bug 1421084 - part 2/4 - remove nsNSSShutDownObject::isAlreadyShutDown() r?ttaubert,mt draft
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 23 Jan 2018 12:22:56 -0800
changeset 749621 360b0196c4949cd1e77880458dcb46f5c82d6d83
parent 749620 270812bffa3d60d56fededdd1ca51d5212aafeb7
child 749622 53b72e499e2c2631e1ead8d5c93c2355f1de1d34
push id97464
push userbmo:dkeeler@mozilla.com
push dateWed, 31 Jan 2018 21:01:00 +0000
reviewersttaubert, mt
bugs1421084
milestone60.0a1
bug 1421084 - part 2/4 - remove nsNSSShutDownObject::isAlreadyShutDown() r?ttaubert,mt MozReview-Commit-ID: DlS16pHE0Ik
dom/crypto/CryptoKey.cpp
dom/crypto/WebCryptoTask.cpp
dom/media/webrtc/RTCCertificate.cpp
dom/webauthn/U2FSoftTokenManager.cpp
netwerk/base/BackgroundFileSaver.cpp
security/manager/ssl/ContentSignatureVerifier.cpp
security/manager/ssl/CryptoTask.cpp
security/manager/ssl/PKCS11ModuleDB.cpp
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/SecretDecoderRing.cpp
security/manager/ssl/TransportSecurityInfo.cpp
security/manager/ssl/nsCryptoHash.cpp
security/manager/ssl/nsDataSignatureVerifier.cpp
security/manager/ssl/nsKeyModule.cpp
security/manager/ssl/nsKeygenHandler.cpp
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCertHelper.cpp
security/manager/ssl/nsNSSCertValidity.cpp
security/manager/ssl/nsNSSCertificate.cpp
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsNSSShutDown.h
security/manager/ssl/nsPK11TokenDB.cpp
security/manager/ssl/nsPKCS11Slot.cpp
security/manager/ssl/nsPKCS12Blob.cpp
security/manager/ssl/nsRandomGenerator.cpp
security/manager/ssl/nsSSLStatus.cpp
services/crypto/component/IdentityCryptoService.cpp
--- a/dom/crypto/CryptoKey.cpp
+++ b/dom/crypto/CryptoKey.cpp
@@ -157,19 +157,16 @@ CryptoKey::CryptoKey(nsIGlobalObject* aG
   , mSymKey()
   , mPrivateKey(nullptr)
   , mPublicKey(nullptr)
 {
 }
 
 CryptoKey::~CryptoKey()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 JSObject*
 CryptoKey::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
 {
   return CryptoKeyBinding::Wrap(aCx, this, aGivenProto);
@@ -447,29 +444,29 @@ nsresult CryptoKey::SetSymKey(const Cryp
   }
 
   return NS_OK;
 }
 
 nsresult
 CryptoKey::SetPrivateKey(SECKEYPrivateKey* aPrivateKey)
 {
-  if (!aPrivateKey || isAlreadyShutDown()) {
+  if (!aPrivateKey) {
     mPrivateKey = nullptr;
     return NS_OK;
   }
 
   mPrivateKey = UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(aPrivateKey));
   return mPrivateKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
 nsresult
 CryptoKey::SetPublicKey(SECKEYPublicKey* aPublicKey)
 {
-  if (!aPublicKey || isAlreadyShutDown()) {
+  if (!aPublicKey) {
     mPublicKey = nullptr;
     return NS_OK;
   }
 
   mPublicKey = UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(aPublicKey));
   return mPublicKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
@@ -477,26 +474,26 @@ const CryptoBuffer&
 CryptoKey::GetSymKey() const
 {
   return mSymKey;
 }
 
 UniqueSECKEYPrivateKey
 CryptoKey::GetPrivateKey() const
 {
-  if (!mPrivateKey || isAlreadyShutDown()) {
+  if (!mPrivateKey) {
     return nullptr;
   }
   return UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(mPrivateKey.get()));
 }
 
 UniqueSECKEYPublicKey
 CryptoKey::GetPublicKey() const
 {
-  if (!mPublicKey || isAlreadyShutDown()) {
+  if (!mPublicKey) {
     return nullptr;
   }
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(mPublicKey.get()));
 }
 
 void CryptoKey::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -1229,20 +1226,16 @@ CryptoKey::PublicKeyValid(SECKEYPublicKe
 
   SECStatus rv = PK11_DestroyObject(slot.get(), id);
   return (rv == SECSuccess);
 }
 
 bool
 CryptoKey::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   // Write in five pieces
   // 1. Attributes
   // 2. Symmetric key as raw (if present)
   // 3. Private key as pkcs8 (if present)
   // 4. Public key as spki (if present)
   // 5. Algorithm in whatever form it chooses
   CryptoBuffer priv, pub;
 
@@ -1263,20 +1256,16 @@ CryptoKey::WriteStructuredClone(JSStruct
          WriteBuffer(aWriter, priv) &&
          WriteBuffer(aWriter, pub) &&
          mAlgorithm.WriteStructuredClone(aWriter);
 }
 
 bool
 CryptoKey::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   // Ensure that NSS is initialized.
   if (!EnsureNSSInitializedChromeOrContent()) {
     return false;
   }
 
   uint32_t version;
   CryptoBuffer sym, priv, pub;
 
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -400,21 +400,17 @@ WebCryptoTask::DispatchWithPromise(Promi
   MAYBE_EARLY_FAIL(mEarlyRv)
 }
 
 NS_IMETHODIMP
 WebCryptoTask::Run()
 {
   // Run heavy crypto operations on the thread pool, off the original thread.
   if (!IsOnOriginalThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      mRv = CalculateResult();
-    }
+    mRv = CalculateResult();
 
     // Back to the original thread, i.e. continue below.
     mOriginalEventTarget->Dispatch(this, NS_DISPATCH_NORMAL);
     return NS_OK;
   }
 
   // We're now back on the calling thread.
 
@@ -455,20 +451,16 @@ WebCryptoTask::FailWithError(nsresult aR
   Cleanup();
 }
 
 nsresult
 WebCryptoTask::CalculateResult()
 {
   MOZ_ASSERT(!IsOnOriginalThread());
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_DOM_UNKNOWN_ERR;
-  }
-
   return DoCrypto();
 }
 
 void
 WebCryptoTask::CallCallback(nsresult rv)
 {
   MOZ_ASSERT(IsOnOriginalThread());
   if (NS_FAILED(rv)) {
@@ -3721,19 +3713,17 @@ WebCryptoTask::WebCryptoTask()
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 WebCryptoTask::~WebCryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  if (!isAlreadyShutDown()) {
-    shutdown(ShutdownCalledFrom::Object);
-  }
+  shutdown(ShutdownCalledFrom::Object);
 
   if (mWorkerHolder) {
     NS_ProxyRelease(
       "WebCryptoTask::mWorkerHolder",
       mOriginalEventTarget, mWorkerHolder.forget());
   }
 }
 
--- a/dom/media/webrtc/RTCCertificate.cpp
+++ b/dom/media/webrtc/RTCCertificate.cpp
@@ -303,19 +303,16 @@ RTCCertificate::RTCCertificate(nsIGlobal
       mCertificate(aCertificate),
       mAuthType(aAuthType),
       mExpires(aExpires)
 {
 }
 
 RTCCertificate::~RTCCertificate()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // This creates some interesting lifecycle consequences, since the DtlsIdentity
 // holds NSS objects, but does not implement nsNSSShutDownObject.
 
 // Unfortunately, the code that uses DtlsIdentity cannot always use that lock
@@ -324,17 +321,17 @@ RTCCertificate::~RTCCertificate()
 // have a lifetime that is strictly shorter than the RTCCertificate.
 //
 // RTCPeerConnection provides this guarantee by holding a strong reference to
 // the RTCCertificate.  It will cleanup any DtlsIdentity instances that it
 // creates before the RTCCertificate reference is released.
 RefPtr<DtlsIdentity>
 RTCCertificate::CreateDtlsIdentity() const
 {
-  if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
+  if (!mPrivateKey || !mCertificate) {
     return nullptr;
   }
   UniqueSECKEYPrivateKey key(SECKEY_CopyPrivateKey(mPrivateKey.get()));
   UniqueCERTCertificate cert(CERT_DupCertificate(mCertificate.get()));
   RefPtr<DtlsIdentity> id = new DtlsIdentity(Move(key), Move(cert), mAuthType);
   return id;
 }
 
@@ -383,17 +380,17 @@ RTCCertificate::WriteCertificate(JSStruc
     return false;
   }
   return JS_WriteBytes(aWriter, certs->certs[0].data, certs->certs[0].len);
 }
 
 bool
 RTCCertificate::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
+  if (!mPrivateKey || !mCertificate) {
     return false;
   }
 
   return JS_WriteUint32Pair(aWriter, RTCCERTIFICATE_SC_VERSION, mAuthType) &&
       JS_WriteUint32Pair(aWriter, (mExpires >> 32) & 0xffffffff,
                          mExpires & 0xffffffff) &&
       WritePrivateKey(aWriter) &&
       WriteCertificate(aWriter);
@@ -427,20 +424,16 @@ RTCCertificate::ReadCertificate(JSStruct
   mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                              &der, nullptr, true, true));
   return !!mCertificate;
 }
 
 bool
 RTCCertificate::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   uint32_t version, authType;
   if (!JS_ReadUint32Pair(aReader, &version, &authType) ||
       version != RTCCERTIFICATE_SC_VERSION) {
     return false;
   }
   mAuthType = static_cast<SSLKEAType>(authType);
 
   uint32_t high, low;
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -65,21 +65,16 @@ enum SoftTokenHandle {
 
 U2FSoftTokenManager::U2FSoftTokenManager(uint32_t aCounter)
   : mInitialized(false),
     mCounter(aCounter)
 {}
 
 U2FSoftTokenManager::~U2FSoftTokenManager()
 {
-
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 U2FSoftTokenManager::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -361,20 +356,16 @@ GetAttestationCertificate(const UniquePK
 nsresult
 U2FSoftTokenManager::Init()
 {
   // If we've already initialized, just return.
   if (mInitialized) {
     return NS_OK;
   }
 
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   MOZ_ASSERT(slot.get());
 
