bug 1421084 - part 2/4 - remove nsNSSShutDownObject::isAlreadyShutDown() r=mt,ttaubert
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 23 Jan 2018 12:22:56 -0800
changeset 441423 ecb9941ee0344bd6952724e371589c3d0834e30d
parent 441422 b2b6ca8d0f70173d7b18bca53fa4e7a57dba9a14
child 441424 0d42218045d9de6b746b09669dedb0e30e8005c3
push idunknown
push userunknown
push dateunknown
reviewersmt, ttaubert
bugs1421084
milestone60.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1421084 - part 2/4 - remove nsNSSShutDownObject::isAlreadyShutDown() r=mt,ttaubert MozReview-Commit-ID: DlS16pHE0Ik
dom/crypto/CryptoKey.cpp
dom/crypto/WebCryptoTask.cpp
dom/media/webrtc/RTCCertificate.cpp
dom/webauthn/U2FSoftTokenManager.cpp
netwerk/base/BackgroundFileSaver.cpp
security/manager/ssl/ContentSignatureVerifier.cpp
security/manager/ssl/CryptoTask.cpp
security/manager/ssl/PKCS11ModuleDB.cpp
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/SecretDecoderRing.cpp
security/manager/ssl/TransportSecurityInfo.cpp
security/manager/ssl/nsCryptoHash.cpp
security/manager/ssl/nsDataSignatureVerifier.cpp
security/manager/ssl/nsKeyModule.cpp
security/manager/ssl/nsKeygenHandler.cpp
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCertHelper.cpp
security/manager/ssl/nsNSSCertValidity.cpp
security/manager/ssl/nsNSSCertificate.cpp
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsNSSShutDown.h
security/manager/ssl/nsPK11TokenDB.cpp
security/manager/ssl/nsPKCS11Slot.cpp
security/manager/ssl/nsPKCS12Blob.cpp
security/manager/ssl/nsRandomGenerator.cpp
security/manager/ssl/nsSSLStatus.cpp
services/crypto/component/IdentityCryptoService.cpp
--- a/dom/crypto/CryptoKey.cpp
+++ b/dom/crypto/CryptoKey.cpp
@@ -157,19 +157,16 @@ CryptoKey::CryptoKey(nsIGlobalObject* aG
   , mSymKey()
   , mPrivateKey(nullptr)
   , mPublicKey(nullptr)
 {
 }
 
 CryptoKey::~CryptoKey()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 JSObject*
 CryptoKey::WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto)
 {
   return CryptoKeyBinding::Wrap(aCx, this, aGivenProto);
@@ -447,29 +444,29 @@ nsresult CryptoKey::SetSymKey(const Cryp
   }
 
   return NS_OK;
 }
 
 nsresult
 CryptoKey::SetPrivateKey(SECKEYPrivateKey* aPrivateKey)
 {
-  if (!aPrivateKey || isAlreadyShutDown()) {
+  if (!aPrivateKey) {
     mPrivateKey = nullptr;
     return NS_OK;
   }
 
   mPrivateKey = UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(aPrivateKey));
   return mPrivateKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
 nsresult
 CryptoKey::SetPublicKey(SECKEYPublicKey* aPublicKey)
 {
-  if (!aPublicKey || isAlreadyShutDown()) {
+  if (!aPublicKey) {
     mPublicKey = nullptr;
     return NS_OK;
   }
 
   mPublicKey = UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(aPublicKey));
   return mPublicKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
@@ -477,26 +474,26 @@ const CryptoBuffer&
 CryptoKey::GetSymKey() const
 {
   return mSymKey;
 }
 
 UniqueSECKEYPrivateKey
 CryptoKey::GetPrivateKey() const
 {
-  if (!mPrivateKey || isAlreadyShutDown()) {
+  if (!mPrivateKey) {
     return nullptr;
   }
   return UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(mPrivateKey.get()));
 }
 
 UniqueSECKEYPublicKey
 CryptoKey::GetPublicKey() const
 {
-  if (!mPublicKey || isAlreadyShutDown()) {
+  if (!mPublicKey) {
     return nullptr;
   }
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(mPublicKey.get()));
 }
 
 void CryptoKey::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -1229,20 +1226,16 @@ CryptoKey::PublicKeyValid(SECKEYPublicKe
 
   SECStatus rv = PK11_DestroyObject(slot.get(), id);
   return (rv == SECSuccess);
 }
 
 bool
 CryptoKey::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   // Write in five pieces
   // 1. Attributes
   // 2. Symmetric key as raw (if present)
   // 3. Private key as pkcs8 (if present)
   // 4. Public key as spki (if present)
   // 5. Algorithm in whatever form it chooses
   CryptoBuffer priv, pub;
 
@@ -1263,20 +1256,16 @@ CryptoKey::WriteStructuredClone(JSStruct
          WriteBuffer(aWriter, priv) &&
          WriteBuffer(aWriter, pub) &&
          mAlgorithm.WriteStructuredClone(aWriter);
 }
 
 bool
 CryptoKey::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   // Ensure that NSS is initialized.
   if (!EnsureNSSInitializedChromeOrContent()) {
     return false;
   }
 
   uint32_t version;
   CryptoBuffer sym, priv, pub;
 
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -400,21 +400,17 @@ WebCryptoTask::DispatchWithPromise(Promi
   MAYBE_EARLY_FAIL(mEarlyRv)
 }
 
 NS_IMETHODIMP
 WebCryptoTask::Run()
 {
   // Run heavy crypto operations on the thread pool, off the original thread.
   if (!IsOnOriginalThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      mRv = CalculateResult();
-    }
+    mRv = CalculateResult();
 
     // Back to the original thread, i.e. continue below.
     mOriginalEventTarget->Dispatch(this, NS_DISPATCH_NORMAL);
     return NS_OK;
   }
 
   // We're now back on the calling thread.
 
@@ -455,20 +451,16 @@ WebCryptoTask::FailWithError(nsresult aR
   Cleanup();
 }
 
 nsresult
 WebCryptoTask::CalculateResult()
 {
   MOZ_ASSERT(!IsOnOriginalThread());
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_DOM_UNKNOWN_ERR;
-  }
-
   return DoCrypto();
 }
 
 void
 WebCryptoTask::CallCallback(nsresult rv)
 {
   MOZ_ASSERT(IsOnOriginalThread());
   if (NS_FAILED(rv)) {
@@ -3721,19 +3713,17 @@ WebCryptoTask::WebCryptoTask()
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 WebCryptoTask::~WebCryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  if (!isAlreadyShutDown()) {
-    shutdown(ShutdownCalledFrom::Object);
-  }
+  shutdown(ShutdownCalledFrom::Object);
 
   if (mWorkerHolder) {
     NS_ProxyRelease(
       "WebCryptoTask::mWorkerHolder",
       mOriginalEventTarget, mWorkerHolder.forget());
   }
 }
 
--- a/dom/media/webrtc/RTCCertificate.cpp
+++ b/dom/media/webrtc/RTCCertificate.cpp
@@ -303,19 +303,16 @@ RTCCertificate::RTCCertificate(nsIGlobal
       mCertificate(aCertificate),
       mAuthType(aAuthType),
       mExpires(aExpires)
 {
 }
 
 RTCCertificate::~RTCCertificate()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // This creates some interesting lifecycle consequences, since the DtlsIdentity
 // holds NSS objects, but does not implement nsNSSShutDownObject.
 
 // Unfortunately, the code that uses DtlsIdentity cannot always use that lock
@@ -324,17 +321,17 @@ RTCCertificate::~RTCCertificate()
 // have a lifetime that is strictly shorter than the RTCCertificate.
 //
 // RTCPeerConnection provides this guarantee by holding a strong reference to
 // the RTCCertificate.  It will cleanup any DtlsIdentity instances that it
 // creates before the RTCCertificate reference is released.
 RefPtr<DtlsIdentity>
 RTCCertificate::CreateDtlsIdentity() const
 {
-  if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
+  if (!mPrivateKey || !mCertificate) {
     return nullptr;
   }
   UniqueSECKEYPrivateKey key(SECKEY_CopyPrivateKey(mPrivateKey.get()));
   UniqueCERTCertificate cert(CERT_DupCertificate(mCertificate.get()));
   RefPtr<DtlsIdentity> id = new DtlsIdentity(Move(key), Move(cert), mAuthType);
   return id;
 }
 
@@ -383,17 +380,17 @@ RTCCertificate::WriteCertificate(JSStruc
     return false;
   }
   return JS_WriteBytes(aWriter, certs->certs[0].data, certs->certs[0].len);
 }
 
 bool
 RTCCertificate::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
+  if (!mPrivateKey || !mCertificate) {
     return false;
   }
 
   return JS_WriteUint32Pair(aWriter, RTCCERTIFICATE_SC_VERSION, mAuthType) &&
       JS_WriteUint32Pair(aWriter, (mExpires >> 32) & 0xffffffff,
                          mExpires & 0xffffffff) &&
       WritePrivateKey(aWriter) &&
       WriteCertificate(aWriter);
@@ -427,20 +424,16 @@ RTCCertificate::ReadCertificate(JSStruct
   mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                              &der, nullptr, true, true));
   return !!mCertificate;
 }
 
 bool
 RTCCertificate::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  if (isAlreadyShutDown()) {
-    return false;
-  }
-
   uint32_t version, authType;
   if (!JS_ReadUint32Pair(aReader, &version, &authType) ||
       version != RTCCERTIFICATE_SC_VERSION) {
     return false;
   }
   mAuthType = static_cast<SSLKEAType>(authType);
 
   uint32_t high, low;
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -65,21 +65,16 @@ enum SoftTokenHandle {
 
 U2FSoftTokenManager::U2FSoftTokenManager(uint32_t aCounter)
   : mInitialized(false),
     mCounter(aCounter)
 {}
 
 U2FSoftTokenManager::~U2FSoftTokenManager()
 {
-
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 U2FSoftTokenManager::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -361,20 +356,16 @@ GetAttestationCertificate(const UniquePK
 nsresult
 U2FSoftTokenManager::Init()
 {
   // If we've already initialized, just return.
   if (mInitialized) {
     return NS_OK;
   }
 
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   MOZ_ASSERT(slot.get());
 
   // Search for an existing wrapping key, or create one.
   nsresult rv = GetOrCreateWrappingKey(slot);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
@@ -565,20 +556,16 @@ PrivateKeyFromKeyHandle(const UniquePK11
 }
 
