Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:91307
Return-Path: <nikita.ppv@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 32333 invoked from network); 19 Feb 2016 00:18:38 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 19 Feb 2016 00:18:38 -0000
Authentication-Results: pb1.pair.com header.from=nikita.ppv@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=nikita.ppv@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.161.173 as permitted sender)
X-PHP-List-Original-Sender: nikita.ppv@gmail.com
X-Host-Fingerprint: 209.85.161.173 mail-yw0-f173.google.com  
Received: from [209.85.161.173] ([209.85.161.173:35368] helo=mail-yw0-f173.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D2/38-27267-D5F56C65 for <internals@lists.php.net>; Thu, 18 Feb 2016 19:18:37 -0500
Received: by mail-yw0-f173.google.com with SMTP id g127so55262525ywf.2
        for <internals@lists.php.net>; Thu, 18 Feb 2016 16:18:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Yu+b0NUWZC0Jn4NaF3AEWzx+RpYCy9WbQ0KGCO8xUP8=;
        b=cGFRhgqORPF4VmgON6kjq/AxA3gBh18aOIOWpJA5SCsdNlopUANh5tMJrfsD9qGSIn
         yPyD9RUBxvqEukOx4fVbav5hjaPeUzVKf3JLJT4pedt+eQJzeGz5tf6gkuZT0KdlnmBp
         HWkp3VhyyQWFhS19mU+htrSMSNOsRJN9Uhv2EwxNBNY31HaP00TDkXvtgyzuFwyG+KLQ
         h4X+rQJ5K/52L/dTKzvsUqvmJNbfzaaGBDQcCxFrEC9HrlvcdEhuVDo6dm8MedA4Zvor
         vg3NC58bK0y7kZ0Jm8QzO1W6dZQeD7knHu3+LnvRBbs46UKRaacUXSFZhwSQElu9FT/h
         uA/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=Yu+b0NUWZC0Jn4NaF3AEWzx+RpYCy9WbQ0KGCO8xUP8=;
        b=gK2/zljVX4vpFGylgOIRfCthg20cvaPli371bhRvvgsfAntgOvtMc5ui7j2j5lhBaV
         CzHFO+hiXjVWh1YSX2l7EShXdMrJrTGyd31XbbX96MJoCwoSn7EjKLOcKQkCeSBUCXEL
         MZhYj0yYu7EEj++6CqHwpfBtXVYyl0KprqQO4lNNPk1Y29g/IY9ZOIESUGAy5m6Np+dr
         JPvsQ0R7MNVUZVKxAZOKtK0N6O1fvbCfzbAzq+/Rc2t6aBxvj3s0OuVMoFnOD/OJIVEN
         YCEJNSvTohSIY8UO4iZrYFNlEraDcJSDts6QErHe1XQB6/l51jxbyL7xio8sngo7GKRe
         CqdA==
X-Gm-Message-State: AG10YOTt/maTCAG/0x/da2PuccElVK7rYTPC2tdG2krISLExgyDtGkRBNuLBDX6br6oIUWJeTzXjWJPlRRhqOw==
MIME-Version: 1.0
X-Received: by 10.129.50.15 with SMTP id y15mr5988354ywy.305.1455841114879;
 Thu, 18 Feb 2016 16:18:34 -0800 (PST)
Received: by 10.129.148.70 with HTTP; Thu, 18 Feb 2016 16:18:34 -0800 (PST)
In-Reply-To: <97CC6432-564B-4E28-B2DE-9C496FF1984D@zend.com>
References: <CAF+90c_1zO91x-4Madqm3F8gkKDT7jZKVZSbBuYMbnDCADrv_A@mail.gmail.com>
	<56C63A8A.3030809@gmail.com>
	<97CC6432-564B-4E28-B2DE-9C496FF1984D@zend.com>
Date: Fri, 19 Feb 2016 01:18:34 +0100
Message-ID: <CAF+90c9vAC3DceGNgio57UFgABNwc8B2s+qxiPuOVQ2oMpuuxQ@mail.gmail.com>
To: Zeev Suraski <zeev@zend.com>
Cc: Stanislav Malyshev <smalyshev@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11408dae808112052c146ce4
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 7.1
From: nikita.ppv@gmail.com (Nikita Popov)

--001a11408dae808112052c146ce4
Content-Type: text/plain; charset=UTF-8

On Thu, Feb 18, 2016 at 11:45 PM, Zeev Suraski <zeev@zend.com> wrote:

> > With rand functions, I don't think we need to touch them. For some
> > applications, low-key randomness is just fine - if you need to shuffle
> > array of 20 elements or randomize unit test to ensure you're not testing
> > same value all the time, low-quality randomness is completely fine. For
> > other applications, there are superior solutions and everybody who needs
> > them already uses them, but again I see no value in removing those
> > functions. It would only cause more breakage and make adoption of new
> > versions (already horrible) even slower.
>
> I think the obvious option here is to make rand() and srand() aliases to
> rand_mt() and srand_mt(), unless I'm missing something very basic, unless
> I'm missing something very basic here..?  I see zero reason to deprecate
> them and break so much code when we can simply 'upgrade' them at zero cost
> to both us and users.
>

The usual argument against aliasing rand() to mt_rand() is that it will
change the sequence that is generated for a specific srand() seed, thus
breaking code that relies on specific sequences. However, as removing the
functions in the future would break the code anyway, I think I agree with
you that just aliasing them is a better option.

We may need to discuss our non-cryptographic PRNG functionality anyway,
there's quite a number of issues:

 * rand(), the first function anyone will try, uses a potentially horrible
libc RNG
 * It was recently noticed that the mt_rand() implementation contains a
typo and our output differs from the original well-researched algorithm. As
yet it is unclear what that typo does to the quality of the output.
 * mt_getrandmax() is 2^31-1 even on 64-bit machines and numbers are scaled
using floating point multiplication. That means if you tell mt_rand() to
generate a 64-bit random numbers by specifying the range, only a tiny
fraction of numbers can actually be hit. I also strongly suspect that the
floating point scaling is inherently non-uniform even for smaller ranges.
 * Functions like array_rand() or shuffle() use rand() and not mt_rand(),
so if you're on Windows and your array is larger than some 30k elements the
output will likely be severely biased.
 * The array_rand() implementation is O(N) even if you only choose a single
key (likely by far the most common case). If you use array_rand() on a 1M
element array, we'll generate 0.5M random numbers on average.

Even though changing our PRNG implementations will break seed sequences, I
think the time has come to clean up this mess for 7.1. (We might also want
to consider to alias rand and mt_rand to an entirely new algorithm, not
MT19937. Nowadays PRNGs are available that have both better statistical
properties and are faster than MT.)

On a different note, I don't think that philosophical discussions on the
topic of how much we ought to be deprecating will be very productive --
this is one of those topics people tend to be very stubborn about ;) Some
people value stability above everything else, and for others the number one
evil in PHP is our reluctance to get rid of old ---crap--- cruft. It would
be nice if we could let voting decide that question, and keep this thread
focused on specific issues and suggestion. I.e. on one hand suggestions for
things that we may want to deprecate, together with reasoning for why we
should do it. And on the other hand alternatives to deprecation (your
suggestion for rand), reasons why something shouldn't be deprecated (e.g.
functionality not otherwise available, see hebrev; or migration would be
problematic because XYZ; or project ABC uses this heavily because ...)

Thanks,
Nikita

--001a11408dae808112052c146ce4--