   // Search for an existing wrapping key, or create one.
   nsresult rv = GetOrCreateWrappingKey(slot);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
@@ -565,20 +556,16 @@ PrivateKeyFromKeyHandle(const UniquePK11
 }
 
 // IsRegistered determines if the provided key handle is usable by this token.
 nsresult
 U2FSoftTokenManager::IsRegistered(const nsTArray<uint8_t>& aKeyHandle,
                                   const nsTArray<uint8_t>& aAppParam,
                                   bool& aResult)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return NS_ERROR_FAILURE;
-  }
-
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalSlot());
@@ -615,20 +602,16 @@ U2FSoftTokenManager::IsRegistered(const 
 //
 RefPtr<U2FRegisterPromise>
 U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                               const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
                               const nsTArray<uint8_t>& aApplication,
                               const nsTArray<uint8_t>& aChallenge,
                               uint32_t aTimeoutMS)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return U2FRegisterPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
-  }
-
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return U2FRegisterPromise::CreateAndReject(rv, __func__);
     }
   }
 
   // The U2F softtoken neither supports resident keys or
@@ -746,20 +729,16 @@ U2FSoftTokenManager::Register(const nsTA
 //
 RefPtr<U2FSignPromise>
 U2FSoftTokenManager::Sign(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                           const nsTArray<uint8_t>& aApplication,
                           const nsTArray<uint8_t>& aChallenge,
                           bool aRequireUserVerification,
                           uint32_t aTimeoutMS)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return U2FSignPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
-  }
-
   // The U2F softtoken doesn't support user verification.
   if (aRequireUserVerification) {
     return U2FSignPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR, __func__);
   }
 
   nsTArray<uint8_t> keyHandle;
   for (auto cred: aCredentials) {
     bool isRegistered = false;
--- a/netwerk/base/BackgroundFileSaver.cpp
+++ b/netwerk/base/BackgroundFileSaver.cpp
@@ -113,19 +113,16 @@ BackgroundFileSaver::BackgroundFileSaver
 , mDigestContext(nullptr)
 {
   LOG(("Created BackgroundFileSaver [this = %p]", this));
 }
 
 BackgroundFileSaver::~BackgroundFileSaver()
 {
   LOG(("Destroying BackgroundFileSaver [this = %p]", this));
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 BackgroundFileSaver::destructorSafeDestroyNSSReference()
 {
   mDigestContext = nullptr;
@@ -547,21 +544,19 @@ BackgroundFileSaver::ProcessStateChange(
     rv = mPipeInputStream->Available(&available);
     if (NS_FAILED(rv)) {
       return NS_OK;
     }
   }
 
   // Create the digest context if requested and NSS hasn't been shut down.
   if (sha256Enabled && !mDigestContext) {
-    if (!isAlreadyShutDown()) {
-      mDigestContext = UniquePK11Context(
-        PK11_CreateDigestContext(SEC_OID_SHA256));
-      NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
-    }
+    mDigestContext = UniquePK11Context(
+      PK11_CreateDigestContext(SEC_OID_SHA256));
+    NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
   }
 
   // When we are requested to append to an existing file, we should read the
   // existing data and ensure we include it as part of the final hash.
   if (mDigestContext && append && !isContinuation) {
     nsCOMPtr<nsIInputStream> inputStream;
     rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream),
                                     mActualTarget,
@@ -575,20 +570,16 @@ BackgroundFileSaver::ProcessStateChange(
         rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count);
         NS_ENSURE_SUCCESS(rv, rv);
 
         if (count == 0) {
           // We reached the end of the file.
           break;
         }
 
-        if (isAlreadyShutDown()) {
-          return NS_ERROR_NOT_AVAILABLE;
-        }
-
         nsresult rv = MapSECStatus(
           PK11_DigestOp(mDigestContext.get(),
                         BitwiseCast<unsigned char*, char*>(buffer),
                         count));
         NS_ENSURE_SUCCESS(rv, rv);
       }
 
       rv = inputStream->Close();
@@ -714,25 +705,23 @@ BackgroundFileSaver::CheckCompletion()
   // Ensure we notify completion now that the operation finished.
   // Do a best-effort attempt to remove the file if required.
   if (failed && mActualTarget && !mActualTargetKeepPartial) {
     (void)mActualTarget->Remove(false);
   }
 
   // Finish computing the hash
   if (!failed && mDigestContext) {
-    if (!isAlreadyShutDown()) {
-      Digest d;
-      rv = d.End(SEC_OID_SHA256, mDigestContext);
-      if (NS_SUCCEEDED(rv)) {
-        MutexAutoLock lock(mLock);
-        mSha256 =
-          nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data),
-                                d.get().len);
-      }
+    Digest d;
+    rv = d.End(SEC_OID_SHA256, mDigestContext);
+    if (NS_SUCCEEDED(rv)) {
+      MutexAutoLock lock(mLock);
+      mSha256 =
+        nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data),
+                              d.get().len);
     }
   }
 
   // Compute the signature of the binary. ExtractSignatureInfo doesn't do
   // anything on non-Windows platforms except return an empty nsIArray.
   if (!failed && mActualTarget) {
     nsString filePath;
     mActualTarget->GetTarget(filePath);
@@ -805,20 +794,16 @@ BackgroundFileSaver::NotifySaveComplete(
 
   return NS_OK;
 }
 
 nsresult
 BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath)
 {
   MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread");
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   {
     MutexAutoLock lock(mLock);
     if (!mSignatureInfoEnabled) {
       return NS_OK;
     }
   }
   nsresult rv;
   nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID, &rv);
@@ -1207,19 +1192,16 @@ DigestOutputStream::DigestOutputStream(n
   , mDigestContext(aContext)
 {
   MOZ_ASSERT(mDigestContext, "Can't have null digest context");
   MOZ_ASSERT(mOutputStream, "Can't have null output stream");
 }
 
 DigestOutputStream::~DigestOutputStream()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Close()
 {
   return mOutputStream->Close();
 }
@@ -1228,20 +1210,16 @@ NS_IMETHODIMP
 DigestOutputStream::Flush()
 {
   return mOutputStream->Flush();
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = MapSECStatus(
     PK11_DigestOp(mDigestContext,
                   BitwiseCast<const unsigned char*, const char*>(aBuf),
                   aCount));
   NS_ENSURE_SUCCESS(rv, rv);
 
   return mOutputStream->Write(aBuf, aCount, retval);
 }
--- a/security/manager/ssl/ContentSignatureVerifier.cpp
+++ b/security/manager/ssl/ContentSignatureVerifier.cpp
@@ -39,19 +39,16 @@ using namespace mozilla::psm;
 static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier");
 #define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args)
 
 // Content-Signature prefix
 const nsLiteralCString kPREFIX = NS_LITERAL_CSTRING("Content-Signature:\x00");
 
 ContentSignatureVerifier::~ContentSignatureVerifier()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 ContentSignatureVerifier::VerifyContentSignature(
   const nsACString& aData, const nsACString& aCSHeader,
   const nsACString& aCertChain, const nsACString& aName, bool* _retval)
@@ -138,20 +135,16 @@ ReadChainIntoCertList(const nsACString& 
 }
 
 nsresult
 ContentSignatureVerifier::CreateContextInternal(const nsACString& aData,
                                                 const nsACString& aCertChain,
                                                 const nsACString& aName)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   UniqueCERTCertList certCertList(CERT_NewCertList());
   if (!certCertList) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get());
   if (NS_FAILED(rv)) {
@@ -381,20 +374,16 @@ ContentSignatureVerifier::UpdateInternal
 
 /**
  * Add data to the context that shold be verified.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::Update(const nsACString& aData)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     MOZ_ASSERT_UNREACHABLE(
       "Someone called ContentSignatureVerifier::Update before "
       "downloading the cert chain.");
     return NS_ERROR_FAILURE;
   }
@@ -405,20 +394,16 @@ ContentSignatureVerifier::Update(const n
 /**
  * Finish signature verification and return the result in _retval.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::End(bool* _retval)
 {
   NS_ENSURE_ARG(_retval);
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     MOZ_ASSERT_UNREACHABLE(
       "Someone called ContentSignatureVerifier::End before "
       "downloading the cert chain.");
     return NS_ERROR_FAILURE;
   }
--- a/security/manager/ssl/CryptoTask.cpp
+++ b/security/manager/ssl/CryptoTask.cpp
@@ -8,19 +8,17 @@
 #include "nsNSSComponent.h"
 
 namespace mozilla {
 
 CryptoTask::~CryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  if (!isAlreadyShutDown()) {
-    shutdown(ShutdownCalledFrom::Object);
-  }
+  shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 CryptoTask::Dispatch(const nsACString& taskThreadName)
 {
   MOZ_ASSERT(taskThreadName.Length() <= 15);
 
   // Ensure that NSS is initialized, since presumably CalculateResult
@@ -40,21 +38,17 @@ CryptoTask::Dispatch(const nsACString& t
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 CryptoTask::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      mRv = CalculateResult();
-    }
+    mRv = CalculateResult();
     NS_DispatchToMainThread(this);
   } else {
     // back on the main thread
 
     // call ReleaseNSSResources now, before calling CallCallback, so that
     // CryptoTasks have consistent behavior regardless of whether NSS is shut
     // down between CalculateResult being called and CallCallback being called.
     if (!mReleasedNSSResources) {
--- a/security/manager/ssl/PKCS11ModuleDB.cpp
+++ b/security/manager/ssl/PKCS11ModuleDB.cpp
@@ -20,30 +20,23 @@ namespace mozilla { namespace psm {
 NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB)
 
 PKCS11ModuleDB::PKCS11ModuleDB()
 {
 }
 
 PKCS11ModuleDB::~PKCS11ModuleDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // Delete a PKCS11 module from the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
   NS_ConvertUTF16toUTF8 moduleName(aModuleName);
   // modType is an output variable. We ignore it.
   int32_t modType;
   SECStatus srv = SECMOD_DeleteModule(moduleName.get(), &modType);
@@ -84,20 +77,16 @@ GetModuleNameForTelemetry(/*in*/ const S
 
