Better would be ssize_t.

The declaration should also be moved into the while loop, otherwise this will likely generate a warning on BSD systems with arc4random.

Probably that should be RETURN_FALSE as well? Same in random_int.

Nice catch! I'll fix.

@SammyK Since both parameters are required, we don't need these defaults any more.

since you already have LONG_MIN and LONG_MAX, so if only minimum value min is given. then simply assume it means min to LONG_MAX?

@laruence: I thought about the same thing but then I realize that reading:
random_int(10);
might be understood as 10 being the max.

hmm, that could be a doc issue.. but it's not a big deal :)

Oops - this is a dingleberry left over from when min and max were optional args. They are both required in the current spec that's being voted on. I'll remove this check. :)

I would change >= to be >.
Reason: If I need a number between a and b, I expect that it could possibly return either a or b, if the range is inclusive (note that it isn't clear in the RFC).
In the case a == b, I would expect that this method returns a or b.
If that isn't particularly useful with fixed value being passed to the function, it is in the case of variables.

Well, if min == max, then there's nothing random about the answer (it's min). Hence there's no reason for the function to return a valid value (in fact, returning a value could mask bugs where you thought it was random but it wasn't).

maybe something like: 1st arg must be less than 2nd arg is more obvious for user?

We need to make sure the min & max values weren't the same.

You're already checking this on line 126.

Oh snap. Not. Enough. Coffee! Oh wait, I'm drinking decaf for some reason today. :/

What is the principal difference of this move from casting some garbage into integer? Could someone point to a theory behind this?

What do you mean? How else would you do it?

Yeah, that was actually my question :) Maybe I'm too fixed on LCG, so just making a stab on finding some system. In a LCG one would have a seed and a kind of formula. Here, we read some sequence of bits which are then inclined to be an integer.

Probably right, at the end those bits are glued together. At the end, the integer is in the exact range of how much bits was requested. But just wondering, no further shuffling, endianness difference, etc., just taking them as is? Are there some tests on the quality of the outcome? That's basically what I was asking.

@weltling There is no need. If the input to the algorithm is a sequence of independent, uniformly-distributed random bytes then the its output is guaranteed to be independent, uniformly-distributed over the requested range and have the same "kind" of randomness as the input. In this case, since we are using trusted sources of crypto-secure pseudo-random bytes, the output is a crypto-secure pseudo-random integer.

Try thinking of it this way. Say you need random numbers in the range 0 to 13 and all you have as a source of randomness is a friend with a 20-sided die. The only way (that I know) to get the numbers you need without bias or skewing the distribution is to ask your friend to keep rolling the die until it gives a number in the desired range.

Now, say you need numbers in the range 0 to 8. You can map two disjoint subsets of the die's 0 to 19 range to the desired range and this improves the algorithm's efficiency.

I believe this is exactly analogous to how this algorithm is supposed to work. (I am making no comment about the correctness of the implementation.)

It's an old algorithm we can trust.

@weltling There's no need for any extra work. If an integer occupies 64 bits of memory, and we use a random source to set every one of those bits, the result is a random integer with the same quality as the random source.

Endianness does not matter since every byte is independently random. If the bytes are ordered AB they are equally random to being ordered BA.

There are tools that can test the quality of the random output, but you'll literally be testing the underlying source. We're putting our faith in the Linux/Windows/BSD APIs here. If it turns out that these sources are in fact low quality, then civilisation itself will collapse :)

@tom--

I believe this is exactly analogous to how this algorithm is supposed to work.

Indeed. Find the ceiling under RAND_MAX where upper_bound % ceiling == 0, and discard all values greater than that ceiling.

@lt the world is concurrent enough to not to break because of whichever virtual RNG :) But ok, so the presumption of innocence is applied to the OS randomness sources.

@tom-- yeah, maybe also an improvement could be to ask the friend to throw more than one die at once. Possibly it could reduce the whole circles count. However not sure how reliable it would be with this method (i mean how many uniform random data one can get at once), for LCG i can say it could be done with something like AVX/SSE vectorization capabilities. Here it's probably only to be spotted empirically.

Thanks for the answers, guys.

I'm pretty sure this is dead code - an ULONG_MAX is always higher than LONG_MAX, and therefore even if you have umax = ZEND_LONG_MAX - 0, it can never be as high ...

Also, for some reason random_int(0, PHP_INT_MAX) results in umax = -1 ...

@narfbg I don't think it's dead code. If you take the absolute minimum value, (unsigned) umax = (signed) PHP_INT_MAX - (signed) PHP_INT_MIN (full negative). Which should be the same as ZEND_ULONG_MAX.

Not sure how umax is equal to -1 under those conditions either. It's unsigned...

use braces make it more readable

So the random_int() function:

• has a non-deterministic execution time (actually, it's quite random)
• that doesn't have any limit
• so the function isn't guaranteed to return at all, ever.

Naturally I understand that the likelihood of these characteristics causing problems in PHP applications is small but I think reviewers should be aware of it.

Let bw = sizeof(zend_ulong) * 8. ZEND_ULONG_MAX % umax will take its largest value for umax = 2 ** (bw - 1), in which case limit = 2 ** (bw - 1) - 1. This means that all results with top bit 1 will be discarded here. For every result the probability for a set top bit is 1/2. As such the worst case probability that this loop has not stopped after generating n random numbers is 1 / 2**n.

@nikic That looks correct.

Why can't we just use the RAND_RANGE macro (or something similar) for this? It seems to me that fighting against the modulo problem is a wasted effort.

@datibbaw Because RAND_RANGE is highly biased. It's not an option for crypto-quality randomness. I'm not aware of algorithms for this that don't use a form of rejection sampling.

It seems to me that fighting against the modulo problem is a wasted effort.

Get out! :)

In rand() or mt_rand() I completely agree, it would be wasted effort. In a function that is advertised as crypto-quality it's important.

Well, that's fair enough; I shall read more into this, thanks :)