rollbar-php

Hash collision generating the UUID4

Open letaniaferreira opened this issue 6 years ago • 5 comments

It looks like we are using a method to generate the UUID4 via this code - http://www.php.net/manual/en/function.uniqid.php#94959. This has caused UUID hash collisions multiple times for the same customer. We need to look into a more standard way to generate the UUID4.

letaniaferreira avatar Dec 09 '19 22:12 letaniaferreira

https://github.com/ramsey/uuid

Mattnmoore avatar Dec 10 '19 22:12 Mattnmoore

The posted code uses mt_rand, whose internal implementation in PHP before 7.2 did not generate values with equal probability: it was weighted about 2% more on the ends and at mod 65535 boundaries. What PHP version is the customer using?

That said, it's sufficient for versions 7.0+ to replace calls to mt_rand with random_bytes (or for earlier versions with ParagonIE's shim, which is effectively what Ramsey's UUID library does). While Ramsey's UUID library is the de facto standard, it's not necessarily immune from collisions on v4. It may also be slower.

Would recommend using Ramsey UUID first and seeing if that helps. If it doesn't, or if it's slow, then other approaches could be taken.

bishopb avatar Nov 05 '20 21:11 bishopb
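The replacement suggested in the comment above, as an added example that is not part of the thread and not Rollbar's or Ramsey's code: a UUIDv4 built on random_bytes, beside a constructed mt_rand-based generator standing in for the approach the issue describes. The function names and the seed value are assumptions; the seeded run only illustrates that mt_rand output is fully determined by its seed, not what happened on the customer's servers.

```php
<?php
// Constructed stand-in for an mt_rand-based generator: every bit comes from
// the Mersenne Twister, so the result is fully determined by the seed.
function uuid4_mt_rand(): string
{
    return sprintf(
        '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff),
        mt_rand(0, 0x0fff) | 0x4000,   // version 4
        mt_rand(0, 0x3fff) | 0x8000,   // RFC 4122 variant
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
    );
}

// Same layout, but the 122 random bits come from the OS CSPRNG (PHP 7.0+).
function uuid4_csprng(): string
{
    $bytes = random_bytes(16);
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40); // version 4
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($bytes), 4));
}

// Checks the version nibble and variant bits as well as the overall shape.
function is_uuid4(string $uuid): bool
{
    $re = '/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/';
    return preg_match($re, $uuid) === 1;
}

// Two runs that start from the same seed (constructed value).
mt_srand(20191209);
$first = uuid4_mt_rand();
mt_srand(20191209);
$second = uuid4_mt_rand();
printf("mt_rand, same seed: %s\n", $first === $second ? 'collision' : 'distinct');

// The CSPRNG version has no userland seed that can repeat.
$seen = [];
for ($i = 0; $i < 100000; $i++) {
    $seen[uuid4_csprng()] = true;
}
printf("random_bytes: %d unique of 100000, format ok: %s\n",
    count($seen), is_uuid4(uuid4_csprng()) ? 'yes' : 'no');
```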

Customer (my co) was using 7.2 at the time iirc, now 7.3, in transition to 7.4

passcod avatar Nov 05 '20 23:11 passcod

Thanks, @passcod. With that info, we can probably eliminate issues with the Mersenne Twister implementation in the PHP engine. While it's a long shot to say it'll be reproducible, are you able to provide some sample code that demonstrates how you were able to get a duplicate UUID? For example, tight loops? High concurrency? Also, what OS?

bishopb avatar Nov 05 '20 23:11 bishopb

Just normal use via rollbar error logging. No particular high usage (we hit a few thousand error logs a day at most), it was fairly random. We haven't had occurrences since early this year as we changed to generate the uuids our side (with ramsey's library) instead of relying on rollbar's internals.

Servers are Ubuntu 18.04 LTS with a 5.3 kernel (using the "hwe" kernel package), with ondrej's PHP builds, running on a VMware cluster, if that matters any.


passcod avatar Nov 06 '20 00:11 passcod