 // Add a new PKCS11 module to the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::AddModule(const nsAString& aModuleName,
                           const nsAString& aLibraryFullPath,
                           int32_t aCryptoMechanismFlags,
                           int32_t aCipherFlags)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
   // "Root Certs" is the name some NSS command-line utilities will give the
   // roots module if they decide to load it when there happens to be a
   // `DLL_PREFIX "nssckbi" DLL_SUFFIX` file in the directory being operated on.
   // This causes failures, so as a workaround, the PSM initialization code will
@@ -147,20 +136,16 @@ PKCS11ModuleDB::AddModule(const nsAStrin
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::FindModuleByName(const nsACString& name,
                          /*out*/ nsIPKCS11Module** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   UniqueSECMODModule mod(SECMOD_FindModule(PromiseFlatCString(name).get()));
   if (!mod) {
     return NS_ERROR_FAILURE;
@@ -171,20 +156,16 @@ PKCS11ModuleDB::FindModuleByName(const n
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
   if (!array) {
     return NS_ERROR_FAILURE;
@@ -214,32 +195,24 @@ PKCS11ModuleDB::ListModules(nsISimpleEnu
   return array->Enumerate(_retval);
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS)
 {
   NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ToggleFIPSMode()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
   // delete the internal module, and it gets replaced with the opposite module
   // (i.e. if it was FIPS before, then it becomes non-FIPS next).
   // SECMOD_GetInternalModule() returns a pointer to a local copy of the
   // internal module stashed in NSS.  We don't want to delete it since it will
   // cause much pain in NSS.
   SECMODModule* internal = SECMOD_GetInternalModule();
   if (!internal) {
@@ -257,17 +230,13 @@ PKCS11ModuleDB::ToggleFIPSMode()
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled)
 {
   NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   *aIsFIPSEnabled = PK11_IsFIPS();
   return NS_OK;
 }
 
 } } // namespace mozilla::psm
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1559,81 +1559,77 @@ SSLServerCertVerificationJob::Run()
 {
   // Runs on a cert verification thread
 
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
 
   PRErrorCode error;
 
-  if (mInfoObject->isAlreadyShutDown()) {
-    error = SEC_ERROR_USER_CANCELLED;
-  } else {
-    Telemetry::HistogramID successTelemetry
-      = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
-    Telemetry::HistogramID failureTelemetry
-      = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
+  Telemetry::HistogramID successTelemetry
+    = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
+  Telemetry::HistogramID failureTelemetry
+    = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
-    // Reset the error code here so we can detect if AuthCertificate fails to
-    // set the error code if/when it fails.
-    PR_SetError(0, 0);
-    SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
-                                   mPeerCertChain, mStapledOCSPResponse.get(),
-                                   mSCTsFromTLSExtension.get(),
-                                   mProviderFlags, mTime);
-    MOZ_ASSERT(mPeerCertChain || rv != SECSuccess,
-               "AuthCertificate() should take ownership of chain on failure");
-    if (rv == SECSuccess) {
-      uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
-      RefPtr<SSLServerCertVerificationResult> restart(
-        new SSLServerCertVerificationResult(mInfoObject, 0,
-                                            successTelemetry, interval));
-      restart->Dispatch();
-      Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
-      return NS_OK;
-    }
+  // Reset the error code here so we can detect if AuthCertificate fails to
+  // set the error code if/when it fails.
+  PR_SetError(0, 0);
+  SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
+                                 mPeerCertChain, mStapledOCSPResponse.get(),
+                                 mSCTsFromTLSExtension.get(),
+                                 mProviderFlags, mTime);
+  MOZ_ASSERT(mPeerCertChain || rv != SECSuccess,
+             "AuthCertificate() should take ownership of chain on failure");
+  if (rv == SECSuccess) {
+    uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
+    RefPtr<SSLServerCertVerificationResult> restart(
+      new SSLServerCertVerificationResult(mInfoObject, 0,
+                                          successTelemetry, interval));
+    restart->Dispatch();
+    Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
+    return NS_OK;
+  }
 
-    // Note: the interval is not calculated once as PR_GetError MUST be called
-    // before any other  function call
-    error = PR_GetError();
+  // Note: the interval is not calculated once as PR_GetError MUST be called
+  // before any other  function call
+  error = PR_GetError();
+
+  TimeStamp now = TimeStamp::Now();
+  Telemetry::AccumulateTimeDelta(failureTelemetry, mJobStartTime, now);
 
-    TimeStamp now = TimeStamp::Now();
-    Telemetry::AccumulateTimeDelta(failureTelemetry, mJobStartTime, now);
-
-    if (error != 0) {
-      RefPtr<CertErrorRunnable> runnable(
-          CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert,
-                                  mFdForLogging, mProviderFlags, mPRTime));
-      if (!runnable) {
-        // CreateCertErrorRunnable set a new error code
-        error = PR_GetError();
-      } else {
-        // We must block the the socket transport service thread while the
-        // main thread executes the CertErrorRunnable. The CertErrorRunnable
-        // will dispatch the result asynchronously, so we don't have to block
-        // this thread waiting for it.
+  if (error != 0) {
+    RefPtr<CertErrorRunnable> runnable(
+        CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert,
+                                mFdForLogging, mProviderFlags, mPRTime));
+    if (!runnable) {
+      // CreateCertErrorRunnable set a new error code
+      error = PR_GetError();
+    } else {
+      // We must block the the socket transport service thread while the
+      // main thread executes the CertErrorRunnable. The CertErrorRunnable
+      // will dispatch the result asynchronously, so we don't have to block
+      // this thread waiting for it.
 
-        MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-                ("[%p][%p] Before dispatching CertErrorRunnable\n",
-                mFdForLogging, runnable.get()));
+      MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+              ("[%p][%p] Before dispatching CertErrorRunnable\n",
+              mFdForLogging, runnable.get()));
 
-        nsresult nrv;
-        nsCOMPtr<nsIEventTarget> stsTarget
-          = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
-        if (NS_SUCCEEDED(nrv)) {
-          nrv = stsTarget->Dispatch(new CertErrorRunnableRunnable(runnable),
-                                    NS_DISPATCH_NORMAL);
-        }
-        if (NS_SUCCEEDED(nrv)) {
-          return NS_OK;
-        }
+      nsresult nrv;
+      nsCOMPtr<nsIEventTarget> stsTarget
+        = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
+      if (NS_SUCCEEDED(nrv)) {
+        nrv = stsTarget->Dispatch(new CertErrorRunnableRunnable(runnable),
+                                  NS_DISPATCH_NORMAL);
+      }
+      if (NS_SUCCEEDED(nrv)) {
+        return NS_OK;
+      }
 
-        NS_ERROR("Failed to dispatch CertErrorRunnable");
-        error = PR_INVALID_STATE_ERROR;
-      }
+      NS_ERROR("Failed to dispatch CertErrorRunnable");
+      error = PR_INVALID_STATE_ERROR;
     }
   }
 
   if (error == 0) {
     MOZ_ASSERT_UNREACHABLE("No error set during certificate validation failure");
     error = PR_INVALID_STATE_ERROR;
   }
 
--- a/security/manager/ssl/SecretDecoderRing.cpp
+++ b/security/manager/ssl/SecretDecoderRing.cpp
@@ -61,30 +61,22 @@ void BackgroundSdrEncryptStrings(const n
 }
 
 SecretDecoderRing::SecretDecoderRing()
 {
 }
 
 SecretDecoderRing::~SecretDecoderRing()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 SecretDecoderRing::Encrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Make sure token is initialized. */
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsresult rv = setPassword(slot.get(), ctx);
@@ -111,20 +103,16 @@ SecretDecoderRing::Encrypt(const nsACStr
 
   result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len);
   return NS_OK;
 }
 
 nsresult
 SecretDecoderRing::Decrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   /* Find token with SDR key */
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Force authentication */
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
@@ -223,20 +211,16 @@ SecretDecoderRing::DecryptString(const n
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::ChangePassword()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot.get()));
 
   nsCOMPtr<nsITokenPasswordDialogs> dialogs;
@@ -250,57 +234,39 @@ SecretDecoderRing::ChangePassword()
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   bool canceled; // Ignored
   return dialogs->SetPassword(ctx, tokenName, &canceled);
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::Logout()
 {
-  static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
-
-  nsresult rv;
-  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv))
-    return rv;
-
-  {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
-    PK11_LogoutAll();
-    SSL_ClearSessionCache();
-  }
-
+  PK11_LogoutAll();
+  SSL_ClearSessionCache();
   return NS_OK;
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::LogoutAndTeardown()
 {
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
+  PK11_LogoutAll();
+  SSL_ClearSessionCache();
+
   nsresult rv;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv))
+  if (NS_FAILED(rv)) {
     return rv;
-
-  {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
-    PK11_LogoutAll();
-    SSL_ClearSessionCache();
   }
 
   rv = nssComponent->LogoutAuthenticatedPK11();
 
   // After we just logged out, we need to prune dead connections to make
   // sure that all connections that should be stopped, are stopped. See
   // bug 517584.
   nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
-  if (os)
+  if (os) {
     os->NotifyObservers(nullptr, "net:prune-dead-connections", nullptr);
+  }
 
   return rv;
 }
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -45,19 +45,16 @@ TransportSecurityInfo::TransportSecurity
   , mErrorCode(0)
   , mErrorMessageType(SSLErrorMessageType::Plain)
   , mPort(0)
 {
 }
 
 TransportSecurityInfo::~TransportSecurityInfo()
 {
-  if (isAlreadyShutDown())
-    return;
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 TransportSecurityInfo::virtualDestroyNSSReference()
 {
 }
 
@@ -1035,19 +1032,15 @@ TransportSecurityInfo::GetFailedCertChai
   NS_IF_ADDREF(*_result);
 
   return NS_OK;
 }
 
 nsresult
 TransportSecurityInfo::SetFailedCertChain(UniqueCERTCertList certList)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // nsNSSCertList takes ownership of certList
   mFailedCertChain = new nsNSSCertList(Move(certList));
 
   return NS_OK;
 }
 
 } } // namespace mozilla::psm
--- a/security/manager/ssl/nsCryptoHash.cpp
+++ b/security/manager/ssl/nsCryptoHash.cpp
@@ -33,19 +33,16 @@ static const uint64_t STREAM_BUFFER_SIZE
 nsCryptoHash::nsCryptoHash()
   : mHashContext(nullptr)
   , mInitialized(false)
 {
 }
 
 nsCryptoHash::~nsCryptoHash()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsCryptoHash::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -57,20 +54,16 @@ nsCryptoHash::destructorSafeDestroyNSSRe
   mHashContext = nullptr;
 }
 
