php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #66728 gmp_random is obsolete, switch to gmp_urandomm
Submitted: 2014-02-17 20:52 UTC Modified: 2016-03-27 11:36 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: asphp at dsgml dot com Assigned: nikic (profile)
Status: Closed Package: GNU MP related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: asphp at dsgml dot com
New email:
PHP Version: OS:

 

 [2014-02-17 20:52 UTC] asphp at dsgml dot com
Description:
------------
According to the docs mpz_random (i.e. gmp_random) is obsolete. It's also pretty useless since it returns digits in an undefined range.

Instead switch to mpz_urandomm which lets you specify the max directly.

PHP could either expose it as is and let people subtract to get the min, or PHP could make it easier and let people specify a min and max.

PHP could require that people manually initialize the random state, or just go ahead and do it for them with gmp_randinit_mt.

Also once this is a done a PHP warning should be emitted for use of gmp_random.

See: https://gmplib.org/manual/Integer-Random-Numbers.html


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-24 20:51 UTC] rainer dot jung at kippdata dot de
IMHO this issue can be closed: starting with PHP 5.6 there is gmp_random_range() which uses mpz_urandomm() and the old gmp_random() uses mpz_urandomb(). Both should be fine.
 [2016-03-26 11:23 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2016-03-26 11:23 UTC] nikic@php.net
Closing per previous comment.
 [2016-03-27 03:40 UTC] asphp at dsgml dot com
I'm not sure this should be closed.

The gmp_random function is very confusing and basically useless.

The documentation says:

The number will be between zero and the number of bits per limb multiplied by limiter.

But the code actually uses mpz_urandomb which states:

 0 to 2^n-1, inclusive.

And the code does:

limiter * GMP_LIMB_BITS

So you end up with:

2^(limiter * GMP_LIMB_BITS) which is enormous and worse doesn't match the documentation.

The code for the function should stop multiplying by GMP_LIMB_BITS and the documentation should be updated to say it's simply 2^n.
 [2016-03-27 03:44 UTC] asphp at dsgml dot com
It seems to me that actually gmp_random should be removed.

gmp_random_bits() does the 2^n, and gmp_random_range() does a regular range.

gmp_random does nothing of any value at all.

See also bug: #62375 - gmp_random does actually use that constant.
 [2016-03-27 11:36 UTC] nikic@php.net
To clarify, I closed this issue because PHP 5.6 introduced gmp_random_bits() and gmp_random_range(), which supersede the gmp_random() function.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 30 21:01:23 2021 UTC