 // IsRegistered determines if the provided key handle is usable by this token.
 nsresult
 U2FSoftTokenManager::IsRegistered(const nsTArray<uint8_t>& aKeyHandle,
                                   const nsTArray<uint8_t>& aAppParam,
                                   bool& aResult)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return NS_ERROR_FAILURE;
-  }
-
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
     }
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalSlot());
@@ -615,20 +602,16 @@ U2FSoftTokenManager::IsRegistered(const 
 //
 RefPtr<U2FRegisterPromise>
 U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                               const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
                               const nsTArray<uint8_t>& aApplication,
                               const nsTArray<uint8_t>& aChallenge,
                               uint32_t aTimeoutMS)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return U2FRegisterPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
-  }
-
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return U2FRegisterPromise::CreateAndReject(rv, __func__);
     }
   }
 
   // The U2F softtoken neither supports resident keys or
@@ -746,20 +729,16 @@ U2FSoftTokenManager::Register(const nsTA
 //
 RefPtr<U2FSignPromise>
 U2FSoftTokenManager::Sign(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                           const nsTArray<uint8_t>& aApplication,
                           const nsTArray<uint8_t>& aChallenge,
                           bool aRequireUserVerification,
                           uint32_t aTimeoutMS)
 {
-  if (NS_WARN_IF(isAlreadyShutDown())) {
-    return U2FSignPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
-  }
-
   // The U2F softtoken doesn't support user verification.
   if (aRequireUserVerification) {
     return U2FSignPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR, __func__);
   }
 
   nsTArray<uint8_t> keyHandle;
   for (auto cred: aCredentials) {
     bool isRegistered = false;
--- a/netwerk/base/BackgroundFileSaver.cpp
+++ b/netwerk/base/BackgroundFileSaver.cpp
@@ -113,19 +113,16 @@ BackgroundFileSaver::BackgroundFileSaver
 , mDigestContext(nullptr)
 {
   LOG(("Created BackgroundFileSaver [this = %p]", this));
 }
 
 BackgroundFileSaver::~BackgroundFileSaver()
 {
   LOG(("Destroying BackgroundFileSaver [this = %p]", this));
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 BackgroundFileSaver::destructorSafeDestroyNSSReference()
 {
   mDigestContext = nullptr;
@@ -547,21 +544,19 @@ BackgroundFileSaver::ProcessStateChange(
     rv = mPipeInputStream->Available(&available);
     if (NS_FAILED(rv)) {
       return NS_OK;
     }
   }
 
   // Create the digest context if requested and NSS hasn't been shut down.
   if (sha256Enabled && !mDigestContext) {
-    if (!isAlreadyShutDown()) {
-      mDigestContext = UniquePK11Context(
-        PK11_CreateDigestContext(SEC_OID_SHA256));
-      NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
-    }
+    mDigestContext = UniquePK11Context(
+      PK11_CreateDigestContext(SEC_OID_SHA256));
+    NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
   }
 
   // When we are requested to append to an existing file, we should read the
   // existing data and ensure we include it as part of the final hash.
   if (mDigestContext && append && !isContinuation) {
     nsCOMPtr<nsIInputStream> inputStream;
     rv = NS_NewLocalFileInputStream(getter_AddRefs(inputStream),
                                     mActualTarget,
@@ -575,20 +570,16 @@ BackgroundFileSaver::ProcessStateChange(
         rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count);
         NS_ENSURE_SUCCESS(rv, rv);
 
         if (count == 0) {
           // We reached the end of the file.
           break;
         }
 
-        if (isAlreadyShutDown()) {
-          return NS_ERROR_NOT_AVAILABLE;
-        }
-
         nsresult rv = MapSECStatus(
           PK11_DigestOp(mDigestContext.get(),
                         BitwiseCast<unsigned char*, char*>(buffer),
                         count));
         NS_ENSURE_SUCCESS(rv, rv);
       }
 
       rv = inputStream->Close();
@@ -714,25 +705,23 @@ BackgroundFileSaver::CheckCompletion()
   // Ensure we notify completion now that the operation finished.
   // Do a best-effort attempt to remove the file if required.
   if (failed && mActualTarget && !mActualTargetKeepPartial) {
     (void)mActualTarget->Remove(false);
   }
 
   // Finish computing the hash
   if (!failed && mDigestContext) {
-    if (!isAlreadyShutDown()) {
-      Digest d;
-      rv = d.End(SEC_OID_SHA256, mDigestContext);
-      if (NS_SUCCEEDED(rv)) {
-        MutexAutoLock lock(mLock);
-        mSha256 =
-          nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data),
-                                d.get().len);
-      }
+    Digest d;
+    rv = d.End(SEC_OID_SHA256, mDigestContext);
+    if (NS_SUCCEEDED(rv)) {
+      MutexAutoLock lock(mLock);
+      mSha256 =
+        nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data),
+                              d.get().len);
     }
   }
 
   // Compute the signature of the binary. ExtractSignatureInfo doesn't do
   // anything on non-Windows platforms except return an empty nsIArray.
   if (!failed && mActualTarget) {
     nsString filePath;
     mActualTarget->GetTarget(filePath);
@@ -805,20 +794,16 @@ BackgroundFileSaver::NotifySaveComplete(
 
   return NS_OK;
 }
 
 nsresult
 BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath)
 {
   MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread");
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   {
     MutexAutoLock lock(mLock);
     if (!mSignatureInfoEnabled) {
       return NS_OK;
     }
   }
   nsresult rv;
   nsCOMPtr<nsIX509CertDB> certDB = do_GetService(NS_X509CERTDB_CONTRACTID, &rv);
@@ -1207,19 +1192,16 @@ DigestOutputStream::DigestOutputStream(n
   , mDigestContext(aContext)
 {
   MOZ_ASSERT(mDigestContext, "Can't have null digest context");
   MOZ_ASSERT(mOutputStream, "Can't have null output stream");
 }
 
 DigestOutputStream::~DigestOutputStream()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Close()
 {
   return mOutputStream->Close();
 }
@@ -1228,20 +1210,16 @@ NS_IMETHODIMP
 DigestOutputStream::Flush()
 {
   return mOutputStream->Flush();
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = MapSECStatus(
     PK11_DigestOp(mDigestContext,
                   BitwiseCast<const unsigned char*, const char*>(aBuf),
                   aCount));
   NS_ENSURE_SUCCESS(rv, rv);
 
   return mOutputStream->Write(aBuf, aCount, retval);
 }
--- a/security/manager/ssl/ContentSignatureVerifier.cpp
+++ b/security/manager/ssl/ContentSignatureVerifier.cpp
@@ -39,19 +39,16 @@ using namespace mozilla::psm;
 static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier");
 #define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args)
 
 // Content-Signature prefix
 const nsLiteralCString kPREFIX = NS_LITERAL_CSTRING("Content-Signature:\x00");
 
 ContentSignatureVerifier::~ContentSignatureVerifier()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 ContentSignatureVerifier::VerifyContentSignature(
   const nsACString& aData, const nsACString& aCSHeader,
   const nsACString& aCertChain, const nsACString& aName, bool* _retval)
@@ -141,20 +138,16 @@ ReadChainIntoCertList(const nsACString& 
 }
 
 nsresult
 ContentSignatureVerifier::CreateContextInternal(const nsACString& aData,
                                                 const nsACString& aCertChain,
                                                 const nsACString& aName)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   UniqueCERTCertList certCertList(CERT_NewCertList());
   if (!certCertList) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get());
   if (NS_FAILED(rv)) {
@@ -401,20 +394,16 @@ ContentSignatureVerifier::UpdateInternal
 
 /**
  * Add data to the context that shold be verified.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::Update(const nsACString& aData)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     MOZ_ASSERT_UNREACHABLE(
       "Someone called ContentSignatureVerifier::Update before "
       "downloading the cert chain.");
     return NS_ERROR_FAILURE;
   }
@@ -425,20 +414,16 @@ ContentSignatureVerifier::Update(const n
 /**
  * Finish signature verification and return the result in _retval.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::End(bool* _retval)
 {
   NS_ENSURE_ARG(_retval);
   MOZ_ASSERT(NS_IsMainThread());
-  if (isAlreadyShutDown()) {
-    CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
-    return NS_ERROR_FAILURE;
-  }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 2);
     MOZ_ASSERT_UNREACHABLE(
       "Someone called ContentSignatureVerifier::End before "
       "downloading the cert chain.");
     return NS_ERROR_FAILURE;
--- a/security/manager/ssl/CryptoTask.cpp
+++ b/security/manager/ssl/CryptoTask.cpp
@@ -8,19 +8,17 @@
 #include "nsNSSComponent.h"
 
 namespace mozilla {
 
 CryptoTask::~CryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  if (!isAlreadyShutDown()) {
-    shutdown(ShutdownCalledFrom::Object);
-  }
+  shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 CryptoTask::Dispatch(const nsACString& taskThreadName)
 {
   MOZ_ASSERT(taskThreadName.Length() <= 15);
 
   // Ensure that NSS is initialized, since presumably CalculateResult
@@ -40,21 +38,17 @@ CryptoTask::Dispatch(const nsACString& t
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 CryptoTask::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      mRv = CalculateResult();
-    }
+    mRv = CalculateResult();
     NS_DispatchToMainThread(this);
   } else {
     // back on the main thread
 
     // call ReleaseNSSResources now, before calling CallCallback, so that
     // CryptoTasks have consistent behavior regardless of whether NSS is shut
     // down between CalculateResult being called and CallCallback being called.
     if (!mReleasedNSSResources) {
--- a/security/manager/ssl/PKCS11ModuleDB.cpp
+++ b/security/manager/ssl/PKCS11ModuleDB.cpp
@@ -20,30 +20,23 @@ namespace mozilla { namespace psm {
 NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB)
 
 PKCS11ModuleDB::PKCS11ModuleDB()
 {
 }
 
 PKCS11ModuleDB::~PKCS11ModuleDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // Delete a PKCS11 module from the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
   NS_ConvertUTF16toUTF8 moduleName(aModuleName);
   // modType is an output variable. We ignore it.
   int32_t modType;
   SECStatus srv = SECMOD_DeleteModule(moduleName.get(), &modType);
@@ -84,20 +77,16 @@ GetModuleNameForTelemetry(/*in*/ const S
 
