[Mac] Enable CrZombie for all processes.

For the browser process, this will be overridden by
-[BrowserCrApplication init] (which raises it).

BUG=94551
TEST=Developers don't complain about zombie objects in other processes.

Review URL: http://codereview.chromium.org/7826016

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@99754 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 600 insertions, 24 deletions

diff --git a/chrome/app/chrome_main.cc b/chrome/app/chrome_main.cc
index 06437b4..8b8e797 100644
--- a/chrome/app/chrome_main.cc
+++ b/chrome/app/chrome_main.cc
@@ -57,6 +57,7 @@
 #include "chrome/browser/mac/relauncher.h"
 #include "chrome/common/chrome_paths_internal.h"
 #include "chrome/common/mac/cfbundle_blocker.h"
+#include "chrome/common/mac/objc_zombie.h"
 #include "grit/chromium_strings.h"
 #include "third_party/WebKit/Source/WebKit/mac/WebCoreSupport/WebSystemInterface.h"
 #include "ui/base/l10n/l10n_util_mac.h"
@@ -361,6 +362,8 @@ class ChromeMainDelegate : public content::ContentMainDelegate {
 #endif
 
 #if defined(OS_MACOSX)
+    // TODO(shess): Enable zombies for everyone.  http://crbug.com/94551
+    DCHECK(ObjcEvilDoers::ZombieEnable(true, 1000));
     chrome_main::SetUpBundleOverrides();
     chrome::common::mac::EnableCFBundleBlocker();
 #endif
diff --git a/chrome/browser/chrome_browser_application_mac.mm b/chrome/browser/chrome_browser_application_mac.mm
index 9394767..852d2ba 100644
--- a/chrome/browser/chrome_browser_application_mac.mm
+++ b/chrome/browser/chrome_browser_application_mac.mm
@@ -12,9 +12,9 @@
 #import "chrome/app/breakpad_mac.h"
 #import "chrome/browser/app_controller_mac.h"
 #include "chrome/browser/ui/browser_list.h"
-#import "chrome/browser/ui/cocoa/objc_method_swizzle.h"
-#import "chrome/browser/ui/cocoa/objc_zombie.h"
 #include "chrome/browser/ui/tab_contents/tab_contents_wrapper.h"
+#import "chrome/common/mac/objc_method_swizzle.h"
+#import "chrome/common/mac/objc_zombie.h"
 #include "content/browser/accessibility/browser_accessibility_state.h"
 #include "content/browser/renderer_host/render_view_host.h"
 
@@ -210,7 +210,7 @@ void SwizzleInit() {
 + (void)initialize {
   // Turn all deallocated Objective-C objects into zombies, keeping
   // the most recent 10,000 of them on the treadmill.
-  ObjcEvilDoers::ZombieEnable(YES, 10000);
+  ObjcEvilDoers::ZombieEnable(true, 10000);
 }
 
 - (id)init {
diff --git a/chrome/browser/ui/cocoa/objc_zombie.mm b/chrome/browser/ui/cocoa/objc_zombie.mm
index ea892da..ef6d458 100644
--- a/chrome/browser/ui/cocoa/objc_zombie.mm
+++ b/chrome/browser/ui/cocoa/objc_zombie.mm
@@ -20,7 +20,7 @@
 #include "base/metrics/histogram.h"
 #include "base/synchronization/lock.h"
 #import "chrome/app/breakpad_mac.h"
-#import "chrome/browser/ui/cocoa/objc_method_swizzle.h"
+#import "chrome/common/mac/objc_method_swizzle.h"
 
