tags:

views:

110

answers:

1
+2  Q: 

Random number generator returning zeros

I have an ASP.NET application that relies on the Random class to generate a pseudo-random string. It uses the following code (this is part of a larger piece of sample code provided by Google for apps SSO):

    public static class SamlUtility
{
    private static Random random = new Random();

    private static char[] charMapping =  { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p' };

    public static string CreateId()
    {
        byte[] bytes = new byte[20]; // 160 bits

        random.NextBytes(bytes);

        char[] chars = new char[40];

        for (int i = 0; i < bytes.Length; i++)
        {
            int left = (bytes[i] >> 4) & 0x0f;
            int right = bytes[i] & 0x0f;
            chars[i * 2] = charMapping[left];
            chars[i * 2 + 1] = charMapping[right];
        }

        return new string(chars);
    }
}

This normally works very well, but from time to time it starts generating a string of 'a'. From what I can tell from debugging, Random simply stops returning random numbers and instead fills bytes with the same value over and over. I've patched this by using a GUID instead, but I'm curious what happened in the original code. I'm assuming some form of entropy exhaustion, but I can't find any reference in the docs. Also, each time this has happened, performing iisreset restored the correct behavior.

Any suggestions regarding what was going wrong would be much appreciated.

+6  A: 

The Random class is not thread-safe.
If you generate random numbers on the same instance on multiple threads at once, its internal state will be corrupted and it will start returning zeroes.

You need to make the Random instance [ThreadStatic] to ensure that each instance is not shared by multiple threads.
Note that initializers for [ThreadStatic] fields will only run once, so you need to check whether it's null every time you use the field and initialize it if necessary.
It would also be a good idea to include both the thread ID and the current time in the seed to prevent seed collisions.

Note, by the way, that the Random class is not secure; consider using the RNGCryptoServiceProvider class

SLaks  2010-09-20 18:13:15
Or you could protect the single Random instance with a lock.
Jim Mischel  2010-09-20 18:18:33
@Jim: locks should be avoided where possible. (They're slow)
SLaks  2010-09-20 18:20:31
Thanks, SLaks! I am only relying on the random number to provide uniqueness; is my solution to use GUID an acceptable solution or does it make more sense to revert to the use of Random and set it ThreadStatic?
Jacob  2010-09-20 18:25:02
Somehow, I doubt that the time to obtain the lock (my testing shows that it's about 0.05 microseconds to get a lock when the resource isn't already locked) is going to matter much in the context of an ASP.NET web page. The "slow" lock is such a small amount of time compared with the time required to respond to the request, that it's of no consequence. If lock speed is really that important, use a SpinLock. "Locks are slow" is one of those bits of conventional wisdom that needs to be re-evaluated.
Jim Mischel  2010-09-20 18:33:21
@Jacob: Random number is not going to guarantee uniqueness!
Jim Mischel  2010-09-20 18:35:14
@Jim: Indeed. For most uses, locks are only slow *when they are contended*. And if the lock spends most of its time contended then *you have larger problems to solve*, namely that you have probably gated your entire program on access to a single resource.
Eric Lippert  2010-09-20 18:43:24
@Jacob, if uniqueness is a requirement then a GUID isn't just acceptable, it's almost mandatory. That's why GUIDs were invented, to provide guaranteed unique numbers across all computers and all time.
Mark Ransom  2010-09-20 18:45:30
@Jacob: Jim is right: *random numbers are not in the slightest bit unique*. The probability of a collision in random 32 bit numbers rises to over 50% after only 77000 numbers generated. See http://blogs.msdn.com/b/ericlippert/archive/2010/03/22/socks-birthdays-and-hash-collisions.aspx for details. **If you want global uniqueness then use a tool specifically designed for that job: the Globally Unique Identifier, aka GUID, is designed to solve your problem.* Hence its name.
Eric Lippert  2010-09-20 18:47:01
Thanks for the comments regarding random numbers. The period of uniqueness is extremely short, but the point is well taken that GUIDs are the way to go. Thanks for the feedback!
Jacob  2010-09-20 19:05:13

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?