 // Add a new PKCS11 module to the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::AddModule(const nsAString& aModuleName,
                           const nsAString& aLibraryFullPath,
                           int32_t aCryptoMechanismFlags,
                           int32_t aCipherFlags)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
   // "Root Certs" is the name some NSS command-line utilities will give the
   // roots module if they decide to load it when there happens to be a
   // `DLL_PREFIX "nssckbi" DLL_SUFFIX` file in the directory being operated on.
   // This causes failures, so as a workaround, the PSM initialization code will
@@ -147,20 +136,16 @@ PKCS11ModuleDB::AddModule(const nsAStrin
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::FindModuleByName(const nsACString& name,
                          /*out*/ nsIPKCS11Module** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   UniqueSECMODModule mod(SECMOD_FindModule(PromiseFlatCString(name).get()));
   if (!mod) {
     return NS_ERROR_FAILURE;
@@ -171,20 +156,16 @@ PKCS11ModuleDB::FindModuleByName(const n
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
   if (!array) {
     return NS_ERROR_FAILURE;
@@ -214,32 +195,24 @@ PKCS11ModuleDB::ListModules(nsISimpleEnu
   return array->Enumerate(_retval);
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS)
 {
   NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ToggleFIPSMode()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
   // delete the internal module, and it gets replaced with the opposite module
   // (i.e. if it was FIPS before, then it becomes non-FIPS next).
   // SECMOD_GetInternalModule() returns a pointer to a local copy of the
   // internal module stashed in NSS.  We don't want to delete it since it will
   // cause much pain in NSS.
   SECMODModule* internal = SECMOD_GetInternalModule();
   if (!internal) {
@@ -257,17 +230,13 @@ PKCS11ModuleDB::ToggleFIPSMode()
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled)
 {
   NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   *aIsFIPSEnabled = PK11_IsFIPS();
   return NS_OK;
 }
 
 } } // namespace mozilla::psm
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1559,81 +1559,77 @@ SSLServerCertVerificationJob::Run()
 {
   // Runs on a cert verification thread
 
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
 
   PRErrorCode error;
 
-  if (mInfoObject->isAlreadyShutDown()) {
-    error = SEC_ERROR_USER_CANCELLED;
-  } else {
-    Telemetry::HistogramID successTelemetry
-      = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
-    Telemetry::HistogramID failureTelemetry
-      = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
+  Telemetry::HistogramID successTelemetry
+    = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
+  Telemetry::HistogramID failureTelemetry
+    = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
-    // Reset the error code here so we can detect if AuthCertificate fails to
-    // set the error code if/when it fails.
-    PR_SetError(0, 0);
-    SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
-                                   mPeerCertChain, mStapledOCSPResponse.get(),
-                                   mSCTsFromTLSExtension.get(),
-                                   mProviderFlags, mTime);
-    MOZ_ASSERT(mPeerCertChain || rv != SECSuccess,
-               "AuthCertificate() should take ownership of chain on failure");
-    if (rv == SECSuccess) {
-      uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
-      RefPtr<SSLServerCertVerificationResult> restart(
-        new SSLServerCertVerificationResult(mInfoObject, 0,
-                                            successTelemetry, interval));
-      restart->Dispatch();
-      Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
-      return NS_OK;
-    }
+  // Reset the error code here so we can detect if AuthCertificate fails to
+  // set the error code if/when it fails.
+  PR_SetError(0, 0);
+  SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
+                                 mPeerCertChain, mStapledOCSPResponse.get(),
+                                 mSCTsFromTLSExtension.get(),
+                                 mProviderFlags, mTime);
+  MOZ_ASSERT(mPeerCertChain || rv != SECSuccess,
+             "AuthCertificate() should take ownership of chain on failure");
+  if (rv == SECSuccess) {
+    uint32_t interval = (uint32_t) ((TimeStamp::Now() - mJobStartTime).ToMilliseconds());
+    RefPtr<SSLServerCertVerificationResult> restart(
+      new SSLServerCertVerificationResult(mInfoObject, 0,
+                                          successTelemetry, interval));
+    restart->Dispatch();
+    Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1);
+    return NS_OK;
+  }
 
-    // Note: the interval is not calculated once as PR_GetError MUST be called
-    // before any other  function call
-    error = PR_GetError();
+  // Note: the interval is not calculated once as PR_GetError MUST be called
+  // before any other  function call
+  error = PR_GetError();
+
+  TimeStamp now = TimeStamp::Now();
+  Telemetry::AccumulateTimeDelta(failureTelemetry, mJobStartTime, now);
 
-    TimeStamp now = TimeStamp::Now();
-    Telemetry::AccumulateTimeDelta(failureTelemetry, mJobStartTime, now);
-
-    if (error != 0) {
-      RefPtr<CertErrorRunnable> runnable(
-          CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert,
-                                  mFdForLogging, mProviderFlags, mPRTime));
-      if (!runnable) {
-        // CreateCertErrorRunnable set a new error code
-        error = PR_GetError();
-      } else {
-        // We must block the the socket transport service thread while the
-        // main thread executes the CertErrorRunnable. The CertErrorRunnable
-        // will dispatch the result asynchronously, so we don't have to block
-        // this thread waiting for it.
+  if (error != 0) {
+    RefPtr<CertErrorRunnable> runnable(
+        CreateCertErrorRunnable(*mCertVerifier, error, mInfoObject, mCert,
+                                mFdForLogging, mProviderFlags, mPRTime));
+    if (!runnable) {
+      // CreateCertErrorRunnable set a new error code
+      error = PR_GetError();
+    } else {
+      // We must block the the socket transport service thread while the
+      // main thread executes the CertErrorRunnable. The CertErrorRunnable
+      // will dispatch the result asynchronously, so we don't have to block
+      // this thread waiting for it.
 
-        MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-                ("[%p][%p] Before dispatching CertErrorRunnable\n",
-                mFdForLogging, runnable.get()));
+      MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
+              ("[%p][%p] Before dispatching CertErrorRunnable\n",
+              mFdForLogging, runnable.get()));
 
-        nsresult nrv;
-        nsCOMPtr<nsIEventTarget> stsTarget
-          = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
-        if (NS_SUCCEEDED(nrv)) {
-          nrv = stsTarget->Dispatch(new CertErrorRunnableRunnable(runnable),
-                                    NS_DISPATCH_NORMAL);
-        }
-        if (NS_SUCCEEDED(nrv)) {
-          return NS_OK;
-        }
+      nsresult nrv;
+      nsCOMPtr<nsIEventTarget> stsTarget
+        = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &nrv);
+      if (NS_SUCCEEDED(nrv)) {
+        nrv = stsTarget->Dispatch(new CertErrorRunnableRunnable(runnable),
+                                  NS_DISPATCH_NORMAL);
+      }
+      if (NS_SUCCEEDED(nrv)) {
+        return NS_OK;
+      }
 
-        NS_ERROR("Failed to dispatch CertErrorRunnable");
-        error = PR_INVALID_STATE_ERROR;
-      }
+      NS_ERROR("Failed to dispatch CertErrorRunnable");
+      error = PR_INVALID_STATE_ERROR;
     }
   }
 
   if (error == 0) {
     MOZ_ASSERT_UNREACHABLE("No error set during certificate validation failure");
     error = PR_INVALID_STATE_ERROR;
   }
 
--- a/security/manager/ssl/SecretDecoderRing.cpp
+++ b/security/manager/ssl/SecretDecoderRing.cpp
@@ -61,30 +61,22 @@ void BackgroundSdrEncryptStrings(const n
 }
 
 SecretDecoderRing::SecretDecoderRing()
 {
 }
 
 SecretDecoderRing::~SecretDecoderRing()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 SecretDecoderRing::Encrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Make sure token is initialized. */
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsresult rv = setPassword(slot.get(), ctx);
@@ -111,20 +103,16 @@ SecretDecoderRing::Encrypt(const nsACStr
 
   result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len);
   return NS_OK;
 }
 
 nsresult
 SecretDecoderRing::Decrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   /* Find token with SDR key */
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Force authentication */
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
@@ -223,20 +211,16 @@ SecretDecoderRing::DecryptString(const n
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::ChangePassword()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot.get()));
 
   nsCOMPtr<nsITokenPasswordDialogs> dialogs;
@@ -250,57 +234,39 @@ SecretDecoderRing::ChangePassword()
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   bool canceled; // Ignored
   return dialogs->SetPassword(ctx, tokenName, &canceled);
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::Logout()
 {
-  static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
-
-  nsresult rv;
-  nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv))
-    return rv;
-
-  {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
-    PK11_LogoutAll();
-    SSL_ClearSessionCache();
-  }
-
+  PK11_LogoutAll();
+  SSL_ClearSessionCache();
   return NS_OK;
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::LogoutAndTeardown()
 {
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
+  PK11_LogoutAll();
+  SSL_ClearSessionCache();
+
   nsresult rv;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
-  if (NS_FAILED(rv))
+  if (NS_FAILED(rv)) {
     return rv;
-
-  {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
-    PK11_LogoutAll();
-    SSL_ClearSessionCache();
   }
 
   rv = nssComponent->LogoutAuthenticatedPK11();
 
   // After we just logged out, we need to prune dead connections to make
   // sure that all connections that should be stopped, are stopped. See
   // bug 517584.
   nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
-  if (os)
+  if (os) {
     os->NotifyObservers(nullptr, "net:prune-dead-connections", nullptr);
+  }
 
   return rv;
 }
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -45,19 +45,16 @@ TransportSecurityInfo::TransportSecurity
   , mErrorCode(0)
   , mErrorMessageType(SSLErrorMessageType::Plain)
   , mPort(0)
 {
 }
 
 TransportSecurityInfo::~TransportSecurityInfo()
 {
-  if (isAlreadyShutDown())
-    return;
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 TransportSecurityInfo::virtualDestroyNSSReference()
 {
 }
 
@@ -1035,19 +1032,15 @@ TransportSecurityInfo::GetFailedCertChai
   NS_IF_ADDREF(*_result);
 
   return NS_OK;
 }
 
 nsresult
 TransportSecurityInfo::SetFailedCertChain(UniqueCERTCertList certList)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // nsNSSCertList takes ownership of certList
   mFailedCertChain = new nsNSSCertList(Move(certList));
 
   return NS_OK;
 }
 
 } } // namespace mozilla::psm
--- a/security/manager/ssl/nsCryptoHash.cpp
+++ b/security/manager/ssl/nsCryptoHash.cpp
@@ -33,19 +33,16 @@ static const uint64_t STREAM_BUFFER_SIZE
 nsCryptoHash::nsCryptoHash()
   : mHashContext(nullptr)
   , mInitialized(false)
 {
 }
 
 nsCryptoHash::~nsCryptoHash()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsCryptoHash::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -57,20 +54,16 @@ nsCryptoHash::destructorSafeDestroyNSSRe
   mHashContext = nullptr;
 }
 
 NS_IMPL_ISUPPORTS(nsCryptoHash, nsICryptoHash)
 