 // Deallocated objects are re-classed as |CrZombie|.  No superclass
 // because then the class would have to override many/most of the
diff --git a/chrome/chrome_browser.gypi b/chrome/chrome_browser.gypi
index 20edb4d..5522926 100644
--- a/chrome/chrome_browser.gypi
+++ b/chrome/chrome_browser.gypi
@@ -2615,10 +2615,6 @@
         'browser/ui/cocoa/nsmenuitem_additions.mm',
         'browser/ui/cocoa/nsview_additions.h',
         'browser/ui/cocoa/nsview_additions.mm',
-        'browser/ui/cocoa/objc_method_swizzle.h',
-        'browser/ui/cocoa/objc_method_swizzle.mm',
-        'browser/ui/cocoa/objc_zombie.h',
-        'browser/ui/cocoa/objc_zombie.mm',
         'browser/ui/cocoa/omnibox/omnibox_popup_view_mac.h',
         'browser/ui/cocoa/omnibox/omnibox_popup_view_mac.mm',
         'browser/ui/cocoa/omnibox/omnibox_view_mac.h',
diff --git a/chrome/chrome_common.gypi b/chrome/chrome_common.gypi
index 0b20e5e..eb8bbac 100644
--- a/chrome/chrome_common.gypi
+++ b/chrome/chrome_common.gypi
@@ -208,6 +208,10 @@
         'common/mac/cfbundle_blocker.mm',
         'common/mac/launchd.h',
         'common/mac/launchd.mm',
+        'common/mac/objc_method_swizzle.h',
+        'common/mac/objc_method_swizzle.mm',
+        'common/mac/objc_zombie.h',
+        'common/mac/objc_zombie.mm',
         'common/libxml_utils.cc',
         'common/libxml_utils.h',
         'common/native_window_notification_source.h',
diff --git a/chrome/chrome_tests.gypi b/chrome/chrome_tests.gypi
index 392fe3c..999dc54 100644
--- a/chrome/chrome_tests.gypi
+++ b/chrome/chrome_tests.gypi
@@ -1819,8 +1819,6 @@
         'browser/ui/cocoa/notifications/balloon_controller_unittest.mm',
         'browser/ui/cocoa/nsimage_cache_unittest.mm',
         'browser/ui/cocoa/nsmenuitem_additions_unittest.mm',
-        'browser/ui/cocoa/objc_method_swizzle_unittest.mm',
-        'browser/ui/cocoa/objc_zombie_unittest.mm',
         'browser/ui/cocoa/omnibox/omnibox_popup_view_mac_unittest.mm',
         'browser/ui/cocoa/omnibox/omnibox_view_mac_unittest.mm',
         'browser/ui/cocoa/page_info_bubble_controller_unittest.mm',
@@ -1965,6 +1963,8 @@
         'common/json_value_serializer_unittest.cc',
         'common/multi_process_lock_unittest.cc',
         'common/mac/attributed_string_coder_unittest.mm',
+        'common/mac/objc_method_swizzle_unittest.mm',
+        'common/mac/objc_zombie_unittest.mm',
         'common/net/gaia/gaia_auth_fetcher_unittest.cc',
         'common/net/gaia/gaia_auth_fetcher_unittest.h',
         'common/net/gaia/gaia_authenticator_unittest.cc',
diff --git a/chrome/common/mac/DEPS b/chrome/common/mac/DEPS
index 77a551b..b0c96ed 100644
--- a/chrome/common/mac/DEPS
+++ b/chrome/common/mac/DEPS
@@ -1,3 +1,8 @@
 include_rules = [
+  # TODO(shess): http://crbug.com/95272
+  # This dependency needed by objc_zombie.mm.  Unfortunately, putting
+  # objc_zombie.mm in chrome/app calls into existence unspeakable horrors.
+  "+chrome/app",
+
   "+third_party/mach_override",
 ]
diff --git a/chrome/browser/ui/cocoa/objc_method_swizzle.h b/chrome/common/mac/objc_method_swizzle.h
index 2b94832..a6fd19a 100644
--- a/chrome/browser/ui/cocoa/objc_method_swizzle.h
+++ b/chrome/common/mac/objc_method_swizzle.h
@@ -1,9 +1,9 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_UI_COCOA_OBJC_METHOD_SWIZZLE_H_
-#define CHROME_BROWSER_UI_COCOA_OBJC_METHOD_SWIZZLE_H_
+#ifndef CHROME_COMMON_MAC_OBJC_METHOD_SWIZZLE_H_
+#define CHROME_COMMON_MAC_OBJC_METHOD_SWIZZLE_H_
 #pragma once
 
 #import <objc/objc-class.h>
@@ -25,4 +25,4 @@ IMP SwizzleImplementedInstanceMethods(
 