 NS_IMPL_ISUPPORTS(nsCryptoHash, nsICryptoHash)
 
 NS_IMETHODIMP
 nsCryptoHash::Init(uint32_t algorithm)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   HASH_HashType hashType;
   switch (algorithm) {
     case nsICryptoHash::MD2:
       hashType = HASH_AlgMD2; break;
     case nsICryptoHash::MD5:
       hashType = HASH_AlgMD5; break;
     case nsICryptoHash::SHA1:
       hashType = HASH_AlgSHA1; break;
@@ -129,35 +122,27 @@ nsCryptoHash::InitWithString(const nsACS
     return Init(nsICryptoHash::SHA512);
 
   return NS_ERROR_INVALID_ARG;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Update(const uint8_t *data, uint32_t len)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   HASH_Update(mHashContext.get(), data, len);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::UpdateFromStream(nsIInputStream *data, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!data)
     return NS_ERROR_INVALID_ARG;
 
   uint64_t n;
   nsresult rv = data->Available(&n);
@@ -200,20 +185,16 @@ nsCryptoHash::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Finish(bool ascii, nsACString & _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   uint32_t hashLen = 0;
   unsigned char buffer[HASH_LENGTH_MAX];
   HASH_End(mHashContext.get(), buffer, &hashLen, HASH_LENGTH_MAX);
 
@@ -236,19 +217,16 @@ NS_IMPL_ISUPPORTS(nsCryptoHMAC, nsICrypt
 
 nsCryptoHMAC::nsCryptoHMAC()
   : mHMACContext(nullptr)
 {
 }
 
 nsCryptoHMAC::~nsCryptoHMAC()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsCryptoHMAC::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -258,20 +236,16 @@ void
 nsCryptoHMAC::destructorSafeDestroyNSSReference()
 {
   mHMACContext = nullptr;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Init(uint32_t aAlgorithm, nsIKeyObject *aKeyObject)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (mHMACContext) {
     mHMACContext = nullptr;
   }
 
   CK_MECHANISM_TYPE mechType;
   switch (aAlgorithm) {
     case nsICryptoHMAC::MD5:
       mechType = CKM_MD5_HMAC; break;
@@ -314,40 +288,32 @@ nsCryptoHMAC::Init(uint32_t aAlgorithm, 
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Update(const uint8_t *aData, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aData)
     return NS_ERROR_INVALID_ARG;
 
   if (PK11_DigestOp(mHMACContext.get(), aData, aLen) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::UpdateFromStream(nsIInputStream *aStream, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aStream)
     return NS_ERROR_INVALID_ARG;
 
   uint64_t n;
   nsresult rv = aStream->Available(&n);
@@ -393,20 +359,16 @@ nsCryptoHMAC::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Finish(bool aASCII, nsACString & _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   uint32_t hashLen = 0;
   unsigned char buffer[HASH_LENGTH_MAX];
   SECStatus srv = PK11_DigestFinal(mHMACContext.get(), buffer, &hashLen,
                                    HASH_LENGTH_MAX);
   if (srv != SECSuccess) {
@@ -420,18 +382,14 @@ nsCryptoHMAC::Finish(bool aASCII, nsACSt
 
   _retval.Assign(BitwiseCast<char*>(buffer), hashLen);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Reset()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (PK11_DigestBegin(mHMACContext.get()) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
--- a/security/manager/ssl/nsDataSignatureVerifier.cpp
+++ b/security/manager/ssl/nsDataSignatureVerifier.cpp
@@ -26,35 +26,27 @@ const SEC_ASN1Template CERT_SignatureDat
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), },
     { SEC_ASN1_BIT_STRING,
         offsetof(CERTSignedData,signature), },
     { 0, }
 };
 
 nsDataSignatureVerifier::~nsDataSignatureVerifier()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsDataSignatureVerifier::VerifyData(const nsACString& aData,
                                     const nsACString& aSignature,
                                     const nsACString& aPublicKey,
                                     bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // Allocate an arena to handle the majority of the allocations
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   // Base 64 decode the key
   // For compatibility reasons we need to remove all whitespace first, since
--- a/security/manager/ssl/nsKeyModule.cpp
+++ b/security/manager/ssl/nsKeyModule.cpp
@@ -14,19 +14,16 @@ NS_IMPL_ISUPPORTS(nsKeyObject, nsIKeyObj
 
 nsKeyObject::nsKeyObject()
   : mSymKey(nullptr)
 {
 }
 
 nsKeyObject::~nsKeyObject()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsKeyObject::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -43,37 +40,29 @@ nsKeyObject::destructorSafeDestroyNSSRef
 
 NS_IMETHODIMP
 nsKeyObject::InitKey(int16_t aAlgorithm, PK11SymKey* aKey)
 {
   if (!aKey || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   mSymKey.reset(aKey);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsKeyObject::GetKeyObj(PK11SymKey** _retval)
 {
   if (!_retval) {
     return NS_ERROR_INVALID_ARG;
   }
 
   *_retval = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mSymKey) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   *_retval = mSymKey.get();
   return NS_OK;
 }
 
@@ -93,34 +82,27 @@ nsKeyObject::GetType(int16_t *_retval)
 NS_IMPL_ISUPPORTS(nsKeyObjectFactory, nsIKeyObjectFactory)
 
 nsKeyObjectFactory::nsKeyObjectFactory()
 {
 }
 
 nsKeyObjectFactory::~nsKeyObjectFactory()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString& aKey,
                                   nsIKeyObject** _retval)
 {
   if (!_retval || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   CK_MECHANISM_TYPE cipherMech = CKM_GENERIC_SECRET_KEY_GEN;
   CK_ATTRIBUTE_TYPE cipherOperation = CKA_SIGN;
 
   nsresult rv;
   nsCOMPtr<nsIKeyObject> key(
     do_CreateInstance(NS_KEYMODULEOBJECT_CONTRACTID, &rv));
   if (NS_FAILED(rv)) {
     return rv;
--- a/security/manager/ssl/nsKeygenHandler.cpp
+++ b/security/manager/ssl/nsKeygenHandler.cpp
@@ -217,20 +217,16 @@ NS_IMPL_ISUPPORTS(nsKeygenFormProcessor,
 
 nsKeygenFormProcessor::nsKeygenFormProcessor()
 {
    m_ctx = new PipUIContext();
 }
 
 nsKeygenFormProcessor::~nsKeygenFormProcessor()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 nsKeygenFormProcessor::Create(nsISupports* aOuter, const nsIID& aIID, void* *aResult)
 {
   if (GeckoProcessType_Content == XRE_GetProcessType()) {
     nsCOMPtr<nsISupports> contentProcessor = new nsKeygenFormProcessorContent();
@@ -269,20 +265,16 @@ nsKeygenFormProcessor::Init()
   mSECKeySizeChoiceList[1].size = 1024;
 
   return NS_OK;
 }
 
 nsresult
 nsKeygenFormProcessor::GetSlot(uint32_t aMechanism, PK11SlotInfo** aSlot)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return GetSlotWithMechanism(aMechanism, m_ctx, aSlot);
 }
 
 uint32_t MapGenMechToAlgoMech(uint32_t mechanism)
 {
     uint32_t searchMech;
 
     /* We are interested in slots based on the ability to perform
@@ -419,20 +411,16 @@ loser:
 
 nsresult
 nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
                                     const nsAString& aChallenge,
                                     const nsString& aKeyType,
                                     nsAString& aOutPublicKey,
                                     const nsAString& aKeyParams)
 {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
     nsresult rv = NS_ERROR_FAILURE;
     nsAutoCString keystring;
     char *keyparamsString = nullptr;
     uint32_t keyGenMechanism;
     PK11SlotInfo *slot = nullptr;
     PK11RSAGenParams rsaParams;
     mozilla::UniqueSECItem ecParams;
     SECOidTag algTag;
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -748,30 +748,22 @@ public:
   virtual void RunOnTargetThread() override;
 private:
   PK11SlotInfo* const mSlot; // in
   nsIInterfaceRequestor* const mIR; // in
 };
 
 PK11PasswordPromptRunnable::~PK11PasswordPromptRunnable()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 PK11PasswordPromptRunnable::RunOnTargetThread()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   nsresult rv;
   nsCOMPtr<nsIPrompt> prompt;
   if (!mIR) {
     rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt));
     if (NS_FAILED(rv)) {
       return;
     }
   } else {
@@ -993,22 +985,16 @@ CanFalseStartCallback(PRFileDesc* fd, vo
   nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
   if (!infoObject) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   infoObject->SetFalseStartCallbackCalled();
 
-  if (infoObject->isAlreadyShutDown()) {
-    MOZ_CRASH("SSL socket used after NSS shut down");
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-    return SECFailure;
-  }
-
   PreliminaryHandshakeDone(fd);
 
   uint32_t reasonsForNotFalseStarting = 0;
 
   SSLChannelInfo channelInfo;
   if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) {
     return SECSuccess;
   }
--- a/security/manager/ssl/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -1829,19 +1829,16 @@ RegisterDynamicOids()
   }
   registered = true;
   return rv;
 }
 
 nsresult
 nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (RegisterDynamicOids() != SECSuccess)
     return NS_ERROR_FAILURE;
 
   //
   //   TBSCertificate  ::=  SEQUENCE  {
   //        version         [0]  EXPLICIT Version DEFAULT v1,
   //        serialNumber         CertificateSerialNumber,
   //        signature            AlgorithmIdentifier,
@@ -1976,19 +1973,16 @@ nsNSSCertificate::CreateTBSCertificateAS
   }
   sequence.forget(retSequence);
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::CreateASN1Struct(nsIASN1Object** aRetVal)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsCOMPtr<nsIASN1Sequence> sequence = new nsNSSASN1Sequence();
 
   nsCOMPtr<nsIMutableArray> asn1Objects;
   sequence->GetASN1Objects(getter_AddRefs(asn1Objects));
 
   nsAutoString displayName;
   nsresult rv = GetDisplayName(displayName);
   if (NS_FAILED(rv)) {
--- a/security/manager/ssl/nsNSSCertValidity.cpp
+++ b/security/manager/ssl/nsNSSCertValidity.cpp
@@ -17,31 +17,23 @@ nsX509CertValidity::nsX509CertValidity(c
   , mNotAfter(0)
   , mTimesInitialized(false)
 {
   MOZ_ASSERT(cert);
   if (!cert) {
     return;
   }
 