 NS_IMETHODIMP
 nsCryptoHash::Init(uint32_t algorithm)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   HASH_HashType hashType;
   switch (algorithm) {
     case nsICryptoHash::MD2:
       hashType = HASH_AlgMD2; break;
     case nsICryptoHash::MD5:
       hashType = HASH_AlgMD5; break;
     case nsICryptoHash::SHA1:
       hashType = HASH_AlgSHA1; break;
@@ -129,35 +122,27 @@ nsCryptoHash::InitWithString(const nsACS
     return Init(nsICryptoHash::SHA512);
 
   return NS_ERROR_INVALID_ARG;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Update(const uint8_t *data, uint32_t len)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   HASH_Update(mHashContext.get(), data, len);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::UpdateFromStream(nsIInputStream *data, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!data)
     return NS_ERROR_INVALID_ARG;
 
   uint64_t n;
   nsresult rv = data->Available(&n);
@@ -200,20 +185,16 @@ nsCryptoHash::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Finish(bool ascii, nsACString & _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   uint32_t hashLen = 0;
   unsigned char buffer[HASH_LENGTH_MAX];
   HASH_End(mHashContext.get(), buffer, &hashLen, HASH_LENGTH_MAX);
 
@@ -236,19 +217,16 @@ NS_IMPL_ISUPPORTS(nsCryptoHMAC, nsICrypt
 
 nsCryptoHMAC::nsCryptoHMAC()
   : mHMACContext(nullptr)
 {
 }
 
 nsCryptoHMAC::~nsCryptoHMAC()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsCryptoHMAC::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -258,20 +236,16 @@ void
 nsCryptoHMAC::destructorSafeDestroyNSSReference()
 {
   mHMACContext = nullptr;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Init(uint32_t aAlgorithm, nsIKeyObject *aKeyObject)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (mHMACContext) {
     mHMACContext = nullptr;
   }
 
   CK_MECHANISM_TYPE mechType;
   switch (aAlgorithm) {
     case nsICryptoHMAC::MD5:
       mechType = CKM_MD5_HMAC; break;
@@ -314,40 +288,32 @@ nsCryptoHMAC::Init(uint32_t aAlgorithm, 
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Update(const uint8_t *aData, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aData)
     return NS_ERROR_INVALID_ARG;
 
   if (PK11_DigestOp(mHMACContext.get(), aData, aLen) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::UpdateFromStream(nsIInputStream *aStream, uint32_t aLen)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aStream)
     return NS_ERROR_INVALID_ARG;
 
   uint64_t n;
   nsresult rv = aStream->Available(&n);
@@ -393,20 +359,16 @@ nsCryptoHMAC::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Finish(bool aASCII, nsACString & _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   uint32_t hashLen = 0;
   unsigned char buffer[HASH_LENGTH_MAX];
   SECStatus srv = PK11_DigestFinal(mHMACContext.get(), buffer, &hashLen,
                                    HASH_LENGTH_MAX);
   if (srv != SECSuccess) {
@@ -420,18 +382,14 @@ nsCryptoHMAC::Finish(bool aASCII, nsACSt
 
   _retval.Assign(BitwiseCast<char*>(buffer), hashLen);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Reset()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (PK11_DigestBegin(mHMACContext.get()) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
--- a/security/manager/ssl/nsDataSignatureVerifier.cpp
+++ b/security/manager/ssl/nsDataSignatureVerifier.cpp
@@ -26,35 +26,27 @@ const SEC_ASN1Template CERT_SignatureDat
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), },
     { SEC_ASN1_BIT_STRING,
         offsetof(CERTSignedData,signature), },
     { 0, }
 };
 
 nsDataSignatureVerifier::~nsDataSignatureVerifier()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsDataSignatureVerifier::VerifyData(const nsACString& aData,
                                     const nsACString& aSignature,
                                     const nsACString& aPublicKey,
                                     bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // Allocate an arena to handle the majority of the allocations
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   // Base 64 decode the key
   // For compatibility reasons we need to remove all whitespace first, since
--- a/security/manager/ssl/nsKeyModule.cpp
+++ b/security/manager/ssl/nsKeyModule.cpp
@@ -14,19 +14,16 @@ NS_IMPL_ISUPPORTS(nsKeyObject, nsIKeyObj
 
 nsKeyObject::nsKeyObject()
   : mSymKey(nullptr)
 {
 }
 
 nsKeyObject::~nsKeyObject()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsKeyObject::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -43,37 +40,29 @@ nsKeyObject::destructorSafeDestroyNSSRef
 
 NS_IMETHODIMP
 nsKeyObject::InitKey(int16_t aAlgorithm, PK11SymKey* aKey)
 {
   if (!aKey || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   mSymKey.reset(aKey);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsKeyObject::GetKeyObj(PK11SymKey** _retval)
 {
   if (!_retval) {
     return NS_ERROR_INVALID_ARG;
   }
 
   *_retval = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mSymKey) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   *_retval = mSymKey.get();
   return NS_OK;
 }
 
@@ -93,34 +82,27 @@ nsKeyObject::GetType(int16_t *_retval)
 NS_IMPL_ISUPPORTS(nsKeyObjectFactory, nsIKeyObjectFactory)
 
 nsKeyObjectFactory::nsKeyObjectFactory()
 {
 }
 
 nsKeyObjectFactory::~nsKeyObjectFactory()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString& aKey,
                                   nsIKeyObject** _retval)
 {
   if (!_retval || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   CK_MECHANISM_TYPE cipherMech = CKM_GENERIC_SECRET_KEY_GEN;
   CK_ATTRIBUTE_TYPE cipherOperation = CKA_SIGN;
 
   nsresult rv;
   nsCOMPtr<nsIKeyObject> key(
     do_CreateInstance(NS_KEYMODULEOBJECT_CONTRACTID, &rv));
   if (NS_FAILED(rv)) {
     return rv;
--- a/security/manager/ssl/nsKeygenHandler.cpp
+++ b/security/manager/ssl/nsKeygenHandler.cpp
@@ -217,20 +217,16 @@ NS_IMPL_ISUPPORTS(nsKeygenFormProcessor,
 
 nsKeygenFormProcessor::nsKeygenFormProcessor()
 {
    m_ctx = new PipUIContext();
 }
 
 nsKeygenFormProcessor::~nsKeygenFormProcessor()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 nsKeygenFormProcessor::Create(nsISupports* aOuter, const nsIID& aIID, void* *aResult)
 {
   if (GeckoProcessType_Content == XRE_GetProcessType()) {
     nsCOMPtr<nsISupports> contentProcessor = new nsKeygenFormProcessorContent();
@@ -269,20 +265,16 @@ nsKeygenFormProcessor::Init()
   mSECKeySizeChoiceList[1].size = 1024;
 
   return NS_OK;
 }
 
 nsresult
 nsKeygenFormProcessor::GetSlot(uint32_t aMechanism, PK11SlotInfo** aSlot)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return GetSlotWithMechanism(aMechanism, m_ctx, aSlot);
 }
 
 uint32_t MapGenMechToAlgoMech(uint32_t mechanism)
 {
     uint32_t searchMech;
 
     /* We are interested in slots based on the ability to perform
@@ -419,20 +411,16 @@ loser:
 
 nsresult
 nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
                                     const nsAString& aChallenge,
                                     const nsString& aKeyType,
                                     nsAString& aOutPublicKey,
                                     const nsAString& aKeyParams)
 {
-    if (isAlreadyShutDown()) {
-      return NS_ERROR_NOT_AVAILABLE;
-    }
-
     nsresult rv = NS_ERROR_FAILURE;
     nsAutoCString keystring;
     char *keyparamsString = nullptr;
     uint32_t keyGenMechanism;
     PK11SlotInfo *slot = nullptr;
     PK11RSAGenParams rsaParams;
     mozilla::UniqueSECItem ecParams;
     SECOidTag algTag;
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -748,30 +748,22 @@ public:
   virtual void RunOnTargetThread() override;
 private:
   PK11SlotInfo* const mSlot; // in
   nsIInterfaceRequestor* const mIR; // in
 };
 
 PK11PasswordPromptRunnable::~PK11PasswordPromptRunnable()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 PK11PasswordPromptRunnable::RunOnTargetThread()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   nsresult rv;
   nsCOMPtr<nsIPrompt> prompt;
   if (!mIR) {
     rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt));
     if (NS_FAILED(rv)) {
       return;
     }
   } else {
@@ -993,22 +985,16 @@ CanFalseStartCallback(PRFileDesc* fd, vo
   nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
   if (!infoObject) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   infoObject->SetFalseStartCallbackCalled();
 
-  if (infoObject->isAlreadyShutDown()) {
-    MOZ_CRASH("SSL socket used after NSS shut down");
-    PR_SetError(PR_INVALID_STATE_ERROR, 0);
-    return SECFailure;
-  }
-
   PreliminaryHandshakeDone(fd);
 
   uint32_t reasonsForNotFalseStarting = 0;
 
   SSLChannelInfo channelInfo;
   if (SSL_GetChannelInfo(fd, &channelInfo, sizeof(channelInfo)) != SECSuccess) {
     return SECSuccess;
   }
--- a/security/manager/ssl/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -1829,19 +1829,16 @@ RegisterDynamicOids()
   }
   registered = true;
   return rv;
 }
 
 nsresult
 nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (RegisterDynamicOids() != SECSuccess)
     return NS_ERROR_FAILURE;
 
   //
   //   TBSCertificate  ::=  SEQUENCE  {
   //        version         [0]  EXPLICIT Version DEFAULT v1,
   //        serialNumber         CertificateSerialNumber,
   //        signature            AlgorithmIdentifier,
@@ -1976,19 +1973,16 @@ nsNSSCertificate::CreateTBSCertificateAS
   }
   sequence.forget(retSequence);
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::CreateASN1Struct(nsIASN1Object** aRetVal)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsCOMPtr<nsIASN1Sequence> sequence = new nsNSSASN1Sequence();
 
   nsCOMPtr<nsIMutableArray> asn1Objects;
   sequence->GetASN1Objects(getter_AddRefs(asn1Objects));
 
   nsAutoString displayName;
   nsresult rv = GetDisplayName(displayName);
   if (NS_FAILED(rv)) {
--- a/security/manager/ssl/nsNSSCertValidity.cpp
+++ b/security/manager/ssl/nsNSSCertValidity.cpp
@@ -17,31 +17,23 @@ nsX509CertValidity::nsX509CertValidity(c
   , mNotAfter(0)
   , mTimesInitialized(false)
 {
   MOZ_ASSERT(cert);
   if (!cert) {
     return;
   }
 
