XorShift128Plus
v8 implementation details
Hi there. There's an implementation detail of v8 that means that this only works for the first 1000 numbers generated or so, then it'll start randomly encountering failures to work.
The reason for this is a bug filed over here https://bugs.chromium.org/p/v8/issues/detail?id=8212 which probably explains it better
The tl;dr is that seeds in v8 are taken in a roundtrip through doubles (basically a reinterpret_cast), and every double is checked if it's nan and the payload removed if it is nan (nan packing). This means that when the seeds are stored in the array at the end of each 62 long cycle, for this code to work correctly you actually need to check if any of them are nan, and if they are, remove the payload (or set it to the default nan).
It does lead to a much shorter method to crack the rng though, which is while(Math.random() != 0.15567932943235995857);
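The NaN round trip described in the comment above, as an added example that is not part of the original thread and not V8 source. It assumes the shift constants 23, 17 and 26 for xorshift128+ and `0x7ff8000000000000` as the default NaN; all function names are hypothetical, and the cycle length is passed in by the caller.

```javascript
// Added illustration: models the behaviour described in the thread, not V8 code.
const MASK64 = (1n << 64n) - 1n;
const CANONICAL_NAN = 0x7ff8000000000000n; // assumption: default quiet NaN bit pattern

// Reinterpret a 64-bit integer as an IEEE-754 double (the "reinterpret_cast").
function bitsToDouble(bits) {
  const view = new DataView(new ArrayBuffer(8));
  view.setBigUint64(0, bits & MASK64);
  return view.getFloat64(0);
}

// True when the word, read as a double, is a NaN
// (exponent bits all ones and a non-zero mantissa).
function isNaNBits(bits) {
  return Number.isNaN(bitsToDouble(bits));
}

// What a state word becomes after the round trip: every NaN payload collapses
// to one value, so the original 64 bits are lost.
function roundTrip(bits) {
  return isNaNBits(bits) ? CANONICAL_NAN : bits & MASK64;
}

// One xorshift128+ state update (assumed shift constants 23, 17, 26).
function xorshift128(state0, state1) {
  let s1 = state0;
  const s0 = state1;
  s1 ^= (s1 << 23n) & MASK64;
  s1 ^= s1 >> 17n;
  s1 ^= s0;
  s1 ^= s0 >> 26n;
  return [s0, s1];
}

// Run plain xorshift128+ beside a model that applies the round trip every
// `cycle` steps; return the first step where the two states differ, or -1.
function firstDivergence(seed0, seed1, cycle, maxSteps) {
  let plain = [seed0, seed1];
  let packed = [seed0, seed1];
  for (let i = 1; i <= maxSteps; i++) {
    plain = xorshift128(...plain);
    packed = xorshift128(...packed);
    if (i % cycle === 0) packed = packed.map(roundTrip);
    if (plain[0] !== packed[0] || plain[1] !== packed[1]) return i;
  }
  return -1;
}
```

About 1 in 2048 of all 64-bit patterns are NaNs under this test, so a predictor that skips `roundTrip` stays correct only until one of the stored state words happens to be one of them.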
Is this method still working on Chrome for you?
@20k That is interesting. I remember one of the implementations did a pre-generation of values to a buffer then went backward through it. For this we only needed to collect a handful of values from Math.random() so I didn't run into any issues.
@Izmoqwy I have not used it in a long time. It may need some tweaking.
Indeed, the implementation still does exactly that (v8), it just also contains that bug which flushes any uint64 which is a nan when interpreted as double to the same nan.
It's generally not an issue unless you need to predict Math.random() values very far into the future (> 1000 or if an inevitable failure is acceptable), although it does expose some interesting statistical flaws in Math.random(). Thought I'd mention it because it took me a lot of digging to realise why this method didn't quite work as reliably as I expected.
@Izmoqwy This should be working on Chrome now.
@Izmoqwy This should be working on Chrome now.
It doesn't
It doesn't work on Chrome, just as @Izmoqwy says.
It wasn't even able to restore the numbers that it takes as input (see attachment).
Chrome updated their implementation after I reported the nan issue; it no longer uses xorshift128+ but a variant instead.