 }  // namespace ObjcEvilDoers
 
-#endif  // CHROME_BROWSER_UI_COCOA_OBJC_METHOD_SWIZZLE_H_
+#endif  // CHROME_COMMON_MAC_OBJC_METHOD_SWIZZLE_H_
diff --git a/chrome/browser/ui/cocoa/objc_method_swizzle.mm b/chrome/common/mac/objc_method_swizzle.mm
index 39f3d9b..4ed4df8 100644
--- a/chrome/browser/ui/cocoa/objc_method_swizzle.mm
+++ b/chrome/common/mac/objc_method_swizzle.mm
@@ -2,11 +2,10 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#import "chrome/browser/ui/cocoa/objc_method_swizzle.h"
+#import "chrome/common/mac/objc_method_swizzle.h"
 
 #import "base/logging.h"
 #import "base/memory/scoped_nsobject.h"
-#import "chrome/app/breakpad_mac.h"
 
 namespace ObjcEvilDoers {
 
diff --git a/chrome/browser/ui/cocoa/objc_method_swizzle_unittest.mm b/chrome/common/mac/objc_method_swizzle_unittest.mm
index f56043c..261e24d 100644
--- a/chrome/browser/ui/cocoa/objc_method_swizzle_unittest.mm
+++ b/chrome/common/mac/objc_method_swizzle_unittest.mm
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#import "chrome/browser/ui/cocoa/objc_method_swizzle.h"
+#import "chrome/common/mac/objc_method_swizzle.h"
 
 #include "base/memory/scoped_nsobject.h"
 #include "testing/gtest/include/gtest/gtest.h"
diff --git a/chrome/browser/ui/cocoa/objc_zombie.h b/chrome/common/mac/objc_zombie.h
index 714409e..cca3694 100644
--- a/chrome/browser/ui/cocoa/objc_zombie.h
+++ b/chrome/common/mac/objc_zombie.h
@@ -1,12 +1,12 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef CHROME_BROWSER_UI_COCOA_NSOBJECT_ZOMBIE_H_
-#define CHROME_BROWSER_UI_COCOA_NSOBJECT_ZOMBIE_H_
+#ifndef CHROME_COMMON_MAC_OBJC_ZOMBIE_H_
+#define CHROME_COMMON_MAC_OBJC_ZOMBIE_H_
 #pragma once
 
-#import <Foundation/Foundation.h>
+#include "base/basictypes.h"
 
 // You should think twice every single time you use anything from this
 // namespace.
@@ -25,15 +25,23 @@ namespace ObjcEvilDoers {
 // |zombieCount| controls how many zombies to store before freeing the
 // oldest.  Set to 0 to free objects immediately after making them
 // zombies.
-BOOL ZombieEnable(BOOL zombieAllObjects, size_t zombieCount);
+bool ZombieEnable(bool zombieAllObjects, size_t zombieCount);
 
 // Disable zombies.
 void ZombieDisable();
 
 }  // namespace ObjcEvilDoers
 
+#if defined(OS_MACOSX)
+#if defined(__OBJC__)
+
+#import <Foundation/Foundation.h>
+
 @interface NSObject (CrZombie)
 - (BOOL)shouldBecomeCrZombie;
 @end
 