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
     mTimesInitialized = true;
   }
 }
 
 nsX509CertValidity::~nsX509CertValidity()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsX509CertValidity::GetNotBefore(PRTime* aNotBefore)
 {
   NS_ENSURE_ARG(aNotBefore);
 
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -85,19 +85,16 @@ nsNSSCertificate::ConstructFromDER(char*
   }
 
   return newObject;
 }
 
 bool
 nsNSSCertificate::InitFromDER(char* certDER, int derLen)
 {
-  if (isAlreadyShutDown())
-    return false;
-
   if (!certDER || !derLen)
     return false;
 
   CERTCertificate* aCert = CERT_DecodeCertFromPackage(certDER, derLen);
 
   if (!aCert)
     return false;
 
@@ -110,36 +107,30 @@ nsNSSCertificate::InitFromDER(char* cert
   return true;
 }
 
 nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert)
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
-  if (isAlreadyShutDown())
-    return;
-
   if (cert) {
     mCert.reset(CERT_DupCertificate(cert));
   }
 }
 
 nsNSSCertificate::nsNSSCertificate()
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
 }
 
 nsNSSCertificate::~nsNSSCertificate()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertificate::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -172,44 +163,35 @@ nsNSSCertificate::GetCertType(uint32_t* 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsSelfSigned(bool* aIsSelfSigned)
 {
   NS_ENSURE_ARG(aIsSelfSigned);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *aIsSelfSigned = mCert->isRoot;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot)
 {
   NS_ENSURE_ARG(aIsBuiltInRoot);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot);
   if (rv != pkix::Result::Success) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::MarkForPermDeletion()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // make sure user is logged in to the token
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
 
   if (mCert->slot && PK11_NeedLogin(mCert->slot) &&
       !PK11_NeedUserInit(mCert->slot) && !PK11_IsInternal(mCert->slot)) {
     if (SECSuccess != PK11_Authenticate(mCert->slot, true, ctx)) {
       return NS_ERROR_FAILURE;
     }
@@ -298,19 +280,16 @@ nsNSSCertificate::GetKeyUsages(nsAString
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDbKey(nsACString& aDbKey)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   return GetDbKey(mCert, aDbKey);
 }
 
 nsresult
 nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey)
 {
   static_assert(sizeof(uint64_t) == 8, "type size sanity check");
   static_assert(sizeof(uint32_t) == 4, "type size sanity check");
@@ -338,20 +317,16 @@ nsNSSCertificate::GetDbKey(const UniqueC
              cert->derIssuer.len);
 
   return Base64Encode(buf, aDbKey);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDisplayName(nsAString& aDisplayName)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aDisplayName.Truncate();
 
   MOZ_ASSERT(mCert, "mCert should not be null in GetDisplayName");
   if (!mCert) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));
@@ -406,38 +381,32 @@ nsNSSCertificate::GetDisplayName(nsAStri
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mCert->emailAddr) {
     CopyUTF8toUTF16(mCert->emailAddr, aEmailAddress);
   } else {
     nsresult rv;
     nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
     if (NS_FAILED(rv) || !nssComponent) {
       return NS_ERROR_FAILURE;
     }
     nssComponent->GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddresses(uint32_t* aLength, char16_t*** aAddresses)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aAddresses);
 
   *aLength = 0;
 
   const char* aAddr;
   for (aAddr = CERT_GetFirstEmailAddress(mCert.get())
        ;
@@ -464,19 +433,16 @@ nsNSSCertificate::GetEmailAddresses(uint
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress,
                                        bool* result)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(result);
   *result = false;
 
   const char* aAddr = nullptr;
   for (aAddr = CERT_GetFirstEmailAddress(mCert.get())
        ;
        aAddr
        ;
@@ -497,99 +463,81 @@ nsNSSCertificate::ContainsEmailAddress(c
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetCommonName(nsAString& aCommonName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganization(nsAString& aOrganization)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->subject));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->issuer));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->issuer));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganizationUnit.Truncate();
   if (mCert) {
     UniquePORTString organizationUnit(CERT_GetOrgUnitName(&mCert->issuer));
     if (organizationUnit) {
       aOrganizationUnit = NS_ConvertUTF8toUTF16(organizationUnit.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuer(nsIX509Cert** aIssuer)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aIssuer);
   *aIssuer = nullptr;
 
   nsCOMPtr<nsIArray> chain;
   nsresult rv;
   rv = GetChain(getter_AddRefs(chain));
   NS_ENSURE_SUCCESS(rv, rv);
   uint32_t length;
@@ -606,19 +554,16 @@ nsNSSCertificate::GetIssuer(nsIX509Cert*
   }
   cert.forget(aIssuer);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aOrganizationalUnit.Truncate();
   if (mCert) {
     UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject));
     if (orgunit) {
       aOrganizationalUnit = NS_ConvertUTF8toUTF16(orgunit.get());
     }
   }
   return NS_OK;
@@ -650,19 +595,16 @@ UniqueCERTCertListToMutableArray(/*in*/ 
 
   array.forget(x509CertArray);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetChain(nsIArray** _rvChain)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(_rvChain);
 
   mozilla::pkix::Time now(mozilla::pkix::Now());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
   UniqueCERTCertList nssChain;
@@ -694,61 +636,48 @@ nsNSSCertificate::GetChain(nsIArray** _r
     return NS_ERROR_FAILURE;
   }
   return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSubjectName(nsAString& _subjectName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _subjectName.Truncate();
   if (mCert->subjectName) {
     _subjectName = NS_ConvertUTF8toUTF16(mCert->subjectName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerName(nsAString& _issuerName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _issuerName.Truncate();
   if (mCert->issuerName) {
     _issuerName = NS_ConvertUTF8toUTF16(mCert->issuerName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   _serialNumber.Truncate();
   UniquePORTString tmpstr(CERT_Hexify(&mCert->serialNumber, 1));
   if (tmpstr) {
     _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get());
     return NS_OK;
   }
   return NS_ERROR_FAILURE;
 }
 
 nsresult
 nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aFingerprint.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data,
                                  mCert->derCert.len);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
@@ -772,19 +701,16 @@ NS_IMETHODIMP
 nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
 {
   return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetTokenName(nsAString& aTokenName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   aTokenName.Truncate();
   if (mCert) {
     // HACK alert
     // When the trust of a builtin cert is modified, NSS copies it into the
     // cert db.  At this point, it is now "managed" by the user, and should
     // not be listed with the builtins.  However, in the collection code
     // used by PK11_ListCerts, the cert is found in the temp db, where it
     // has been loaded from the token.  Though the trust is correct (grabbed
@@ -806,20 +732,16 @@ nsNSSCertificate::GetTokenName(nsAString
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest(nsACString& aSha256SPKIDigest)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   aSha256SPKIDigest.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(SEC_OID_SHA256, mCert->derPublicKey.data,
                                  mCert->derPublicKey.len);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
   rv = Base64Encode(nsDependentCSubstring(
@@ -830,19 +752,16 @@ nsNSSCertificate::GetSha256SubjectPublic
     return rv;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetRawDER(uint32_t* aLength, uint8_t** aArray)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mCert) {
     *aArray = (uint8_t*)moz_xmalloc(mCert->derCert.len);
     if (*aArray) {
       memcpy(*aArray, mCert->derCert.data, mCert->derCert.len);
       *aLength = mCert->derCert.len;
       return NS_OK;
     }
   }
@@ -852,19 +771,16 @@ nsNSSCertificate::GetRawDER(uint32_t* aL
 
 NS_IMETHODIMP
 nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
                               uint32_t* aLength, uint8_t** aArray)
 {
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aArray);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   if (!mCert)
     return NS_ERROR_FAILURE;
 
@@ -977,28 +893,22 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   memcpy(*aArray, certP7.data, certP7.len);
   *aLength = certP7.len;
   return NS_OK;
 }
 
 CERTCertificate*
 nsNSSCertificate::GetCert()
 {
-  if (isAlreadyShutDown())
-    return nullptr;
-
   return (mCert) ? CERT_DupCertificate(mCert.get()) : nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(aValidity);
 
   if (!mCert) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509CertValidity> validity = new nsX509CertValidity(mCert);
   validity.forget(aValidity);
@@ -1013,19 +923,16 @@ nsNSSCertificate::GetASN1Structure(nsIAS
     return NS_ERROR_NOT_SAME_THREAD;
   }
   return CreateASN1Struct(aASN1Structure);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::Equals(nsIX509Cert* other, bool* result)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
   UniqueCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
   return NS_OK;
 }
 
@@ -1088,19 +995,16 @@ nsNSSCertList::nsNSSCertList(UniqueCERTC
 
 nsNSSCertList::nsNSSCertList()
 {
   mCertList = UniqueCERTCertList(CERT_NewCertList());
 }
 
 nsNSSCertList::~nsNSSCertList()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertList::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -1114,19 +1018,16 @@ nsNSSCertList*
 nsNSSCertList::GetCertList()
 {
   return this;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert* aCert)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   // We need an owning handle when calling nsIX509Cert::GetCert().
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
   }
 
   if (!mCertList) {
@@ -1167,29 +1068,22 @@ nsNSSCertList::DupCertList(const UniqueC
     Unused << cert.release(); // Ownership transferred to the cert list.
   }
   return newList;
 }
 
