Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fixing JavaScript's Broken Random Number Generator (hackaday.com)

Posted by samzenpus on from the the-fix-is-in dept.

szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working version, if you didn't make it that far (perhaps the case with JavaScript devs) you got the bad version of the code whose fix is just now being rolled out.

5 of 136 comments (clear)

  1. Re:Obligatory XKCD by antimatter_16 · · Score: 5, Funny

    Or dilbert. http://dilbert.com/strip/2001-...

  2. Wait, what? by tibit · · Score: 5, Insightful

    What? Does the ECMA spec dictate the exact implementation of the RNG? If not, then it's not JavaScript that's broken, but the implementation(s) in question. Calling it "JavaScript's Broken RNG" is nonsense unless the language spec mandated or mandates a broken RNG.

    --
    A successful API design takes a mixture of software design and pedagogy.
    1. Re:Wait, what? by Anonymous Coward · · Score: 5, Informative

      Blame slashdot. TFA's made it pretty clear it's the V8 engine that had been broken for six years.

    2. Re:Wait, what? by Lunix+Nutcase · · Score: 5, Insightful

      Yeah, seems rather convenient that the part in the Hackaday title and in the article that mentions that this was in Google's V8 engine was left out.

      Plus I couldn't help but laugh at the comment to the commit that put in this shitty PRNG:

      This is great, I had talked to Ivan once about it before. It's good that we avoid system random for a few reasons, including thread safety / lock holding / etc.

      I know nothing of the implementation though, I would have gone with mersenne twister since it is what everyone else uses (python, ruby, etc)

      Sounds like some real quality code reviewing there, bub. *golf clap*

  3. Re:Obviously by Lennie · · Score: 5, Interesting

    He was using node.js (which using V8 Javascript engine)

    And he was using it for some security related function (in this case generating id's of sessions).

    Maybe he should have been using a cryptographically strong pseudo-random generator:
    https://nodejs.org/api/crypto....

    Why did they need to 'fix' V8 Math.random () function which everyone knows is not meant for such things ? It even says so in for example the Mozilla documentation (the organisation that created Javascript in the first place):
    "Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security."
    https://developer.mozilla.org/...

    This makes no sense to me.

    --
    New things are always on the horizon