-#endif  // CHROME_BROWSER_UI_COCOA_NSOBJECT_ZOMBIE_H_
+#endif  // __OBJC__
+#endif  // OS_MACOSX
+
+#endif  // CHROME_COMMON_MAC_OBJC_ZOMBIE_H_
diff --git a/chrome/common/mac/objc_zombie.mm b/chrome/common/mac/objc_zombie.mm
new file mode 100644
index 0000000..c60981b
--- /dev/null
+++ b/chrome/common/mac/objc_zombie.mm
@@ -0,0 +1,561 @@
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#import "chrome/common/mac/objc_zombie.h"
+
+#include <dlfcn.h>
+#include <execinfo.h>
+#include <mach-o/dyld.h>
+#include <mach-o/nlist.h>
+
+#import <objc/objc-class.h>
+
+#include <algorithm>
+#include <iostream>
+
+#include "base/debug/stack_trace.h"
+#include "base/logging.h"
+#include "base/mac/mac_util.h"
+#include "base/metrics/histogram.h"
+#include "base/synchronization/lock.h"
+#import "chrome/app/breakpad_mac.h"
+#import "chrome/common/mac/objc_method_swizzle.h"
+
+// Deallocated objects are re-classed as |CrZombie|.  No superclass
+// because then the class would have to override many/most of the
+// inherited methods (|NSObject| is like a category magnet!).
+@interface CrZombie {
+  Class isa;
+}
+@end
+
+// Objects with enough space are made into "fat" zombies, which
+// directly remember which class they were until reallocated.
+@interface CrFatZombie : CrZombie {
+ @public
+  Class wasa;
+}
+@end
+
+namespace {
+
+// The depth of backtrace to store with zombies.  This directly influences
+// the amount of memory required to track zombies, so should be kept as
+// small as is useful.  Unfortunately, too small and it won't poke through
+// deep autorelease and event loop stacks.
+// NOTE(shess): Breakpad currently restricts values to 255 bytes.  The
+// trace is hex-encoded with "0x" prefix and " " separators, meaning
+// the maximum number of 32-bit items which can be encoded is 23.
+const size_t kBacktraceDepth = 20;
+
+// Function which destroys the contents of an object without freeing
+// the object.  On 10.5 this is |object_cxxDestruct()|, which
+// traverses the class hierarchy to run the C++ destructors.  On 10.6
+// this is |objc_destructInstance()| which calls
+// |object_cxxDestruct()| and removes associative references.
+// |objc_destructInstance()| returns |void*| but pretending it has no
+// return value makes the code simpler.
+typedef void DestructFn(id obj);
+DestructFn* g_objectDestruct = NULL;
+
+// The original implementation for |-[NSObject dealloc]|.
+IMP g_originalDeallocIMP = NULL;
+
+// Classes which freed objects become.  |g_fatZombieSize| is the
+// minimum object size which can be made into a fat zombie (which can
+// remember which class it was before free, even after falling off the
+// treadmill).
+Class g_zombieClass = Nil;  // cached [CrZombie class]
+Class g_fatZombieClass = Nil;  // cached [CrFatZombie class]
+size_t g_fatZombieSize = 0;
+
+// Whether to zombie all freed objects, or only those which return YES
+// from |-shouldBecomeCrZombie|.
+BOOL g_zombieAllObjects = NO;
+
+// Protects |g_zombieCount|, |g_zombieIndex|, and |g_zombies|.
+base::Lock lock_;
+
+// How many zombies to keep before freeing, and the current head of
+// the circular buffer.
+size_t g_zombieCount = 0;
+size_t g_zombieIndex = 0;
+
+typedef struct {
+  id object;   // The zombied object.
+  Class wasa;  // Value of |object->isa| before we replaced it.
+  void* trace[kBacktraceDepth];  // Backtrace at point of deallocation.
+  size_t traceDepth;             // Actual depth of trace[].
+} ZombieRecord;
+
+ZombieRecord* g_zombies = NULL;
+
+const char* LookupObjcRuntimePath() {
+  const void* addr = reinterpret_cast<void*>(&object_getClass);
+  Dl_info info;
+
+  // |dladdr()| doesn't document how long |info| will stay valid...
+  if (dladdr(addr, &info))
+    return info.dli_fname;
+
+  return NULL;
+}
+