 CERTCertList*
 nsNSSCertList::GetRawCertList()
 {
-  if (isAlreadyShutDown()) {
-    return nullptr;
-  }
   return mCertList.get();
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Write(nsIObjectOutputStream* aStream)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   // First, enumerate the certs to get the length of the list
   uint32_t certListLen = 0;
   CERTCertListNode* node = nullptr;
   for (node = CERT_LIST_HEAD(mCertList);
        !CERT_LIST_END(node, mCertList);
@@ -1219,20 +1113,16 @@ nsNSSCertList::Write(nsIObjectOutputStre
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Read(nsIObjectInputStream* aStream)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   uint32_t certListLen;
   rv = aStream->Read32(&certListLen);
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -1252,38 +1142,30 @@ nsNSSCertList::Read(nsIObjectInputStream
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::GetEnumerator(nsISimpleEnumerator** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (!mCertList) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsISimpleEnumerator> enumerator =
     new nsNSSCertListEnumerator(mCertList);
 
   enumerator.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Equals(nsIX509CertList* other, bool* result)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_ARG(result);
   *result = true;
 
   nsresult rv;
 
   nsCOMPtr<nsISimpleEnumerator> selfEnumerator;
   rv = GetEnumerator(getter_AddRefs(selfEnumerator));
   if (NS_FAILED(rv)) {
@@ -1428,19 +1310,16 @@ nsNSSCertListEnumerator::nsNSSCertListEn
   const UniqueCERTCertList& certList)
 {
   MOZ_ASSERT(certList);
   mCertList = nsNSSCertList::DupCertList(certList);
 }
 
 nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertListEnumerator::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
 }
@@ -1448,33 +1327,25 @@ void nsNSSCertListEnumerator::virtualDes
 void nsNSSCertListEnumerator::destructorSafeDestroyNSSReference()
 {
   mCertList = nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::HasMoreElements(bool* _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   *_retval = !CERT_LIST_EMPTY(mCertList);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::GetNext(nsISupports** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   CERTCertListNode* node = CERT_LIST_HEAD(mCertList);
   if (CERT_LIST_END(node, mCertList)) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509Cert> nssCert = nsNSSCertificate::Create(node->cert);
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -54,38 +54,30 @@ using namespace mozilla::psm;
 using mozilla::psm::SharedSSLState;
 
 extern LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByDBKey(const nsACString& aDBKey,
                             /*out*/ nsIX509Cert** _cert)
 {
   NS_ENSURE_ARG_POINTER(_cert);
   *_cert = nullptr;
 
   if (aDBKey.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   UniqueCERTCertificate cert;
   rv = FindCertByDBKey(aDBKey, cert);
   if (NS_FAILED(rv)) {
@@ -428,20 +420,16 @@ nsNSSCertificateDB::handleCACertDownload
   return ImportCertsIntoPermanentStorage(certList);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
                                        uint32_t type,
                                        nsIInterfaceRequestor* ctx)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // We currently only handle CA certificates.
   if (type != nsIX509Cert::CA_CERT) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -535,20 +523,16 @@ ImportCertsIntoTempStorage(int numcerts,
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
                                            nsIInterfaceRequestor* ctx)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length);
   if (!certCollection) {
     return NS_ERROR_FAILURE;
@@ -624,20 +608,16 @@ NS_IMETHODIMP
 nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length,
                                           nsIInterfaceRequestor* ctx)
 {
   if (!NS_IsMainThread()) {
     NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread");
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length);
   if (!collectArgs) {
     return NS_ERROR_FAILURE;
@@ -693,19 +673,16 @@ nsNSSCertificateDB::ImportUserCertificat
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   NS_ENSURE_ARG_POINTER(aCert);
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     return NS_ERROR_FAILURE;
   }
   SECStatus srv = SECSuccess;
 
   uint32_t certType;
   aCert->GetCertType(&certType);
@@ -738,20 +715,16 @@ nsNSSCertificateDB::DeleteCertificate(ns
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
                                  uint32_t type,
                                  uint32_t trusted)
 {
   NS_ENSURE_ARG_POINTER(cert);
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSCertTrust trust;
   switch (type) {
     case nsIX509Cert::CA_CERT:
       trust.SetValidCA();
       trust.AddCATrust(!!(trusted & nsIX509CertDB::TRUSTED_SSL),
                        !!(trusted & nsIX509CertDB::TRUSTED_EMAIL));
       break;
     case nsIX509Cert::SERVER_CERT:
@@ -778,20 +751,16 @@ NS_IMETHODIMP
 nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
                                   uint32_t certType,
                                   uint32_t trustType,
                                   bool *_isTrusted)
 {
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   SECStatus srv;
   UniqueCERTCertificate nsscert(cert->GetCert());
   CERTCertTrust nsstrust;
@@ -827,20 +796,16 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   } /* user: ignore */
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   NS_ENSURE_ARG(aFile);
   switch (aType) {
     case nsIX509Cert::CA_CERT:
     case nsIX509Cert::EMAIL_CERT:
       // good
       break;
 
     default:
@@ -886,19 +851,16 @@ nsNSSCertificateDB::ImportCertsFromFile(
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   NS_ENSURE_ARG(aFile);
   nsPKCS12Blob blob;
   rv = blob.ImportFromFile(aFile);
@@ -914,19 +876,16 @@ nsNSSCertificateDB::ImportPKCS12File(nsI
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ExportPKCS12File(nsIFile* aFile, uint32_t count,
                                      nsIX509Cert** certs)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   NS_ENSURE_ARG(aFile);
   if (count == 0) {
     return NS_OK;
@@ -934,20 +893,16 @@ nsNSSCertificateDB::ExportPKCS12File(nsI
   nsPKCS12Blob blob;
   return blob.ExportToFile(aFile, certs, count);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByEmailAddress(const nsACString& aEmailAddress,
                                            nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_UNEXPECTED);
 
@@ -994,19 +949,16 @@ nsNSSCertificateDB::FindCertByEmailAddre
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64,
                                     /*out*/ nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (!_retval) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   // Base64Decode() doesn't consider a zero length input as an error, and just
   // returns the empty string. We don't want this behavior, so the below check
   // catches this case.
   if (base64.Length() < 1) {
@@ -1021,19 +973,16 @@ nsNSSCertificateDB::ConstructX509FromBas
 
   return ConstructX509(certDER, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509(const nsACString& certDER,
                                   nsIX509Cert** _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (NS_WARN_IF(!_retval)) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   SECItem certData;
   certData.type = siDERCertBuffer;
   certData.data = BitwiseCast<unsigned char*, const char*>(certDER.BeginReading());
   certData.len = certDER.Length();
@@ -1164,20 +1113,16 @@ nsNSSCertificateDB::AddCertFromBase64(co
                                       nsIX509Cert** addedCertificate)
 {
   MOZ_ASSERT(addedCertificate);
   if (!addedCertificate) {
     return NS_ERROR_INVALID_ARG;
   }
   *addedCertificate = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsNSSCertTrust trust;
   if (CERT_DecodeTrustString(&trust.GetTrust(), PromiseFlatCString(aTrust).get())
         != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIX509Cert> newCert;
   nsresult rv = ConstructX509FromBase64(aBase64, getter_AddRefs(newCert));
@@ -1248,20 +1193,16 @@ nsNSSCertificateDB::SetCertTrustFromStri
 
   srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr);
   return MapSECStatus(srv);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
@@ -1284,20 +1225,16 @@ nsNSSCertificateDB::GetEnterpriseRoots(n
 {
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
 #ifdef XP_WIN
   nsCOMPtr<nsINSSComponent> psm(do_GetService(PSM_COMPONENT_CONTRACTID));
   if (!psm) {
     return NS_ERROR_FAILURE;
   }
   return psm->GetEnterpriseRoots(enterpriseRoots);
 #else
   return NS_ERROR_NOT_IMPLEMENTED;
@@ -1379,39 +1316,31 @@ NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
                                   int64_t /*SECCertificateUsage*/ aUsage,
                                   uint32_t aFlags,
                                   const nsACString& aHostname,
                                   nsIX509CertList** aVerifiedChain,
                                   bool* aHasEVPolicy,
                                   int32_t* /*PRErrorCode*/ _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::Now(),
                             aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert,
                                      int64_t /*SECCertificateUsage*/ aUsage,
                                      uint32_t aFlags,
                                      const nsACString& aHostname,
                                      uint64_t aTime,
                                      nsIX509CertList** aVerifiedChain,
                                      bool* aHasEVPolicy,
                                      int32_t* /*PRErrorCode*/ _retval)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::TimeFromEpochInSeconds(aTime),
                             aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 class VerifyCertAtTimeTask final : public CryptoTask
 {
 public:
@@ -1471,29 +1400,22 @@ private:
 NS_IMETHODIMP
 nsNSSCertificateDB::AsyncVerifyCertAtTime(nsIX509Cert* aCert,
                                           int64_t /*SECCertificateUsage*/ aUsage,
                                           uint32_t aFlags,
                                           const nsACString& aHostname,
                                           uint64_t aTime,
                                           nsICertVerificationCallback* aCallback)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(aCert, aUsage,
                                                              aFlags, aHostname,
                                                              aTime, aCallback));
   return task->Dispatch("VerifyCert");
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ClearOCSPCache()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
   certVerifier->ClearOCSPCache();
   return NS_OK;
 }
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -817,21 +817,16 @@ nsNSSComponent::GetEnterpriseRoots(nsIX5
 {
   MutexAutoLock nsNSSComponentLock(mMutex);
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
-  // nsNSSComponent isn't a nsNSSShutDownObject, so we can't check
-  // isAlreadyShutDown(). However, since mEnterpriseRoots is cleared when NSS
-  // shuts down, we can use that as a proxy for checking for NSS shutdown.
-  // (Of course, it may also be the case that no enterprise roots were imported,
-  // so we should just return a null list and NS_OK in this case.)
   if (!mEnterpriseRoots) {
     *enterpriseRoots = nullptr;
     return NS_OK;
   }
   UniqueCERTCertList enterpriseRootsCopy(
     nsNSSCertList::DupCertList(mEnterpriseRoots));
   if (!enterpriseRootsCopy) {
     return NS_ERROR_FAILURE;
@@ -998,19 +993,16 @@ private:
   NS_IMETHOD Run() override;
   nsresult LoadLoadableRoots();
   RefPtr<nsNSSComponent> mNSSComponent;
   nsCOMPtr<nsIThread> mThread;
 };
 
 LoadLoadableRootsTask::~LoadLoadableRootsTask()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 LoadLoadableRootsTask::Dispatch()
 {
   // Can't add 'this' as the event to run, since mThread may not be set yet
   nsresult rv = NS_NewNamedThread("LoadRoots", getter_AddRefs(mThread),
@@ -1022,20 +1014,16 @@ LoadLoadableRootsTask::Dispatch()
 
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 LoadLoadableRootsTask::Run()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = LoadLoadableRoots();
   if (NS_FAILED(rv)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed"));
     // We don't return rv here because then BlockUntilLoadableRootsLoaded will
     // just wait forever. Instead we'll save its value (below) so we can inform
     // code that relies on the roots module being present that loading it
     // failed.
   }
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -353,20 +353,16 @@ nsNSSSocketInfo::GetNegotiatedNPN(nsACSt
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::GetAlpnEarlySelection(nsACString& aAlpnSelected)
 {
   aAlpnSelected.Truncate();
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   SSLPreliminaryChannelInfo info;
   SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info));
   if (rv != SECSuccess || !info.canSendEarlyData) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SSLNextProtoState alpnState;
   unsigned char chosenAlpn[MAX_ALPN_LENGTH];
@@ -397,19 +393,16 @@ void
 nsNSSSocketInfo::SetEarlyDataAccepted(bool aAccepted)
 {
   mEarlyDataAccepted = aAccepted;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::DriveHandshake()
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   if (!mFd) {
     return NS_ERROR_FAILURE;
   }
   PRErrorCode errorCode = GetErrorCode();
   if (errorCode) {
     return GetXPCOMFromNSSError(errorCode);
   }
 