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
     mTimesInitialized = true;
   }
 }
 
 nsX509CertValidity::~nsX509CertValidity()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsX509CertValidity::GetNotBefore(PRTime* aNotBefore)
 {
   NS_ENSURE_ARG(aNotBefore);
 
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -85,19 +85,16 @@ nsNSSCertificate::ConstructFromDER(char*
   }
 
   return newObject;
 }
 
 bool
 nsNSSCertificate::InitFromDER(char* certDER, int derLen)
 {
-  if (isAlreadyShutDown())
-    return false;
-
   if (!certDER || !derLen)
     return false;
 
   CERTCertificate* aCert = CERT_DecodeCertFromPackage(certDER, derLen);
 
   if (!aCert)
     return false;
 
@@ -110,36 +107,30 @@ nsNSSCertificate::InitFromDER(char* cert
   return true;
 }
 
 nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert)
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
-  if (isAlreadyShutDown())
-    return;
-
   if (cert) {
     mCert.reset(CERT_DupCertificate(cert));
   }
 }
 
 nsNSSCertificate::nsNSSCertificate()
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
 }
 
 nsNSSCertificate::~nsNSSCertificate()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertificate::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -172,44 +163,35 @@ nsNSSCertificate::GetCertType(uint32_t* 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsSelfSigned(bool* aIsSelfSigned)
 {
   NS_ENSURE_ARG(aIsSelfSigned);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *aIsSelfSigned = mCert->isRoot;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot)
 {
   NS_ENSURE_ARG(aIsBuiltInRoot);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot);
   if (rv != pkix::Result::Success) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::MarkForPermDeletion()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // make sure user is logged in to the token
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
 
   if (mCert->slot && PK11_NeedLogin(mCert->slot) &&
       !PK11_NeedUserInit(mCert->slot) && !PK11_IsInternal(mCert->slot)) {
     if (SECSuccess != PK11_Authenticate(mCert->slot, true, ctx)) {
       return NS_ERROR_FAILURE;
     }
@@ -298,19 +280,16 @@ nsNSSCertificate::GetKeyUsages(nsAString
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDbKey(nsACString& aDbKey)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   return GetDbKey(mCert, aDbKey);
 }
 
 nsresult
 nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey)
 {
   static_assert(sizeof(uint64_t) == 8, "type size sanity check");
   static_assert(sizeof(uint32_t) == 4, "type size sanity check");
@@ -338,20 +317,16 @@ nsNSSCertificate::GetDbKey(const UniqueC
              cert->derIssuer.len);
 
   return Base64Encode(buf, aDbKey);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDisplayName(nsAString& aDisplayName)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aDisplayName.Truncate();
 
   MOZ_ASSERT(mCert, "mCert should not be null in GetDisplayName");
   if (!mCert) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));
@@ -406,38 +381,32 @@ nsNSSCertificate::GetDisplayName(nsAStri
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mCert->emailAddr) {
     CopyUTF8toUTF16(mCert->emailAddr, aEmailAddress);
   } else {
     nsresult rv;
     nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
     if (NS_FAILED(rv) || !nssComponent) {
       return NS_ERROR_FAILURE;
     }
     nssComponent->GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddresses(uint32_t* aLength, char16_t*** aAddresses)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aAddresses);
 
   *aLength = 0;
 
   const char* aAddr;
   for (aAddr = CERT_GetFirstEmailAddress(mCert.get())
        ;
@@ -464,19 +433,16 @@ nsNSSCertificate::GetEmailAddresses(uint
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress,
                                        bool* result)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(result);
   *result = false;
 
   const char* aAddr = nullptr;
   for (aAddr = CERT_GetFirstEmailAddress(mCert.get())
        ;
        aAddr
        ;
@@ -497,99 +463,81 @@ nsNSSCertificate::ContainsEmailAddress(c
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetCommonName(nsAString& aCommonName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganization(nsAString& aOrganization)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->subject));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->issuer));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->issuer));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganizationUnit.Truncate();
   if (mCert) {
     UniquePORTString organizationUnit(CERT_GetOrgUnitName(&mCert->issuer));
     if (organizationUnit) {
       aOrganizationUnit = NS_ConvertUTF8toUTF16(organizationUnit.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuer(nsIX509Cert** aIssuer)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aIssuer);
   *aIssuer = nullptr;
 
   nsCOMPtr<nsIArray> chain;
   nsresult rv;
   rv = GetChain(getter_AddRefs(chain));
   NS_ENSURE_SUCCESS(rv, rv);
   uint32_t length;
@@ -606,19 +554,16 @@ nsNSSCertificate::GetIssuer(nsIX509Cert*
   }
   cert.forget(aIssuer);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganizationalUnit.Truncate();
   if (mCert) {
     UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject));
     if (orgunit) {
       aOrganizationalUnit = NS_ConvertUTF8toUTF16(orgunit.get());
     }
   }
   return NS_OK;
@@ -650,19 +595,16 @@ UniqueCERTCertListToMutableArray(/*in*/ 
 
   array.forget(x509CertArray);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetChain(nsIArray** _rvChain)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(_rvChain);
 
   mozilla::pkix::Time now(mozilla::pkix::Now());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
   UniqueCERTCertList nssChain;
@@ -694,61 +636,48 @@ nsNSSCertificate::GetChain(nsIArray** _r
     return NS_ERROR_FAILURE;
   }
   return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSubjectName(nsAString& _subjectName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _subjectName.Truncate();
   if (mCert->subjectName) {
     _subjectName = NS_ConvertUTF8toUTF16(mCert->subjectName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerName(nsAString& _issuerName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _issuerName.Truncate();
   if (mCert->issuerName) {
     _issuerName = NS_ConvertUTF8toUTF16(mCert->issuerName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _serialNumber.Truncate();
   UniquePORTString tmpstr(CERT_Hexify(&mCert->serialNumber, 1));
   if (tmpstr) {
     _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get());
     return NS_OK;
   }
   return NS_ERROR_FAILURE;
 }
 
 nsresult
 nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aFingerprint.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data,
                                  mCert->derCert.len);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
@@ -772,19 +701,16 @@ NS_IMETHODIMP
 nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
 {
   return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetTokenName(nsAString& aTokenName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aTokenName.Truncate();
   if (mCert) {
     // HACK alert
     // When the trust of a builtin cert is modified, NSS copies it into the
     // cert db.  At this point, it is now "managed" by the user, and should
     // not be listed with the builtins.  However, in the collection code
     // used by PK11_ListCerts, the cert is found in the temp db, where it
     // has been loaded from the token.  Though the trust is correct (grabbed
@@ -806,20 +732,16 @@ nsNSSCertificate::GetTokenName(nsAString
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest(nsACString& aSha256SPKIDigest)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aSha256SPKIDigest.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(SEC_OID_SHA256, mCert->derPublicKey.data,
                                  mCert->derPublicKey.len);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
   rv = Base64Encode(nsDependentCSubstring(
@@ -830,19 +752,16 @@ nsNSSCertificate::GetSha256SubjectPublic
     return rv;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetRawDER(uint32_t* aLength, uint8_t** aArray)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mCert) {
     *aArray = (uint8_t*)moz_xmalloc(mCert->derCert.len);
     if (*aArray) {
       memcpy(*aArray, mCert->derCert.data, mCert->derCert.len);
       *aLength = mCert->derCert.len;
       return NS_OK;
     }
   }
@@ -852,19 +771,16 @@ nsNSSCertificate::GetRawDER(uint32_t* aL
 
 NS_IMETHODIMP
 nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
                               uint32_t* aLength, uint8_t** aArray)
 {
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aArray);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   if (!mCert)
     return NS_ERROR_FAILURE;
 
@@ -977,28 +893,22 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   memcpy(*aArray, certP7.data, certP7.len);
   *aLength = certP7.len;
   return NS_OK;
 }
 
 CERTCertificate*
 nsNSSCertificate::GetCert()
 {
-  if (isAlreadyShutDown())
-    return nullptr;
-
   return (mCert) ? CERT_DupCertificate(mCert.get()) : nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aValidity);
 
   if (!mCert) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509CertValidity> validity = new nsX509CertValidity(mCert);
   validity.forget(aValidity);
@@ -1013,19 +923,16 @@ nsNSSCertificate::GetASN1Structure(nsIAS
     return NS_ERROR_NOT_SAME_THREAD;
   }
   return CreateASN1Struct(aASN1Structure);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::Equals(nsIX509Cert* other, bool* result)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
   UniqueCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
   return NS_OK;
 }
 
@@ -1088,19 +995,16 @@ nsNSSCertList::nsNSSCertList(UniqueCERTC
 
 nsNSSCertList::nsNSSCertList()
 {
   mCertList = UniqueCERTCertList(CERT_NewCertList());
 }
 
 nsNSSCertList::~nsNSSCertList()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertList::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -1114,19 +1018,16 @@ nsNSSCertList*
 nsNSSCertList::GetCertList()
 {
   return this;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert* aCert)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   // We need an owning handle when calling nsIX509Cert::GetCert().
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
@@ -1167,29 +1068,22 @@ nsNSSCertList::DupCertList(const UniqueC
     Unused << cert.release(); // Ownership transferred to the cert list.
   }
   return newList;
 }
 
