This is great, I had talked to Ivan once about it before. It's good that we avoid system random for a few reasons, including thread safety / lock holding / etc.

      I know nothing of the implementation though, I would have gone with mersenne twister since it is what everyone else uses (python, ruby, etc)

      Sounds like some real quality code reviewing there, bub. *golf clap*

    3. Re:Wait, what? by Lunix+Nutcase · · Score: 4, Interesting

      Well at least knowing that the guy who wrote this shitty PRNG is a designer of Google's Dart gives you one more reason to avoid it the plague.

  4. V8 == the only JavaScript engine? by BitZtream · · Score: 4, Insightful

    Because JavaScript doesn't specify the RNG implementation details, and V8 is the only engine mentioned ass affected in the article ...

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. Re:It was noticed at least 3 years ago, possibly m by Lunix+Nutcase · · Score: 4, Informative

    The article doesn't claim it's new information. The article is about the fact that Google has finally fixed it and the backstory behind the broken code.

  6. Oh yeah? by U2xhc2hkb3QgU3Vja3M · · Score: 3, Funny

    Well if you don't like RNG you should try WHM, BML or THF.

  7. Re:Obviously by Lennie · · Score: 5, Interesting

    He was using node.js (which using V8 Javascript engine)

    And he was using it for some security related function (in this case generating id's of sessions).

    Maybe he should have been using a cryptographically strong pseudo-random generator:
    https://nodejs.org/api/crypto....

    Why did they need to 'fix' V8 Math.random () function which everyone knows is not meant for such things ? It even says so in for example the Mozilla documentation (the organisation that created Javascript in the first place):
    "Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security."
    https://developer.mozilla.org/...

    This makes no sense to me.

    --
    New things are always on the horizon
  8. Happened, not designed. by QuietLagoon · · Score: 3, Insightful

    JavaScript was not designed by any regular use of that word. JavaScript happened.

  9. Re:More code audits needed? by U2xhc2hkb3QgU3Vja3M · · Score: 3, Funny

    What would be the point of wasting time fixing something that nobody uses?

  10. Random functions... by Kazoo+the+Clown · · Score: 3, Informative

    I've seen some pretty bad "random number" generators in my time. In one case, it was implemented by a pointer that would walk through the processes memory space and use whatever it found as-is. And another where the coder clearly thought that if you multiply something by enough made up crap and take the remainder, you get randomness. An understanding of random numbers in computing is not something the classrooms ever cover as far as I can tell.

  11. Every browser since IE10 has had secure RNG by Scorpinox · · Score: 3, Informative

    See this table for support: http://caniuse.com/#feat=getra...

    It's great that they're finally improving Math.random(), but node.js should've had crypto.getRandomValues() from the start.