+// Lookup |objc_destructInstance()| dynamically because it isn't
+// available on 10.5, but we link with the 10.5 SDK.
+DestructFn* LookupObjectDestruct_10_6() {
+  const char* objc_runtime_path = LookupObjcRuntimePath();
+  if (!objc_runtime_path)
+    return NULL;
+
+  void* handle = dlopen(objc_runtime_path, RTLD_LAZY | RTLD_LOCAL);
+  if (!handle)
+    return NULL;
+
+  void* fn = dlsym(handle, "objc_destructInstance");
+
+  // |fn| would normally be expected to become invalid after this
+  // |dlclose()|, but since the |dlopen()| was on a library
+  // containing an already-mapped symbol, it will remain valid.
+  dlclose(handle);
+  return reinterpret_cast<DestructFn*>(fn);
+}
+
+// Under 10.5 |object_cxxDestruct()| is used but unfortunately it is
+// |__private_extern__| in the runtime, meaning |dlsym()| cannot reach it.
+DestructFn* LookupObjectDestruct_10_5() {
+  // |nlist()| is only present for 32-bit.
+#if ARCH_CPU_32_BITS
+  const char* objc_runtime_path = LookupObjcRuntimePath();
+  if (!objc_runtime_path)
+    return NULL;
+
+  struct nlist nl[3];
+  bzero(&nl, sizeof(nl));
+
+  nl[0].n_un.n_name = const_cast<char*>("_object_cxxDestruct");
+
+  // My ability to calculate the base for offsets is apparently poor.
+  // Use |class_addIvar| as a known reference point.
+  nl[1].n_un.n_name = const_cast<char*>("_class_addIvar");
+
+  if (nlist(objc_runtime_path, nl) < 0 ||
+      nl[0].n_type == N_UNDF || nl[1].n_type == N_UNDF)
+    return NULL;
+
+  // Back out offset to |class_addIvar()| to get the baseline, then
+  // add back offset to |object_cxxDestruct()|.
+  uintptr_t reference_addr = reinterpret_cast<uintptr_t>(&class_addIvar);
+  reference_addr -= nl[1].n_value;
+  reference_addr += nl[0].n_value;
+
+  return reinterpret_cast<DestructFn*>(reference_addr);
+#endif
+
+  return NULL;
+}
+
+// Replacement |-dealloc| which turns objects into zombies and places
+// them into |g_zombies| to be freed later.
+void ZombieDealloc(id self, SEL _cmd) {
+  // This code should only be called when it is implementing |-dealloc|.
+  DCHECK_EQ(_cmd, @selector(dealloc));
+
+  // Use the original |-dealloc| if the object doesn't wish to be
+  // zombied.
+  if (!g_zombieAllObjects && ![self shouldBecomeCrZombie]) {
+    g_originalDeallocIMP(self, _cmd);
+    return;
+  }
+
+  // Use the original |-dealloc| if |g_objectDestruct| was never
+  // initialized, because otherwise C++ destructors won't be called.
+  // This case should be impossible, but doing it wrong would cause
+  // terrible problems.
+  DCHECK(g_objectDestruct);
+  if (!g_objectDestruct) {
+    g_originalDeallocIMP(self, _cmd);
+    return;
+  }
+
+  Class wasa = object_getClass(self);
+  const size_t size = class_getInstanceSize(wasa);
+
+  // Destroy the instance by calling C++ destructors and clearing it
+  // to something unlikely to work well if someone references it.
+  // NOTE(shess): |object_dispose()| will call this again when the
+  // zombie falls off the treadmill!  But by then |isa| will be a
+  // class without C++ destructors or associative references, so it
+  // won't hurt anything.
+  (*g_objectDestruct)(self);
+  memset(self, '!', size);
+
+  // If the instance is big enough, make it into a fat zombie and have
+  // it remember the old |isa|.  Otherwise make it a regular zombie.
+  // Setting |isa| rather than using |object_setClass()| because that
+  // function is implemented with a memory barrier.  The runtime's
+  // |_internal_object_dispose()| (in objc-class.m) does this, so it
+  // should be safe (messaging free'd objects shouldn't be expected to
+  // be thread-safe in the first place).
+  if (size >= g_fatZombieSize) {
+    self->isa = g_fatZombieClass;
+    static_cast<CrFatZombie*>(self)->wasa = wasa;
+  } else {
+    self->isa = g_zombieClass;