@@ -579,18 +572,16 @@ NS_IMETHODIMP
 nsNSSSocketInfo::StartTLS()
 {
   return ActivateSSL();
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::SetNPNList(nsTArray<nsCString>& protocolArray)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
   if (!mFd)
     return NS_ERROR_FAILURE;
 
   // the npn list is a concatenated list of 8 bit byte strings.
   nsCString npnList;
 
   for (uint32_t index = 0; index < protocolArray.Length(); ++index) {
     if (protocolArray[index].IsEmpty() ||
@@ -608,19 +599,16 @@ nsNSSSocketInfo::SetNPNList(nsTArray<nsC
     return NS_ERROR_FAILURE;
 
   return NS_OK;
 }
 
 nsresult
 nsNSSSocketInfo::ActivateSSL()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true))
     return NS_ERROR_FAILURE;
   if (SECSuccess != SSL_ResetHandshake(mFd, false))
     return NS_ERROR_FAILURE;
 
   mHandshakePending = true;
 
   return NS_OK;
@@ -752,21 +740,16 @@ getSocketInfoIfRunning(PRFileDesc* fd, O
       fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) {
     NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning");
     PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0);
     return nullptr;
   }
 
   nsNSSSocketInfo* socketInfo = (nsNSSSocketInfo*) fd->secret;
 
-  if (socketInfo->isAlreadyShutDown()) {
-    PR_SetError(PR_SOCKET_SHUTDOWN_ERROR, 0);
-    return nullptr;
-  }
-
   if (socketInfo->GetErrorCode()) {
     PRErrorCode err = socketInfo->GetErrorCode();
     PR_SetError(err, 0);
     if (op == reading || op == writing) {
       // We must do TLS intolerance checks for reads and writes, for timeouts
       // in particular.
       (void) checkHandshake(-1, op == reading, fd, socketInfo);
     }
--- a/security/manager/ssl/nsNSSShutDown.h
+++ b/security/manager/ssl/nsNSSShutDown.h
@@ -19,15 +19,13 @@ public:
   };
 
   nsNSSShutDownObject() {}
 
   virtual ~nsNSSShutDownObject() {}
 
   void shutdown(ShutdownCalledFrom) {}
 
-  bool isAlreadyShutDown() const { return false; }
-
 protected:
   virtual void virtualDestroyNSSReference() = 0;
 };
 
 #endif // nsNSSShutDown_h
--- a/security/manager/ssl/nsPK11TokenDB.cpp
+++ b/security/manager/ssl/nsPK11TokenDB.cpp
@@ -21,20 +21,16 @@
 extern mozilla::LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token)
 
 nsPK11Token::nsPK11Token(PK11SlotInfo* slot)
   : mUIContext(new PipUIContext())
 {
   MOZ_ASSERT(slot);
-
-  if (isAlreadyShutDown())
-    return;
-
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
 
   Unused << refreshTokenInfo();
 }
 
 nsresult
 nsPK11Token::refreshTokenInfo()
@@ -79,19 +75,16 @@ nsPK11Token::refreshTokenInfo()
                          strnlen(ccSerial, sizeof(tokInfo.serialNumber)));
   mTokenSerialNum.Trim(" ", false, true);
 
   return NS_OK;
 }
 
 nsPK11Token::~nsPK11Token()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPK11Token::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -102,20 +95,16 @@ nsPK11Token::destructorSafeDestroyNSSRef
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPK11Token::GetAttributeHelper(const nsACString& attribute,
                         /*out*/ nsACString& xpcomOutParam)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // Handle removals/insertions.
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshTokenInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
@@ -158,31 +147,23 @@ nsPK11Token::GetTokenSerialNumber(/*out*
 {
   return GetAttributeHelper(mTokenSerialNum, tokenSerialNum);
 }
 
 NS_IMETHODIMP
 nsPK11Token::IsLoggedIn(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *_retval = PK11_IsLoggedIn(mSlot.get(), 0);
-
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::Login(bool force)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsresult rv;
   bool test;
   rv = this->NeedsLogin(&test);
   if (NS_FAILED(rv)) return rv;
   if (test && force) {
     rv = this->LogoutSimple();
     if (NS_FAILED(rv)) return rv;
   }
@@ -190,19 +171,16 @@ nsPK11Token::Login(bool force)
   if (NS_FAILED(rv)) return rv;
 
   return MapSECStatus(PK11_Authenticate(mSlot.get(), true, mUIContext));
 }
 
 NS_IMETHODIMP
 nsPK11Token::LogoutSimple()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // PK11_Logout() can fail if the user wasn't logged in beforehand. We want
   // this method to succeed even in this case, so we ignore the return value.
   Unused << PK11_Logout(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::LogoutAndDropAuthenticatedResources()
@@ -219,42 +197,31 @@ nsPK11Token::LogoutAndDropAuthenticatedR
     return rv;
 
   return nssComponent->LogoutAuthenticatedPK11();
 }
 
 NS_IMETHODIMP
 nsPK11Token::Reset()
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   return MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit)
 {
   NS_ENSURE_ARG_POINTER(aNeedsUserInit);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::CheckPassword(const nsACString& password, bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   SECStatus srv =
     PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get());
   if (srv != SECSuccess) {
     *_retval =  false;
     PRErrorCode error = PR_GetError();
     if (error != SEC_ERROR_BAD_PASSWORD) {
       /* something really bad happened - throw an exception */
       return mozilla::psm::GetXPCOMFromNSSError(error);
@@ -263,20 +230,16 @@ nsPK11Token::CheckPassword(const nsACStr
     *_retval =  true;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::InitPassword(const nsACString& initialPassword)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
   // PSM initializes the sqlite-backed softoken with an empty password. The
   // implementation considers this not to be a password (GetHasPassword returns
   // false), but we can't actually call PK11_InitPin again. Instead, we call
   // PK11_ChangePW with the empty password.
   bool hasPassword;
   nsresult rv = GetHasPassword(&hasPassword);
   if (NS_FAILED(rv)) {
@@ -287,105 +250,78 @@ nsPK11Token::InitPassword(const nsACStri
   }
   return MapSECStatus(PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::ChangePassword(const nsACString& oldPassword,
                             const nsACString& newPassword)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // PK11_ChangePW() has different semantics for the empty string and for
   // nullptr. In order to support this difference, we need to check IsVoid() to
   // find out if our caller supplied null/undefined args or just empty strings.
   // See Bug 447589.
   return MapSECStatus(PK11_ChangePW(
     mSlot.get(),
     oldPassword.IsVoid() ? nullptr : PromiseFlatCString(oldPassword).get(),
     newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetHasPassword(bool* hasPassword)
 {
   NS_ENSURE_ARG_POINTER(hasPassword);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // PK11_NeedLogin returns true if the token is currently configured to require
   // the user to log in (whether or not the user is actually logged in makes no
   // difference).
   *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::NeedsLogin(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   *_retval = PK11_NeedLogin(mSlot.get());
-
   return NS_OK;
 }
 
 /*=========================================================*/
 
 NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB)
 
 nsPK11TokenDB::nsPK11TokenDB()
 {
 }
 
 nsPK11TokenDB::~nsPK11TokenDB()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get());
   token.forget(_retval);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::FindTokenByName(const nsACString& tokenName,
                        /*out*/ nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   if (tokenName.IsEmpty()) {
     return NS_ERROR_ILLEGAL_VALUE;
   }
--- a/security/manager/ssl/nsPKCS11Slot.cpp
+++ b/security/manager/ssl/nsPKCS11Slot.cpp
@@ -21,20 +21,16 @@ using mozilla::LogLevel;
 
 extern mozilla::LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot)
 
 nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot)
 {
   MOZ_ASSERT(slot);
-
-  if (isAlreadyShutDown())
-    return;
-
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
   Unused << refreshSlotInfo();
 }
 
 nsresult
 nsPKCS11Slot::refreshSlotInfo()
 {
@@ -70,19 +66,16 @@ nsPKCS11Slot::refreshSlotInfo()
   mSlotFWVersion.Append('.');
   mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor);
 
   return NS_OK;
 }
 
 nsPKCS11Slot::~nsPKCS11Slot()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPKCS11Slot::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -93,37 +86,30 @@ nsPKCS11Slot::destructorSafeDestroyNSSRe
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute,
                          /*out*/ nsACString& xpcomOutParam)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
   xpcomOutParam = attribute;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetName(/*out*/ nsACString& name)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   // |csn| is non-owning.
   char* csn = PK11_GetSlotName(mSlot.get());
   if (csn && *csn) {
     name = csn;
   } else if (PK11_HasRootCerts(mSlot.get())) {
     // This is a workaround to an Root Module bug - the root certs module has
     // no slot name.  Not bothering to localize, because this is a workaround
     // and for now all the slot names returned by NSS are char * anyway.
@@ -159,31 +145,24 @@ nsPKCS11Slot::GetFWVersion(/*out*/ nsACS
 {
   return GetAttributeHelper(mSlotFWVersion, fwVersion);
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get());
   token.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (!PK11_IsPresent(mSlot.get())) {
     tokenName.SetIsVoid(true);
     return NS_OK;
   }
 
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
     nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
@@ -194,20 +173,16 @@ nsPKCS11Slot::GetTokenName(/*out*/ nsACS
   tokenName = PK11_GetTokenName(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetStatus(uint32_t* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
-
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (PK11_IsDisabled(mSlot.get())) {
     *_retval = SLOT_DISABLED;
   } else if (!PK11_IsPresent(mSlot.get())) {
     *_retval = SLOT_NOT_PRESENT;
   } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) {
     *_retval = SLOT_UNINITIALIZED;
   } else if (PK11_NeedLogin(mSlot.get()) &&
              !PK11_IsLoggedIn(mSlot.get(), nullptr)) {
@@ -220,28 +195,21 @@ nsPKCS11Slot::GetStatus(uint32_t* _retva
   return NS_OK;
 }
 
 NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module)
 
 nsPKCS11Module::nsPKCS11Module(SECMODModule* module)
 {
   MOZ_ASSERT(module);
-
-  if (isAlreadyShutDown())
-    return;
-
   mModule.reset(SECMOD_ReferenceModule(module));
 }
 
 nsPKCS11Module::~nsPKCS11Module()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsPKCS11Module::virtualDestroyNSSReference()
 {
   destructorSafeDestroyNSSReference();
@@ -251,46 +219,37 @@ void
 nsPKCS11Module::destructorSafeDestroyNSSReference()
 {
   mModule = nullptr;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetName(/*out*/ nsACString& name)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   name = mModule->commonName;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetLibName(/*out*/ nsACString& libName)
 {
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   if (mModule->dllName) {
     libName = mModule->dllName;
   } else {
     libName.SetIsVoid(true);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::FindSlotByName(const nsACString& name,
                        /*out*/ nsIPKCS11Slot** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown())
-    return NS_ERROR_NOT_AVAILABLE;
-
   const nsCString& flatName = PromiseFlatCString(name);
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"", flatName.get()));
   UniquePK11SlotInfo slotInfo;
   UniquePK11SlotList slotList(PK11_FindSlotsByNames(mModule->dllName,
                                                     flatName.get() /*slotName*/,
                                                     nullptr /*tokenName*/,
                                                     false));
   if (!slotList) {
@@ -316,19 +275,16 @@ nsPKCS11Module::FindSlotByName(const nsA
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
   nsresult rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   nsCOMPtr<nsIMutableArray> array = do_CreateInstance(NS_ARRAY_CONTRACTID);
   if (!array) {
     return NS_ERROR_FAILURE;
--- a/security/manager/ssl/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@@ -37,20 +37,16 @@ nsPKCS12Blob::nsPKCS12Blob()
   , mTmpFile(nullptr)
 {
   mUIContext = new PipUIContext();
 }
 
 // destructor
 nsPKCS12Blob::~nsPKCS12Blob()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
-
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // nsPKCS12Blob::ImportFromFile
 //
 // Given a file handle, read a PKCS#12 blob from that file, decode it, and
 // import the results into the internal database.
 nsresult
--- a/security/manager/ssl/nsRandomGenerator.cpp
+++ b/security/manager/ssl/nsRandomGenerator.cpp
@@ -14,20 +14,16 @@ NS_IMPL_ISUPPORTS(nsRandomGenerator, nsI
 
 NS_IMETHODIMP
 nsRandomGenerator::GenerateRandomBytes(uint32_t aLength,
                                        uint8_t** aBuffer)
 {
   NS_ENSURE_ARG_POINTER(aBuffer);
   *aBuffer = nullptr;
 
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
 
   auto buf = static_cast<uint8_t*>(moz_xmalloc(aLength));
   if (!buf) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -41,13 +37,10 @@ nsRandomGenerator::GenerateRandomBytes(u
 
   *aBuffer = buf;
 
   return NS_OK;
 }
 
 nsRandomGenerator::~nsRandomGenerator()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
--- a/security/manager/ssl/nsSSLStatus.cpp
+++ b/security/manager/ssl/nsSSLStatus.cpp
@@ -390,39 +390,32 @@ nsSSLStatus::nsSSLStatus()
 , mHaveCertErrorBits(false)
 {
 }
 
 NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
 
 nsSSLStatus::~nsSSLStatus()
 {
-  if (isAlreadyShutDown()) {
-    return;
-  }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus)
 {
   MOZ_ASSERT(aServerCert);
 
   mServerCert = aServerCert;
   mIsEV = (aEVStatus == EVStatus::EV);
   mHasIsEVStatus = true;
 }
 
 nsresult
 nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList)
 {
-  if (isAlreadyShutDown()) {
-    return NS_ERROR_NOT_AVAILABLE;
-  }
-
   // nsNSSCertList takes ownership of certList
   mSucceededCertChain = new nsNSSCertList(Move(aCertList));
 
   return NS_OK;
 }
 
 void
 nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList)
--- a/services/crypto/component/IdentityCryptoService.cpp
+++ b/services/crypto/component/IdentityCryptoService.cpp
@@ -54,19 +54,16 @@ public:
   NS_DECL_NSIIDENTITYKEYPAIR
 
   KeyPair(SECKEYPrivateKey* aPrivateKey, SECKEYPublicKey* aPublicKey,
           nsIEventTarget* aOperationThread);
 
 private:
   ~KeyPair() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -95,19 +92,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   KeyGenRunnable(KeyType keyType, nsIIdentityKeyGenCallback * aCallback,
                  nsIEventTarget* aOperationThread);
 
 private:
   ~KeyGenRunnable() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -132,19 +126,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   SignRunnable(const nsACString & textToSign, SECKEYPrivateKey * privateKey,
                nsIIdentitySignCallback * aCallback);
 
 private:
   ~SignRunnable() override
   {
-    if (isAlreadyShutDown()) {
-      return;
-    }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
@@ -433,47 +424,43 @@ GenerateDSAKeyPair(PK11SlotInfo * slot,
   return GenerateKeyPair(slot, privateKey, publicKey, CKM_DSA_KEY_PAIR_GEN,
                          &pqgParams);
 }
 
 NS_IMETHODIMP
 KeyGenRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
+    // We always want to use the internal slot for BrowserID; in particular,
+    // we want to avoid smartcard slots.
+    PK11SlotInfo *slot = PK11_GetInternalSlot();
+    if (!slot) {
+      mRv = NS_ERROR_UNEXPECTED;
     } else {
-      // We always want to use the internal slot for BrowserID; in particular,
-      // we want to avoid smartcard slots.
-      PK11SlotInfo *slot = PK11_GetInternalSlot();
-      if (!slot) {
-        mRv = NS_ERROR_UNEXPECTED;
-      } else {
-        SECKEYPrivateKey *privk = nullptr;
-        SECKEYPublicKey *pubk = nullptr;
+      SECKEYPrivateKey *privk = nullptr;
+      SECKEYPublicKey *pubk = nullptr;
 
-        switch (mKeyType) {
-        case rsaKey:
-          mRv = GenerateRSAKeyPair(slot, &privk, &pubk);
-          break;
-        case dsaKey:
-          mRv = GenerateDSAKeyPair(slot, &privk, &pubk);
-          break;
-        default:
-          MOZ_CRASH("unknown key type");
-        }
+      switch (mKeyType) {
+      case rsaKey:
+        mRv = GenerateRSAKeyPair(slot, &privk, &pubk);
+        break;
+      case dsaKey:
+        mRv = GenerateDSAKeyPair(slot, &privk, &pubk);
+        break;
+      default:
+        MOZ_CRASH("unknown key type");
+      }
 
-        PK11_FreeSlot(slot);
+      PK11_FreeSlot(slot);
 
-        if (NS_SUCCEEDED(mRv)) {
-          MOZ_ASSERT(privk);
-          MOZ_ASSERT(pubk);
-      // mKeyPair will take over ownership of privk and pubk
-          mKeyPair = new KeyPair(privk, pubk, mThread);
-        }
+      if (NS_SUCCEEDED(mRv)) {
+        MOZ_ASSERT(privk);
+        MOZ_ASSERT(pubk);
+    // mKeyPair will take over ownership of privk and pubk
+        mKeyPair = new KeyPair(privk, pubk, mThread);
       }
     }
 
     NS_DispatchToMainThread(this);
   } else {
     // Back on Main Thread
     (void) mCallback->GenerateKeyPairFinished(mRv, mKeyPair);
   }
@@ -491,49 +478,45 @@ SignRunnable::SignRunnable(const nsACStr
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 NS_IMETHODIMP
 SignRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    if (isAlreadyShutDown()) {
-      mRv = NS_ERROR_NOT_AVAILABLE;
-    } else {
-      // We need the output in PKCS#11 format, not DER encoding, so we must use
-      // PK11_HashBuf and PK11_Sign instead of SEC_SignData.
+    // We need the output in PKCS#11 format, not DER encoding, so we must use
+    // PK11_HashBuf and PK11_Sign instead of SEC_SignData.
 
-      SECItem sig = { siBuffer, nullptr, 0 };
-      int sigLength = PK11_SignatureLen(mPrivateKey);
-      if (sigLength <= 0) {
-        mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
-      } else if (!SECITEM_AllocItem(nullptr, &sig, sigLength)) {
-        mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
-      } else {
-        uint8_t hash[32]; // big enough for SHA-1 or SHA-256
-        SECOidTag hashAlg = mPrivateKey->keyType == dsaKey ? SEC_OID_SHA1
-                                                           : SEC_OID_SHA256;
-        SECItem hashItem = { siBuffer, hash,
-                             hashAlg == SEC_OID_SHA1 ? 20u : 32u };
+    SECItem sig = { siBuffer, nullptr, 0 };
+    int sigLength = PK11_SignatureLen(mPrivateKey);
+    if (sigLength <= 0) {
+      mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    } else if (!SECITEM_AllocItem(nullptr, &sig, sigLength)) {
+      mRv = mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
+    } else {
+      uint8_t hash[32]; // big enough for SHA-1 or SHA-256
+      SECOidTag hashAlg = mPrivateKey->keyType == dsaKey ? SEC_OID_SHA1
+                                                         : SEC_OID_SHA256;
+      SECItem hashItem = { siBuffer, hash,
+                           hashAlg == SEC_OID_SHA1 ? 20u : 32u };
 
-        mRv = MapSECStatus(PK11_HashBuf(hashAlg, hash,
-                    const_cast<uint8_t*>(reinterpret_cast<const uint8_t *>(
-                                            mTextToSign.get())),
-                                      mTextToSign.Length()));
-        if (NS_SUCCEEDED(mRv)) {
-          mRv = MapSECStatus(PK11_Sign(mPrivateKey, &sig, &hashItem));
-        }
-        if (NS_SUCCEEDED(mRv)) {
-          mRv = Base64URLEncode(sig.len, sig.data,
-                                Base64URLEncodePaddingPolicy::Include,
-                                mSignature);
-        }
-        SECITEM_FreeItem(&sig, false);
+      mRv = MapSECStatus(PK11_HashBuf(hashAlg, hash,
+                  const_cast<uint8_t*>(reinterpret_cast<const uint8_t *>(
+                                          mTextToSign.get())),
+                                    mTextToSign.Length()));
+      if (NS_SUCCEEDED(mRv)) {
+        mRv = MapSECStatus(PK11_Sign(mPrivateKey, &sig, &hashItem));
       }
+      if (NS_SUCCEEDED(mRv)) {
+        mRv = Base64URLEncode(sig.len, sig.data,
+                              Base64URLEncodePaddingPolicy::Include,
+                              mSignature);
+      }
+      SECITEM_FreeItem(&sig, false);
     }
 
     NS_DispatchToMainThread(this);
   } else {
     // Back on Main Thread
     (void) mCallback->SignFinished(mRv, mSignature);
   }