 CERTCertList*
 nsNSSCertList::GetRawCertList()
 {
-  if (isAlreadyShutDown()) {
-    return nullptr;
-  }
   return mCertList.get();
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Write(nsIObjectOutputStream* aStream)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   // First, enumerate the certs to get the length of the list
   uint32_t certListLen = 0;
   CERTCertListNode* node = nullptr;
   for (node = CERT_LIST_HEAD(mCertList);
        !CERT_LIST_END(node, mCertList);
@@ -1219,20 +1113,16 @@ nsNSSCertList::Write(nsIObjectOutputStre
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Read(nsIObjectInputStream* aStream)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   uint32_t certListLen;
   rv = aStream->Read32(&certListLen);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -1252,38 +1142,30 @@ nsNSSCertList::Read(nsIObjectInputStream
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::GetEnumerator(nsISimpleEnumerator** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mCertList) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsISimpleEnumerator> enumerator =
     new nsNSSCertListEnumerator(mCertList);
 
   enumerator.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Equals(nsIX509CertList* other, bool* result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_ARG(result);
   *result = true;
 
   nsresult rv;
 
   nsCOMPtr<nsISimpleEnumerator> selfEnumerator;
   rv = GetEnumerator(getter_AddRefs(selfEnumerator));
   if (NS_FAILED(rv)) {
@@ -1428,19 +1310,16 @@ nsNSSCertListEnumerator::nsNSSCertListEn
   const UniqueCERTCertList& certList)
 {
   MOZ_ASSERT(certList);
   mCertList = nsNSSCertList::DupCertList(certList);
 }
 
 nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertListEnumerator::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -1448,33 +1327,25 @@ void nsNSSCertListEnumerator::virtualDes
 void nsNSSCertListEnumerator::destructorSafeDestroyNSSReference()
 {
   mCertList = nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::HasMoreElements(bool* _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   *_retval = !CERT_LIST_EMPTY(mCertList);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::GetNext(nsISupports** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   CERTCertListNode* node = CERT_LIST_HEAD(mCertList);
   if (CERT_LIST_END(node, mCertList)) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(node->cert);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -54,38 +54,30 @@ using namespace mozilla::psm;
 using mozilla::psm::SharedSSLState;
 
 extern LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey,
                             /*out*/ nsIX509Cert** _cert)
 {
   NS_ENSURE_ARG_POINTER(_cert);
   *_cert = nullptr;
 
   if (aDBKey.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   UniqueCERTCertificate cert;
   rv = FindCertByDBKey(aDBKey, cert);
   if (NS_FAILED(rv)) {
@@ -428,20 +420,16 @@ nsNSSCertificateDB::handleCACertDownload
   return ImportCertsIntoPermanentStorage(certList);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
                                        uint32_t type,
                                        nsIInterfaceRequestor* ctx)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // We currently only handle CA certificates.
   if (type != nsIX509Cert::CA_CERT) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -535,20 +523,16 @@ ImportCertsIntoTempStorage(int numcerts,
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
                                            nsIInterfaceRequestor* ctx)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length);
   if (!certCollection) {
     return NS_ERROR_FAILURE;
@@ -624,20 +608,16 @@ NS_IMETHODIMP
 nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length,
                                           nsIInterfaceRequestor* ctx)
 {
   if (!NS_IsMainThread()) {
     NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread");
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length);
   if (!collectArgs) {
     return NS_ERROR_FAILURE;
@@ -693,19 +673,16 @@ nsNSSCertificateDB::ImportUserCertificat
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   NS_ENSURE_ARG_POINTER(aCert);
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     return NS_ERROR_FAILURE;
   }
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
   aCert->GetCertType(&certType);
@@ -738,20 +715,16 @@ nsNSSCertificateDB::DeleteCertificate(ns
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
                                  uint32_t type,
                                  uint32_t trusted)
 {
   NS_ENSURE_ARG_POINTER(cert);
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSCertTrust trust;
   switch (type) {
     case nsIX509Cert::CA_CERT:
       trust.SetValidCA();
       trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
                        !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
       break;
     case nsIX509Cert::SERVER_CERT:
@@ -778,20 +751,16 @@ NS_IMETHODIMP
 nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
                                   uint32_t certType,
                                   uint32_t trustType,
                                   bool *_isTrusted)
 {
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   SECStatus srv;
   UniqueCERTCertificate nsscert(cert->GetCert());
   CERTCertTrust nsstrust;
@@ -827,20 +796,16 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   } /* user: ignore */
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_ARG(aFile);
   switch (aType) {
     case nsIX509Cert::CA_CERT:
     case nsIX509Cert::EMAIL_CERT:
       // good
       break;
 
     default:
@@ -886,19 +851,16 @@ nsNSSCertificateDB::ImportCertsFromFile(
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   NS_ENSURE_ARG(aFile);
   nsPKCS12Blob blob;
   rv = blob.ImportFromFile(aFile);
@@ -914,19 +876,16 @@ nsNSSCertificateDB::ImportPKCS12File(nsI
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ExportPKCS12File(nsIFile* aFile, uint32_t count,
                                      nsIX509Cert** certs)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   NS_ENSURE_ARG(aFile);
   if (count == 0) {
     return NS_OK;
@@ -934,20 +893,16 @@ nsNSSCertificateDB::ExportPKCS12File(nsI
   nsPKCS12Blob blob;
   return blob.ExportToFile(aFile, certs, count);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByEmailAddress(const nsACString& aEmailAddress,
                                            nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
@@ -994,19 +949,16 @@ nsNSSCertificateDB::FindCertByEmailAddre
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64,
                                     /*out*/ nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (!_retval) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   // Base64Decode() doesn't consider a zero length input as an error, and just
   // returns the empty string. We don't want this behavior, so the below check
   // catches this case.
   if (base64.Length() < 1) {
@@ -1021,19 +973,16 @@ nsNSSCertificateDB::ConstructX509FromBas
 
   return ConstructX509(certDER, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509(const nsACString& certDER,
                                   nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (NS_WARN_IF(!_retval)) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   SECItem certData;
   certData.type = siDERCertBuffer;
   certData.data = BitwiseCast<unsigned char*, const char*>(certDER.BeginReading());
   certData.len = certDER.Length();
@@ -1164,20 +1113,16 @@ nsNSSCertificateDB::AddCertFromBase64(co
                                       nsIX509Cert** addedCertificate)
 {
   MOZ_ASSERT(addedCertificate);
   if (!addedCertificate) {
     return NS_ERROR_INVALID_ARG;
   }
   *addedCertificate = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSCertTrust trust;
   if (CERT_DecodeTrustString(&trust.GetTrust(), PromiseFlatCString(aTrust).get())
         != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509Cert> newCert;
   nsresult rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
@@ -1248,20 +1193,16 @@ nsNSSCertificateDB::SetCertTrustFromStri
 
   srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr);
   return MapSECStatus(srv);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
@@ -1284,20 +1225,16 @@ nsNSSCertificateDB::GetEnterpriseRoots(n
 {
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
 #ifdef XP_WIN
   nsCOMPtr<nsINSSComponent> psm(do_GetService(PSM_COMPONENT_CONTRACTID));
   if (!psm) {
     return NS_ERROR_FAILURE;
   }
   return psm->GetEnterpriseRoots(enterpriseRoots);
 #else
   return NS_ERROR_NOT_IMPLEMENTED;
@@ -1379,39 +1316,31 @@ NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
                                   int64_t /*SECCertificateUsage*/ aUsage,
                                   uint32_t aFlags,
                                   const nsACString& aHostname,
                                   nsIX509CertList** aVerifiedChain,
                                   bool* aHasEVPolicy,
                                   int32_t* /*PRErrorCode*/ _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::Now(),
                             aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert,
                                      int64_t /*SECCertificateUsage*/ aUsage,
                                      uint32_t aFlags,
                                      const nsACString& aHostname,
                                      uint64_t aTime,
                                      nsIX509CertList** aVerifiedChain,
                                      bool* aHasEVPolicy,
                                      int32_t* /*PRErrorCode*/ _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::TimeFromEpochInSeconds(aTime),
                             aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 class VerifyCertAtTimeTask final : public CryptoTask
 {
 public:
@@ -1471,29 +1400,22 @@ private:
 NS_IMETHODIMP
 nsNSSCertificateDB::AsyncVerifyCertAtTime(nsIX509Cert* aCert,
                                           int64_t /*SECCertificateUsage*/ aUsage,
                                           uint32_t aFlags,
                                           const nsACString& aHostname,
                                           uint64_t aTime,
                                           nsICertVerificationCallback* aCallback)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(aCert, aUsage,
                                                              aFlags, aHostname,
                                                              aTime, aCallback));
   return task->Dispatch("VerifyCert");
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ClearOCSPCache()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
   certVerifier->ClearOCSPCache();
   return NS_OK;
 }
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -817,21 +817,16 @@ nsNSSComponent::GetEnterpriseRoots(nsIX5
 {
   MutexAutoLock nsNSSComponentLock(mMutex);
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
-  // nsNSSComponent isn't a nsNSSShutDownObject, so we can't check
-  // isAlreadyShutDown(). However, since mEnterpriseRoots is cleared when NSS
-  // shuts down, we can use that as a proxy for checking for NSS shutdown.
-  // (Of course, it may also be the case that no enterprise roots were imported,
-  // so we should just return a null list and NS_OK in this case.)
   if (!mEnterpriseRoots) {
     *enterpriseRoots = nullptr;
     return NS_OK;
   }
   UniqueCERTCertList enterpriseRootsCopy(
     nsNSSCertList::DupCertList(mEnterpriseRoots));
   if (!enterpriseRootsCopy) {
     return NS_ERROR_FAILURE;
@@ -998,19 +993,16 @@ private:
   NS_IMETHOD Run() override;
   nsresult LoadLoadableRoots();
   RefPtr<nsNSSComponent> mNSSComponent;
   nsCOMPtr<nsIThread> mThread;
 };
 
 LoadLoadableRootsTask::~LoadLoadableRootsTask()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 LoadLoadableRootsTask::Dispatch()
 {
   // Can't add 'this' as the event to run, since mThread may not be set yet
   nsresult rv = NS_NewNamedThread("LoadRoots", getter_AddRefs(mThread),
@@ -1022,20 +1014,16 @@ LoadLoadableRootsTask::Dispatch()
 
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 LoadLoadableRootsTask::Run()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = LoadLoadableRoots();
   if (NS_FAILED(rv)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed"));
     // We don't return rv here because then BlockUntilLoadableRootsLoaded will
     // just wait forever. Instead we'll save its value (below) so we can inform
     // code that relies on the roots module being present that loading it
     // failed.
   }
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -353,20 +353,16 @@ nsNSSSocketInfo::GetNegotiatedNPN(nsACSt
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::GetAlpnEarlySelection(nsACString& aAlpnSelected)
 {
   aAlpnSelected.Truncate();
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   SSLPreliminaryChannelInfo info;
   SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info));
   if (rv != SECSuccess || !info.canSendEarlyData) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SSLNextProtoState alpnState;
   unsigned char chosenAlpn[MAX_ALPN_LENGTH];
@@ -397,19 +393,16 @@ void
 nsNSSSocketInfo::SetEarlyDataAccepted(bool aAccepted)
 {
   mEarlyDataAccepted = aAccepted;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::DriveHandshake()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (!mFd) {
     return NS_ERROR_FAILURE;
   }
   PRErrorCode errorCode = GetErrorCode();
   if (errorCode) {
     return GetXPCOMFromNSSError(errorCode);
   }
 