+  }
+
+  // The new record to swap into |g_zombies|.  If |g_zombieCount| is
+  // zero, then |self| will be freed immediately.
+  ZombieRecord zombieToFree = {self, wasa};
+  zombieToFree.traceDepth =
+      std::max(backtrace(zombieToFree.trace, kBacktraceDepth), 0);
+
+  // Don't involve the lock when creating zombies without a treadmill.
+  if (g_zombieCount > 0) {
+    base::AutoLock pin(lock_);
+
+    // Check the count again in a thread-safe manner.
+    if (g_zombieCount > 0) {
+      // Put the current object on the treadmill and keep the previous
+      // occupant.
+      std::swap(zombieToFree, g_zombies[g_zombieIndex]);
+
+      // Bump the index forward.
+      g_zombieIndex = (g_zombieIndex + 1) % g_zombieCount;
+    }
+  }
+
+  // Do the free out here to prevent any chance of deadlock.
+  if (zombieToFree.object)
+    object_dispose(zombieToFree.object);
+}
+
+// Search the treadmill for |object| and fill in |*record| if found.
+// Returns YES if found.
+BOOL GetZombieRecord(id object, ZombieRecord* record) {
+  // Holding the lock is reasonable because this should be fast, and
+  // the process is going to crash presently anyhow.
+  base::AutoLock pin(lock_);
+  for (size_t i = 0; i < g_zombieCount; ++i) {
+    if (g_zombies[i].object == object) {
+      *record = g_zombies[i];
+      return YES;
+    }
+  }
+  return NO;
+}
+
+// Dump the symbols.  This is pulled out into a function to make it
+// easy to use DCHECK to dump only in debug builds.
+BOOL DumpDeallocTrace(const void* const* array, int size) {
+  // |cerr| because that's where PrintBacktrace() sends output.
+  std::cerr << "Backtrace from -dealloc:\n";
+  base::debug::StackTrace(array, size).PrintBacktrace();
+
+  return YES;
+}
+
+// Log a message to a freed object.  |wasa| is the object's original
+// class.  |aSelector| is the selector which the calling code was
+// attempting to send.  |viaSelector| is the selector of the
+// dispatch-related method which is being invoked to send |aSelector|
+// (for instance, -respondsToSelector:).
+void ZombieObjectCrash(id object, SEL aSelector, SEL viaSelector) {
+  ZombieRecord record;
+  BOOL found = GetZombieRecord(object, &record);
+
+  // The object's class can be in the zombie record, but if that is
+  // not available it can also be in the object itself (in most cases).
+  Class wasa = Nil;
+  if (found) {
+    wasa = record.wasa;
+  } else if (object_getClass(object) == g_fatZombieClass) {
+    wasa = static_cast<CrFatZombie*>(object)->wasa;
+  }
+  const char* wasaName = (wasa ? class_getName(wasa) : "<unknown>");
+
+  NSString* aString =
+      [NSString stringWithFormat:@"Zombie <%s: %p> received -%s",
+                                 wasaName, object, sel_getName(aSelector)];
+  if (viaSelector != NULL) {
+    const char* viaName = sel_getName(viaSelector);
+    aString = [aString stringByAppendingFormat:@" (via -%s)", viaName];
+  }
+
+  // Set a value for breakpad to report.
+  SetCrashKeyValue(@"zombie", aString);
+
+  // Hex-encode the backtrace and tuck it into a breakpad key.
+  NSString* deallocTrace = @"<unknown>";
+  if (found && record.traceDepth) {
+    NSMutableArray* hexBacktrace =
+        [NSMutableArray arrayWithCapacity:record.traceDepth];
+    for (size_t i = 0; i < record.traceDepth; ++i) {
+      NSString* s = [NSString stringWithFormat:@"%p", record.trace[i]];
+      [hexBacktrace addObject:s];
+    }
+    deallocTrace = [hexBacktrace componentsJoinedByString:@" "];
+
+    // Warn someone if this exceeds the breakpad limits.
+    DCHECK_LE(strlen([deallocTrace UTF8String]), 255U);
+  }
+  SetCrashKeyValue(@"zombie_dealloc_bt", deallocTrace);
+
+  // Log -dealloc backtrace in debug builds then crash with a useful
+  // stack trace.
+  if (found && record.traceDepth) {
