ANTS Performance Profiler 9

Profiling SecurityTransparent and partially-trusted assemblies

This page describes a change in the behavior of ANTS Performance Profiler, effective from version 8.1.

If you are using ANTS Performance Profiler 7.x or 8.0, see Enabling line-level timings for SecurityTransparent code for more information for your version.

 

Problem

  • A partially-trusted trusted assembly crashes with a VerificationException
  • You don't see line-level timings for .NET 4.0 and .NET 4.5 assemblies that have the SecurityTransparent attribute.
  • You don't see line-level timings for the log4net and JSON.NET assemblies.
     

In .NET 3.5 and earlier, an assembly (Assembly A) can become marked as partially-trusted if it calls another assembly (Assembly B) and Assembly B responds with SecurityAction.RequestRefuse or SecurityAction.RequestOptional .

 

Cause

Partially-trusted code and code with the SecurityTransparent attribute sets a restriction in the .NET CLR that prevent ANTS Performance Profiler from changing your code during profiling. ANTS Performance Profiler needs to change your code to collect line-level timings, but it can collect method-level timings without changing your code.

In ANTS Performance Profiler 8.0 and earlier, the security restriction would typically have the following effect:

  • Applications running in IIS would crash with a VerificationException
  • Other types of application often showed method-level timings only

In ANTS Performance Profiler 8.1, we've tried to reduce the risk of crashing applications in IIS by altering the default behavior:

  • For all types of application, ANTS Performance Profiler only shows method-level timings for SecurityTransparent and partially-trusted assemblies

Additionally, some popular third-party assemblies (like log4net and JSON.NET) contain some individual modules that are SecurityTransparent or partially-trusted.  To stop these particular assemblies from crashing your application during profiling, the profiler always profiles these assemblies with method-level timings only. The list of known third-party assemblies is controlled by an editable block list. (For more information, see About the block list.)

These changes might mean that some assemblies that had line-level timings in previous versions of the profiler now only show method-level timings. See Displaying line-level timings for SecurityTransparent / partially-trusted assemblies for information about how to restore line-level timings to these assemblies.

If ANTS Performance Profiler crashes with line-level timings enabled and you have a SecurityTransparent / partially-trusted assembly in your code

In some cases, ANTS Performance Profiler might not correctly identify SecurityTransparent or partially-trusted code. For example, if you create permission levels programmatically in your code, ANTS Performance Profiler will not be able to switch to method-level timings to avoid the VerificationException, and so your application may crash.

If your application crashes with a VerificationException because you have used SecurityTransparent or you have partially-trusted code, you should add the name of every assembly with these security features to the ANTS Performance Profiler block list. You will then be able to profile the application but you'll only see method-level timings for the blocked assemblies.

  1. Open the ANTS Performance Profiler block list in an XML editor.
    See About the block list for the block list's location.
  2. Inside the <lineLevelBlacklist> element, add a new line containing your assembly name:
    <assemblyName>My.Company.AssemblyName</assemblyName>
    If you don't know the assembly name, it is normally the same as the assembly's filename, without the file extension. 
  3. Save the block list and restart ANTS Performance Profiler.

Displaying line-level timings for SecurityTransparent / partially-trusted assemblies

In most cases, you can override the default bahavior described above, so the profiler will show line-level timings.

Following the steps below increases the risk that ANTS Performance Profiler will crash your application during profiling.

To display line-level timings for SecurityTransparent code and partially-trusted code

If your assembly is not running in an IIS site with partial trust, you can force ANTS Performance Profiler to try displaying line-level timings for SecurityTransparent and partially-trusted code. To do this:

  1. Open the ANTS Performance Profiler block list in an XML editor.
    (See About the block list for more information)
  2. Change the alwaysApply attribute to false
  3. Save the block list and restart ANTS Performance Profiler.

If your assembly is running in an IIS site with partial trust, the block list is always used, because there is too much risk that the profiler will crash your code. We recommend changing the site to be fully-trusted during profiling.

To display line-level timings for JSON.NET

To force ANTS Performance Profiler to show line-level timings for JSON.NET:

  1. In the JSON.NET library, comment out [assembly:System.Security.SecurityTransparent] wherever it occurs.

  2. Expand the Properties folder
  3. In the #if !SILVERLIGHT region, comment out [assembly:AllowPartiallyTrustedCallers]
  4. Rebuild the solution
  5. In the ANTS Performance Profiler block list, comment out
    <assemblyName>Newtonsoft.Json</assemblyName>
    (See About the block list for more information)
  6. Restart ANTS Performance Profiler and profile the application as normal

If the steps above don't solve your problem

If you still can't see line-level timings, you'll need to modify the assembly to remove the security restrictions so the profiler can modify your code:

  1. Remove the AllowPartiallyTrustedCallers attribute from the profiled assembly and from any of its dependencies.
  2. Increase the code's trust level:
  3. Rebuild and profile the application again.

 

About the block list

ANTS Performance Profiler doesn't profile assemblies in the block list with line-level timings, because this might crash the application being profiled.

If you need to edit the block list, you can edit it with an XML editor. The block list is located at:

  • On Windows Vista and later: %LocalAppData%\Red Gate\ANTS Performance Profiler 8\LineLevelBlacklist.xml
  • On Windows XP / Windows Server 2003: %Userprofile%\Local Settings\Application Data\Red Gate\ANTS Performance Profiler 8\LineLevelBlacklist.xml

 

If you continue to experience problems, please contact Red Gate Support.


Didn't find what you were looking for?