@@ -579,18 +572,16 @@ NS_IMETHODIMP
 nsNSSSocketInfo::StartTLS()
 {
   return ActivateSSL();
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::SetNPNList(nsTArray<nsCString>& protocolArray)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
   if (!mFd)
     return NS_ERROR_FAILURE;
 
   // the npn list is a concatenated list of 8 bit byte strings.
   nsCString npnList;
 
   for (uint32_t index = 0; index < protocolArray.Length(); ++index) {
     if (protocolArray[index].IsEmpty() ||
@@ -608,19 +599,16 @@ nsNSSSocketInfo::SetNPNList(nsTArray<nsC
     return NS_ERROR_FAILURE;
 
   return NS_OK;
 }
 
 nsresult
 nsNSSSocketInfo::ActivateSSL()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true))
     return NS_ERROR_FAILURE;
   if (SECSuccess != SSL_ResetHandshake(mFd, false))
     return NS_ERROR_FAILURE;
 
   mHandshakePending = true;
 
   return NS_OK;
@@ -752,21 +740,16 @@ getSocketInfoIfRunning(PRFileDesc* fd, O
       fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) {
     NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning");
     PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0);
     return nullptr;
   }
 
   nsNSSSocketInfo* socketInfo = (nsNSSSocketInfo*) fd->secret;
 
-  if (socketInfo->isAlreadyShutDown()) {
-    PR_SetError(PR_SOCKET_SHUTDOWN_ERROR, 0);
-    return nullptr;
-  }
-
   if (socketInfo->GetErrorCode()) {
     PRErrorCode err = socketInfo->GetErrorCode();
     PR_SetError(err, 0);
     if (op == reading || op == writing) {
       // We must do TLS intolerance checks for reads and writes, for timeouts
       // in particular.
       (void) checkHandshake(-1, op == reading, fd, socketInfo);
     }
--- a/security/manager/ssl/nsNSSShutDown.h
+++ b/security/manager/ssl/nsNSSShutDown.h
@@ -19,15 +19,13 @@ public:
   };
 
   nsNSSShutDownObject() {}
 
   virtual ~nsNSSShutDownObject() {}
 
   void shutdown(ShutdownCalledFrom) {}
 
-  bool isAlreadyShutDown() const { return false; }
-
 protected:
   virtual void virtualDestroyNSSReference() = 0;
 };
 
 #endif // nsNSSShutDown_h
--- a/security/manager/ssl/nsPK11TokenDB.cpp
+++ b/security/manager/ssl/nsPK11TokenDB.cpp
@@ -21,20 +21,16 @@
 extern mozilla::LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token)
 
 nsPK11Token::nsPK11Token(PK11SlotInfo* slot)
   : mUIContext(new PipUIContext())
 {
   MOZ_ASSERT(slot);
-
-  if (isAlreadyShutDown())
-    return;
-
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
 
   Unused << refreshTokenInfo();
 }
 
 nsresult
 nsPK11Token::refreshTokenInfo()
@@ -79,19 +75,16 @@ nsPK11Token::refreshTokenInfo()
                          strnlen(ccSerial, sizeof(tokInfo.serialNumber)));
   mTokenSerialNum.Trim(" ", false, true);
 
   return NS_OK;
 }
 
 nsPK11Token::~nsPK11Token()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPK11Token::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -102,20 +95,16 @@ nsPK11Token::destructorSafeDestroyNSSRef
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPK11Token::GetAttributeHelper(const nsACString& attribute,
                         /*out*/ nsACString& xpcomOutParam)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // Handle removals/insertions.
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshTokenInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
@@ -158,31 +147,23 @@ nsPK11Token::GetTokenSerialNumber(/*out*
 {
   return GetAttributeHelper(mTokenSerialNum, tokenSerialNum);
 }
 
 NS_IMETHODIMP
 nsPK11Token::IsLoggedIn(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *_retval = PK11_IsLoggedIn(mSlot.get(), 0);
-
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::Login(bool force)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsresult rv;
   bool test;
   rv = this->NeedsLogin(&test);
   if (NS_FAILED(rv)) return rv;
   if (test && force) {
     rv = this->LogoutSimple();
     if (NS_FAILED(rv)) return rv;
   }
@@ -190,19 +171,16 @@ nsPK11Token::Login(bool force)
   if (NS_FAILED(rv)) return rv;
 
   return MapSECStatus(PK11_Authenticate(mSlot.get(), true, mUIContext));
 }
 
 NS_IMETHODIMP
 nsPK11Token::LogoutSimple()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // PK11_Logout() can fail if the user wasn't logged in beforehand. We want
   // this method to succeed even in this case, so we ignore the return value.
   Unused << PK11_Logout(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::LogoutAndDropAuthenticatedResources()
@@ -219,42 +197,31 @@ nsPK11Token::LogoutAndDropAuthenticatedR
     return rv;
 
   return nssComponent->LogoutAuthenticatedPK11();
 }
 
 NS_IMETHODIMP
 nsPK11Token::Reset()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   return MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit)
 {
   NS_ENSURE_ARG_POINTER(aNeedsUserInit);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::CheckPassword(const nsACString& password, bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   SECStatus srv =
     PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get());
   if (srv != SECSuccess) {
     *_retval =  false;
     PRErrorCode error = PR_GetError();
     if (error != SEC_ERROR_BAD_PASSWORD) {
       /* something really bad happened - throw an exception */
       return mozilla::psm::GetXPCOMFromNSSError(error);
@@ -263,20 +230,16 @@ nsPK11Token::CheckPassword(const nsACStr
     *_retval =  true;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::InitPassword(const nsACString& initialPassword)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
   // PSM initializes the sqlite-backed softoken with an empty password. The
   // implementation considers this not to be a password (GetHasPassword returns
   // false), but we can't actually call PK11_InitPin again. Instead, we call
   // PK11_ChangePW with the empty password.
   bool hasPassword;
   nsresult rv = GetHasPassword(&hasPassword);
   if (NS_FAILED(rv)) {
@@ -287,105 +250,78 @@ nsPK11Token::InitPassword(const nsACStri
   }
   return MapSECStatus(PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::ChangePassword(const nsACString& oldPassword,
                             const nsACString& newPassword)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // PK11_ChangePW() has different semantics for the empty string and for
   // nullptr. In order to support this difference, we need to check IsVoid() to
   // find out if our caller supplied null/undefined args or just empty strings.
   // See Bug 447589.
   return MapSECStatus(PK11_ChangePW(
     mSlot.get(),
     oldPassword.IsVoid() ? nullptr : PromiseFlatCString(oldPassword).get(),
     newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetHasPassword(bool* hasPassword)
 {
   NS_ENSURE_ARG_POINTER(hasPassword);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // PK11_NeedLogin returns true if the token is currently configured to require
   // the user to log in (whether or not the user is actually logged in makes no
   // difference).
   *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::NeedsLogin(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *_retval = PK11_NeedLogin(mSlot.get());
-
   return NS_OK;
 }
 
 /*=========================================================*/
 
 NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB)
 
 nsPK11TokenDB::nsPK11TokenDB()
 {
 }
 
 nsPK11TokenDB::~nsPK11TokenDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get());
   token.forget(_retval);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::FindTokenByName(const nsACString& tokenName,
                        /*out*/ nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   if (tokenName.IsEmpty()) {
     return NS_ERROR_ILLEGAL_VALUE;
   }
--- a/security/manager/ssl/nsPKCS11Slot.cpp
+++ b/security/manager/ssl/nsPKCS11Slot.cpp
@@ -21,20 +21,16 @@ using mozilla::LogLevel;
 
 extern mozilla::LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot)
 
 nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot)
 {
   MOZ_ASSERT(slot);
-
-  if (isAlreadyShutDown())
-    return;
-
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
   Unused << refreshSlotInfo();
 }
 
 nsresult
 nsPKCS11Slot::refreshSlotInfo()
 {
@@ -70,19 +66,16 @@ nsPKCS11Slot::refreshSlotInfo()
   mSlotFWVersion.Append('.');
   mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor);
 
   return NS_OK;
 }
 
 nsPKCS11Slot::~nsPKCS11Slot()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPKCS11Slot::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -93,37 +86,30 @@ nsPKCS11Slot::destructorSafeDestroyNSSRe
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute,
                          /*out*/ nsACString& xpcomOutParam)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
   xpcomOutParam = attribute;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetName(/*out*/ nsACString& name)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // |csn| is non-owning.
   char* csn = PK11_GetSlotName(mSlot.get());
   if (csn && *csn) {
     name = csn;
   } else if (PK11_HasRootCerts(mSlot.get())) {
     // This is a workaround to an Root Module bug - the root certs module has
     // no slot name.  Not bothering to localize, because this is a workaround
     // and for now all the slot names returned by NSS are char * anyway.
@@ -159,31 +145,24 @@ nsPKCS11Slot::GetFWVersion(/*out*/ nsACS
 {
   return GetAttributeHelper(mSlotFWVersion, fwVersion);
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get());
   token.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (!PK11_IsPresent(mSlot.get())) {
     tokenName.SetIsVoid(true);
     return NS_OK;
   }
 
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
@@ -194,20 +173,16 @@ nsPKCS11Slot::GetTokenName(/*out*/ nsACS
   tokenName = PK11_GetTokenName(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetStatus(uint32_t* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (PK11_IsDisabled(mSlot.get())) {
     *_retval = SLOT_DISABLED;
   } else if (!PK11_IsPresent(mSlot.get())) {
     *_retval = SLOT_NOT_PRESENT;
   } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) {
     *_retval = SLOT_UNINITIALIZED;
   } else if (PK11_NeedLogin(mSlot.get()) &&
              !PK11_IsLoggedIn(mSlot.get(), nullptr)) {
@@ -220,28 +195,21 @@ nsPKCS11Slot::GetStatus(uint32_t* _retva
   return NS_OK;
 }
 
 NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module)
 
 nsPKCS11Module::nsPKCS11Module(SECMODModule* module)
 {
   MOZ_ASSERT(module);
-
-  if (isAlreadyShutDown())
-    return;
-
   mModule.reset(SECMOD_ReferenceModule(module));
 }
 
 nsPKCS11Module::~nsPKCS11Module()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPKCS11Module::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -251,46 +219,37 @@ void
 nsPKCS11Module::destructorSafeDestroyNSSReference()
 {
   mModule = nullptr;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetName(/*out*/ nsACString& name)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   name = mModule->commonName;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetLibName(/*out*/ nsACString& libName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mModule->dllName) {
     libName = mModule->dllName;
   } else {
     libName.SetIsVoid(true);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::FindSlotByName(const nsACString& name,
                        /*out*/ nsIPKCS11Slot** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   const nsCString& flatName = PromiseFlatCString(name);
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"", flatName.get()));
   UniquePK11SlotInfo slotInfo;
   UniquePK11SlotList slotList(PK11_FindSlotsByNames(mModule->dllName,
                                                     flatName.get() /*slotName*/,
                                                     nullptr /*tokenName*/,
                                                     false));
   if (!slotList) {
@@ -316,19 +275,16 @@ nsPKCS11Module::FindSlotByName(const nsA
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
   if (!array) {
     return NS_ERROR_FAILURE;
--- a/security/manager/ssl/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@@ -37,20 +37,16 @@ nsPKCS12Blob::nsPKCS12Blob()
   , mTmpFile(nullptr)
 {
   mUIContext = new PipUIContext();
 }
 
 // destructor
 nsPKCS12Blob::~nsPKCS12Blob()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // nsPKCS12Blob::ImportFromFile
 //
 // Given a file handle, read a PKCS#12 blob from that file, decode it, and
 // import the results into the internal database.
 nsresult
--- a/security/manager/ssl/nsRandomGenerator.cpp
+++ b/security/manager/ssl/nsRandomGenerator.cpp
@@ -14,20 +14,16 @@ NS_IMPL_ISUPPORTS(nsRandomGenerator, nsI
 
 NS_IMETHODIMP
 nsRandomGenerator::GenerateRandomBytes(uint32_t aLength,
                                        uint8_t** aBuffer)
 {
   NS_ENSURE_ARG_POINTER(aBuffer);
   *aBuffer = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
 
   auto buf = static_cast<uint8_t*>(moz_xmalloc(aLength));
   if (!buf) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -41,13 +37,10 @@ nsRandomGenerator::GenerateRandomBytes(u
 
   *aBuffer = buf;
 
   return NS_OK;
 }
 
 nsRandomGenerator::~nsRandomGenerator()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
--- a/security/manager/ssl/nsSSLStatus.cpp
+++ b/security/manager/ssl/nsSSLStatus.cpp
@@ -390,39 +390,32 @@ nsSSLStatus::nsSSLStatus()
 , mHaveCertErrorBits(false)
 {
 }
 
 NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
 
 nsSSLStatus::~nsSSLStatus()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus)
 {
   MOZ_ASSERT(aServerCert);
 
   mServerCert = aServerCert;
   mIsEV = (aEVStatus == EVStatus::EV);
   mHasIsEVStatus = true;
 }
 
 nsresult
 nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // nsNSSCertList takes ownership of certList
   mSucceededCertChain = new nsNSSCertList(Move(aCertList));
 
   return NS_OK;
 }
 
 void
 nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList)
--- a/services/crypto/component/IdentityCryptoService.cpp
+++ b/services/crypto/component/IdentityCryptoService.cpp
@@ -54,19 +54,16 @@ public:
   NS_DECL_NSIIDENTITYKEYPAIR
 
   KeyPair(SECKEYPrivateKey* aPrivateKey, SECKEYPublicKey* aPublicKey,
           nsIEventTarget* aOperationThread);
 
 private:
   ~KeyPair() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -95,19 +92,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   KeyGenRunnable(KeyType keyType, nsIIdentityKeyGenCallback * aCallback,
                  nsIEventTarget* aOperationThread);
 
 private:
   ~KeyGenRunnable() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -132,19 +126,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   SignRunnable(const nsACString & textToSign, SECKEYPrivateKey * privateKey,
                nsIIdentitySignCallback * aCallback);
 
 private:
   ~SignRunnable() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -433,47 +424,43 @@ GenerateDSAKeyPair(PK11SlotInfo * slot,
   return GenerateKeyPair(slot, privateKey, publicKey, CKM_DSA_KEY_PAIR_GEN,
                          &pqgParams);
 }
 
 NS_IMETHODIMP
 KeyGenRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
+    // We always want to use the internal slot for BrowserID; in particular,
+    // we want to avoid smartcard slots.
+    PK11SlotInfo *slot = PK11_GetInternalSlot();
+    if (!slot) {
+      mRv = NS_ERROR_UNEXPECTED;
     } else {
-      // We always want to use the internal slot for BrowserID; in particular,
-      // we want to avoid smartcard slots.
-      PK11SlotInfo *slot = PK11_GetInternalSlot();
-      if (!slot) {
-        mRv = NS_ERROR_UNEXPECTED;
-      } else {
-        SECKEYPrivateKey *privk = nullptr;
-        SECKEYPublicKey *pubk = nullptr;
+      SECKEYPrivateKey *privk = nullptr;
+      SECKEYPublicKey *pubk = nullptr;
 
-        switch (mKeyType) {
-        case rsaKey:
-          mRv = GenerateRSAKeyPair(slot, &privk, &pubk);
-          break;
-        case dsaKey:
-          mRv = GenerateDSAKeyPair(slot, &privk, &pubk);
-          break;
-        default:
-          MOZ_CRASH("unknown key type");
-        }
+      switch (mKeyType) {
+      case rsaKey:
+        mRv = GenerateRSAKeyPair(slot, &privk, &pubk);
+        break;
+      case dsaKey:
+        mRv = GenerateDSAKeyPair(slot, &privk, &pubk);
+        break;
+      default:
+        MOZ_CRASH("unknown key type");
+      }
 
-        PK11_FreeSlot(slot);
+      PK11_FreeSlot(slot);
 
-        if (NS_SUCCEEDED(mRv)) {
-          MOZ_ASSERT(privk);
-          MOZ_ASSERT(pubk);
-      // mKeyPair will take over ownership of privk and pubk
-          mKeyPair = new KeyPair(privk, pubk, mThread);
-        }
+      if (NS_SUCCEEDED(mRv)) {
+        MOZ_ASSERT(privk);
+        MOZ_ASSERT(pubk);
+    // mKeyPair will take over ownership of privk and pubk
+        mKeyPair = new KeyPair(privk, pubk, mThread);
       }
     }
 
     NS_DispatchToMainThread(this);
   } else {
     // Back on Main Thread
     (void) mCallback->GenerateKeyPairFinished(mRv, mKeyPair);
   }
@@ -491,49 +478,45 @@ SignRunnable::SignRunnable(const nsACStr
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 NS_IMETHODIMP
 SignRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      // We need the output in PKCS#11 format, not DER encoding, so we must use
-      // PK11_HashBuf and PK11_Sign instead of SEC_SignData.
+    // We need the output in PKCS#11 format, not DER encoding, so we must use
+    // PK11_HashBuf and PK11_Sign instead of SEC_SignData.
 
-      SECItem sig = { siBuffer, nullptr, 0 };
-      int sigLength = PK11_SignatureLen(mPrivateKey);
-      if (sigLength <= 0) {
-        mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
-      } else if (!SECITEM_AllocItem(nullptr, &sig, sigLength)) {
-        mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
-      } else {
-        uint8_t hash[32]; // big enough for SHA-1 or SHA-256
-        SECOidTag hashAlg = mPrivateKey->keyType == dsaKey ? SEC_OID_SHA1
-                                                           : SEC_OID_SHA256;
-        SECItem hashItem = { siBuffer, hash,
-                             hashAlg == SEC_OID_SHA1 ? 20u : 32u };
+    SECItem sig = { siBuffer, nullptr, 0 };
+    int sigLength = PK11_SignatureLen(mPrivateKey);
+    if (sigLength <= 0) {
+      mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    } else if (!SECITEM_AllocItem(nullptr, &sig, sigLength)) {
+      mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    } else {
+      uint8_t hash[32]; // big enough for SHA-1 or SHA-256
+      SECOidTag hashAlg = mPrivateKey->keyType == dsaKey ? SEC_OID_SHA1
+                                                         : SEC_OID_SHA256;
+      SECItem hashItem = { siBuffer, hash,
+                           hashAlg == SEC_OID_SHA1 ? 20u : 32u };
 
-        mRv = MapSECStatus(PK11_HashBuf(hashAlg, hash,
-                    const_cast<uint8_t*>(reinterpret_cast<const uint8_t *>(
-                                            mTextToSign.get())),
-                                      mTextToSign.Length()));
-        if (NS_SUCCEEDED(mRv)) {
-          mRv = MapSECStatus(PK11_Sign(mPrivateKey, &sig, &hashItem));
-        }
-        if (NS_SUCCEEDED(mRv)) {
-          mRv = Base64URLEncode(sig.len, sig.data,
-                                Base64URLEncodePaddingPolicy::Include,
-                                mSignature);
-        }
-        SECITEM_FreeItem(&sig, false);
+      mRv = MapSECStatus(PK11_HashBuf(hashAlg, hash,
+                  const_cast<uint8_t*>(reinterpret_cast<const uint8_t *>(
+                                          mTextToSign.get())),
+                                    mTextToSign.Length()));
+      if (NS_SUCCEEDED(mRv)) {
+        mRv = MapSECStatus(PK11_Sign(mPrivateKey, &sig, &hashItem));
       }
+      if (NS_SUCCEEDED(mRv)) {
+        mRv = Base64URLEncode(sig.len, sig.data,
+                              Base64URLEncodePaddingPolicy::Include,
+                              mSignature);
+      }
+      SECITEM_FreeItem(&sig, false);
     }
 
     NS_DispatchToMainThread(this);
   } else {
     // Back on Main Thread
     (void) mCallback->SignFinished(mRv, mSignature);
   }