+    DCHECK(DumpDeallocTrace(record.trace, record.traceDepth));
+  } else {
+    DLOG(INFO) << "Unable to generate backtrace from -dealloc.";
+  }
+  DLOG(FATAL) << [aString UTF8String];
+
+  // This is how about:crash is implemented.  Using instead of
+  // |base::debug::BreakDebugger()| or |LOG(FATAL)| to make the top of
+  // stack more immediately obvious in crash dumps.
+  int* zero = NULL;
+  *zero = 0;
+}
+
+// For monitoring failures in |ZombieInit()|.
+enum ZombieFailure {
+  FAILED_10_5,
+  FAILED_10_6,
+
+  // Add new versions before here.
+  FAILED_MAX,
+};
+
+void RecordZombieFailure(ZombieFailure failure) {
+  UMA_HISTOGRAM_ENUMERATION("OSX.ZombieInitFailure", failure, FAILED_MAX);
+}
+
+// Initialize our globals, returning YES on success.
+BOOL ZombieInit() {
+  static BOOL initialized = NO;
+  if (initialized)
+    return YES;
+
+  // Whitelist releases that are compatible with objc zombies.
+  if (base::mac::IsOSLeopard()) {
+    g_objectDestruct = LookupObjectDestruct_10_5();
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_10_5);
+      return NO;
+    }
+  } else if (base::mac::IsOSSnowLeopard()) {
+    g_objectDestruct = LookupObjectDestruct_10_6();
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_10_6);
+      return NO;
+    }
+  } else if (base::mac::IsOSLionOrLater()) {
+    // Assume the future looks like the present.
+    g_objectDestruct = LookupObjectDestruct_10_6();
+
+    // Put all future failures into the MAX bin.  New OS releases come
+    // out infrequently enough that this should always correspond to
+    // "Next release", and once the next release happens that bin will
+    // get an official name.
+    if (!g_objectDestruct) {
+      RecordZombieFailure(FAILED_MAX);
+      return NO;
+    }
+  } else {
+    return NO;
+  }
+
+  Class rootClass = [NSObject class];
+  g_originalDeallocIMP =
+      class_getMethodImplementation(rootClass, @selector(dealloc));
+  // objc_getClass() so CrZombie doesn't need +class.
+  g_zombieClass = objc_getClass("CrZombie");
+  g_fatZombieClass = objc_getClass("CrFatZombie");
+  g_fatZombieSize = class_getInstanceSize(g_fatZombieClass);
+
+  if (!g_objectDestruct || !g_originalDeallocIMP ||
+      !g_zombieClass || !g_fatZombieClass)
+    return NO;
+
+  initialized = YES;
+  return YES;
+}
+
+}  // namespace
+
+@implementation CrZombie
+
+// The Objective-C runtime needs to be able to call this successfully.
++ (void)initialize {
+}
+
+// Any method not explicitly defined will end up here, forcing a
+// crash.
+- (id)forwardingTargetForSelector:(SEL)aSelector {
+  ZombieObjectCrash(self, aSelector, NULL);
+  return nil;
+}
+
+// Override a few methods often used for dynamic dispatch to log the
+// message the caller is attempting to send, rather than the utility
+// method being used to send it.
+- (BOOL)respondsToSelector:(SEL)aSelector {
+  ZombieObjectCrash(self, aSelector, _cmd);
+  return NO;
+}
+
+- (id)performSelector:(SEL)aSelector {
+  ZombieObjectCrash(self, aSelector, _cmd);
+  return nil;
+}
+
+- (id)performSelector:(SEL)aSelector withObject:(id)anObject {
+  ZombieObjectCrash(self, aSelector, _cmd);
+  return nil;
+}
+
+- (id)performSelector:(SEL)aSelector
+           withObject:(id)anObject
+           withObject:(id)anotherObject {
+  ZombieObjectCrash(self, aSelector, _cmd);
+  return nil;
+}
+
+- (void)performSelector:(SEL)aSelector
+             withObject:(id)anArgument
+             afterDelay:(NSTimeInterval)delay {
+  ZombieObjectCrash(self, aSelector, _cmd);
+}
+
+@end
+
+@implementation CrFatZombie
+
+// This implementation intentionally left empty.
+
+@end
+
+@implementation NSObject (CrZombie)
+
+- (BOOL)shouldBecomeCrZombie {
+  return NO;
+}
+
+@end
+
+namespace ObjcEvilDoers {
+
+bool ZombieEnable(bool zombieAllObjects,
