2

As i wrote in the title.

If its not safe to use getHashCode() in your application, why use it? (for string and integer) I want to use it to intersect methods and except metods in Linq models or create my own IEqualityCompare class. It feels like a chance - if its not 100% secure?

Or have i missed something?

As quoted in String.GetHashCode Method in https://learn.microsoft.com/

Important

If two string objects are equal, the GetHashCode method returns identical values. However, there is not a unique hash code value for each unique string value. Different strings can return the same hash code.

The hash code itself is not guaranteed to be stable. Hash codes for identical strings can differ across .NET implementations, across .NET versions, and across .NET platforms (such as 32-bit and 64-bit) for a single version of .NET. In some cases, they can even differ by application domain. This implies that two subsequent runs of the same program may return different hash codes.

As a result, hash codes should never be used outside of the application domain in which they were created, they should never be used as key fields in a collection, and they should never be persisted.

Finally, don't use the hash code instead of a value returned by a cryptographic hashing function if you need a cryptographically strong hash. For cryptographic hashes, use a class derived from the System.Security.Cryptography.HashAlgorithm or System.Security.Cryptography.KeyedHashAlgorithm class.

For more information about hash codes, see Object.GetHashCode.

Niklas
  • 1,753
  • 4
  • 16
  • 35
  • The hashes from `GetHashCode` are not secure hashes, but you probably don't need secure hashes for `Except` and `Intersect` anyway. – Sweeper Dec 07 '19 at 12:39
  • I guess the point is "two subsequent runs" where i never observed that two string.GetHashCode calls in the same AppDomain have every returned two different HashCodes. I Recently tried to use GetHashCode to evaluate if my serialized object graph and the deserialized one are the same based on its values GetHashCode they where not the same as i have restarted my application. Only in my unittests they where the same as the process from calling in serialization and deserialization. – Venson Dec 07 '19 at 12:39
  • `GetHashCode` is not meant for security. The only purpose is to generate an index. The documentation you quoted specifically says *not* to use `GetHashCode` for secure hashes, but to use classes from the `System.Security.Cryptography` namespace. – Dennis_E Dec 07 '19 at 12:43
  • 4
    You never use *only* GetHashCode(), you next use Equals() to test for equality. The point is that the hash can significantly cut down on the number of equality tests you have to do. How that can produce a major speedup of code is demonstrated quite well in [this Q+A](https://stackoverflow.com/questions/46142734/why-is-hashsetpoint-so-much-slower-than-hashsetstring). – Hans Passant Dec 07 '19 at 12:43
  • If i remember correctly the underlying GetHashCode implimentation in .net Framework was to take the Pointer value into account and for Primitive values its position in its Table of strings (forgot how the table was called) – Venson Dec 07 '19 at 12:44

2 Answers2

5

I think what makes you confused is that you think that, that hash code maps to an address of a value, but it's not exactly like that.

Imagine it like bookshelves, and Hash Code maps to address of a shelf. If two of them have the same HashCode will be placed in the same Shelf, and having the address of a shelf with 3 books in it, dictionary only checks the three books on the shelf and not all the books. So the more unique hash codes are, the faster the dictionary lookup is.

When you create IEqualityComparer if you can make the GetHashCode() to return unique values, the Dictionary or HashSet using it will perform faster than when there are many duplicates.

Check This example:

public int GetShashCode(string ojb)
{
     return obj.Length;
}

although it makes it much faster than looping through the whole strings, but it is not very unique (although it is valid)

This example is also valid but even a worse choice:

public int GetShashCode(string ojb)
{
     return (int)obj[0];
}

Based on the content of the string that you can guess, you can make much better hashcodes (for example you know that that it is a social security number in this format: "XXX-XX-XXXX" which each X represent a digit) will be a great choice:

public int GetShashCode(string ojb)
{
     return int.Parse(obj.Replace("-",""));
}
Ashkan Mobayen Khiabani
  • 33,575
  • 33
  • 102
  • 171
4

If its not safe to use getHashCode() in your application, why use it?

GetHashCode has a different purpose. If you need an equality test for strings you should probably use String.Equals or == operator, these are guaranteed to work correctly.

Hash code isn't meant to be a way to generate a unique number for each possible string, this is impossible. Here's the definition of hash function:

A hash function is any function that can be used to map data of arbitrary size to fixed-size values.

It just maps a nearly infinite set of strings to a (comparatively) very limited set of integers. You might want to use a hash code if you need to uniformly spread a large number of strings to smaller "buckets". Hash codes are used extensively in hash-based collections, e.g. HashSet.

The documentation for GetHashCode mentions different issues with this method:

  • The method can generate a different result for the same string on different domains/machines/versions of .Net. This means that it's not a good idea to store the hash externally as some sort of unique identifier for later use;
  • The result is not cryptographically strong, so you shouldn't use it if you need an unbreakable password salt.

Surely, it looks scary, but still, GetHashCode is good enough for in-memory collections, such as HashSet or Dictionary.

Also, see this question: Why is it important to override GetHashCode when Equals method is overridden?

default locale
  • 13,035
  • 13
  • 56
  • 62