Hash collision generating the UUID4

[letaniaferreira]

It looks like we are using a method to generate the UUID4 via this code - http://www.php.net/manual/en/function.uniqid.php#94959. This has caused UUID hash collision multiple times to the same customer. We need to look into a more standard way to generate the UUID4.

[Mattnmoore]

https://github.com/ramsey/uuid

[bishopb]

The posted code uses mt_rand, which PHP's internal implementation before 7.2 did not generate values with equal probability: it was weighted about 2% more on the ends and at mod 65535 boundaries. What PHP version is the customer using?

That said, it's sufficient for versions 7.0+ to replace calls to mt_rand with random_bytes (or for earlier versions with ParagonIE's shim, which is effectively what Ramsey's UUID library does. While Ramsey's UUID library is defacto standard, it's not necessarily immune from collisions on v4. It may also be slower.

Would recommend using Ramsey UUID first and see if that helps. If it doesn't, or if it's slow, then other approaches could be taken.

[passcod]

Customer (my co) was using 7.2 at the time iirc, now 7.3, in transition to 7.4

[bishopb]

Thanks, @passcod. With that info, we can probably eliminate issues with the Mersenne Twister implementation in the PHP engine. While it's a long shot to say it'll be reproducible, are you able to provide some sample code that demonstrates how you were able to get duplicate UUID? For example, tight loops? High concurrency? Also, what OS?

[passcod]

Just normal use via rollbar error logging. No particular high usage (we hit a few thousand error logs a day at most), it was fairly random. We haven't had occurrences since early this year as we changed to generate the uuids our side (with ramsey's library) instead of relying on rollbar's internals.Servers are Ubuntu 18.04 LTS with a 5.3 kernel (using the "hwe" kernel package), with ondrej's PHP builds, running on a VMware cluster, if that matters any. ---- On Fri, 06 Nov 2020 12:54:41 +1300 notifications@github.com wrote ---- Thanks, @passcod. With that info, we can probably eliminate issues with the Mersenne Twister implementation in the PHP engine. While it's a long shot to say it'll be reproducible, are you able to provide some sample code that demonstrates how you were able to get duplicate UUID? For example, tight loops? High concurrency? Also, what OS? —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.