+                  size_t zombieCount) {
+  // Only allow enable/disable on the main thread, just to keep things
+  // simple.
+  CHECK([NSThread isMainThread]);
+
+  if (!ZombieInit())
+    return false;
+
+  g_zombieAllObjects = zombieAllObjects;
+
+  // Replace the implementation of -[NSObject dealloc].
+  Method m = class_getInstanceMethod([NSObject class], @selector(dealloc));
+  if (!m)
+    return false;
+
+  const IMP prevDeallocIMP = method_setImplementation(m, (IMP)ZombieDealloc);
+  DCHECK(prevDeallocIMP == g_originalDeallocIMP ||
+         prevDeallocIMP == (IMP)ZombieDealloc);
+
+  // Grab the current set of zombies.  This is thread-safe because
+  // only the main thread can change these.
+  const size_t oldCount = g_zombieCount;
+  ZombieRecord* oldZombies = g_zombies;
+
+  {
+    base::AutoLock pin(lock_);
+
+    // Save the old index in case zombies need to be transferred.
+    size_t oldIndex = g_zombieIndex;
+
+    // Create the new zombie treadmill, disabling zombies in case of
+    // failure.
+    g_zombieIndex = 0;
+    g_zombieCount = zombieCount;
+    g_zombies = NULL;
+    if (g_zombieCount) {
+      g_zombies =
+          static_cast<ZombieRecord*>(calloc(g_zombieCount, sizeof(*g_zombies)));
+      if (!g_zombies) {
+        NOTREACHED();
+        g_zombies = oldZombies;
+        g_zombieCount = oldCount;
+        g_zombieIndex = oldIndex;
+        ZombieDisable();
+        return false;
+      }
+    }
+
+    // If the count is changing, allow some of the zombies to continue
+    // shambling forward.
+    const size_t sharedCount = std::min(oldCount, zombieCount);
+    if (sharedCount) {
+      // Get index of the first shared zombie.
+      oldIndex = (oldIndex + oldCount - sharedCount) % oldCount;
+
+      for (; g_zombieIndex < sharedCount; ++ g_zombieIndex) {
+        DCHECK_LT(g_zombieIndex, g_zombieCount);
+        DCHECK_LT(oldIndex, oldCount);
+        std::swap(g_zombies[g_zombieIndex], oldZombies[oldIndex]);
+        oldIndex = (oldIndex + 1) % oldCount;
+      }
+      g_zombieIndex %= g_zombieCount;
+    }
+  }
+
+  // Free the old treadmill and any remaining zombies.
+  if (oldZombies) {
+    for (size_t i = 0; i < oldCount; ++i) {
+      if (oldZombies[i].object)
+        object_dispose(oldZombies[i].object);
+    }
+    free(oldZombies);
+  }
+
+  return true;
+}
+
+void ZombieDisable() {
+  // Only allow enable/disable on the main thread, just to keep things
+  // simple.
+  CHECK([NSThread isMainThread]);
+
+  // |ZombieInit()| was never called.
+  if (!g_originalDeallocIMP)
+    return;
+
+  // Put back the original implementation of -[NSObject dealloc].
+  Method m = class_getInstanceMethod([NSObject class], @selector(dealloc));
+  CHECK(m);
+  method_setImplementation(m, g_originalDeallocIMP);
+
+  // Can safely grab this because it only happens on the main thread.
+  const size_t oldCount = g_zombieCount;
+  ZombieRecord* oldZombies = g_zombies;
+
+  {
+    base::AutoLock pin(lock_);  // In case any |-dealloc| are in-progress.
+    g_zombieCount = 0;
+    g_zombies = NULL;
+  }
+
+  // Free any remaining zombies.
+  if (oldZombies) {
+    for (size_t i = 0; i < oldCount; ++i) {
+      if (oldZombies[i].object)
+        object_dispose(oldZombies[i].object);
+    }
+    free(oldZombies);
+  }
+}
+
+}  // namespace ObjcEvilDoers
diff --git a/chrome/browser/ui/cocoa/objc_zombie_unittest.mm b/chrome/common/mac/objc_zombie_unittest.mm
index 1cadf4a..df91d53 100644
--- a/chrome/browser/ui/cocoa/objc_zombie_unittest.mm
+++ b/chrome/common/mac/objc_zombie_unittest.mm
@@ -7,7 +7,7 @@
 
 #include "base/logging.h"
 #import "base/memory/scoped_nsobject.h"
-#import "chrome/browser/ui/cocoa/objc_zombie.h"
+#import "chrome/common/mac/objc_zombie.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"