bug 1421084 - part 1/4 - remove now-unnecessary nsNSSShutDownPreventionLock r=mt,ttaubert
authorDavid Keeler <dkeeler@mozilla.com>
Tue, 23 Jan 2018 10:37:47 -0800
changeset 457118 b2b6ca8d0f70173d7b18bca53fa4e7a57dba9a14
parent 457117 c0cef2d01295fce0ac263fcc6c1283e7264ef29a
child 457119 ecb9941ee0344bd6952724e371589c3d0834e30d
push id1683
push usersfraser@mozilla.com
push dateThu, 26 Apr 2018 16:43:40 +0000
treeherdermozilla-release@5af6cb21869d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmt, ttaubert
bugs1421084, 1417680
milestone60.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
bug 1421084 - part 1/4 - remove now-unnecessary nsNSSShutDownPreventionLock r=mt,ttaubert As of bug 1417680, the NSS shutdown tracking infrastructure is unnecessary (and does nothing anyway). This series of changesets removes the remaining pieces in a way that is hopefully easy to confirm is correct. MozReview-Commit-ID: 8Y5wpsyNlGc
dom/crypto/CryptoKey.cpp
dom/crypto/CryptoKey.h
dom/crypto/WebCryptoTask.cpp
dom/media/webrtc/RTCCertificate.cpp
dom/media/webrtc/RTCCertificate.h
dom/webauthn/U2FSoftTokenManager.cpp
dom/webauthn/U2FSoftTokenManager.h
netwerk/base/BackgroundFileSaver.cpp
security/apps/AppSignatureVerification.cpp
security/certverifier/ExtendedValidation.cpp
security/certverifier/ExtendedValidation.h
security/manager/ssl/ContentSignatureVerifier.cpp
security/manager/ssl/ContentSignatureVerifier.h
security/manager/ssl/CryptoTask.cpp
security/manager/ssl/PKCS11ModuleDB.cpp
security/manager/ssl/SSLServerCertVerification.cpp
security/manager/ssl/SecretDecoderRing.cpp
security/manager/ssl/TransportSecurityInfo.cpp
security/manager/ssl/nsCertTree.cpp
security/manager/ssl/nsCryptoHash.cpp
security/manager/ssl/nsDataSignatureVerifier.cpp
security/manager/ssl/nsIX509CertList.idl
security/manager/ssl/nsKeyModule.cpp
security/manager/ssl/nsKeygenHandler.cpp
security/manager/ssl/nsKeygenHandler.h
security/manager/ssl/nsKeygenThread.cpp
security/manager/ssl/nsNSSCallbacks.cpp
security/manager/ssl/nsNSSCertHelper.cpp
security/manager/ssl/nsNSSCertValidity.cpp
security/manager/ssl/nsNSSCertificate.cpp
security/manager/ssl/nsNSSCertificate.h
security/manager/ssl/nsNSSCertificateDB.cpp
security/manager/ssl/nsNSSCertificateDB.h
security/manager/ssl/nsNSSComponent.cpp
security/manager/ssl/nsNSSComponent.h
security/manager/ssl/nsNSSHelper.h
security/manager/ssl/nsNSSIOLayer.cpp
security/manager/ssl/nsNSSIOLayer.h
security/manager/ssl/nsNSSShutDown.h
security/manager/ssl/nsNTLMAuthModule.cpp
security/manager/ssl/nsPK11TokenDB.cpp
security/manager/ssl/nsPK11TokenDB.h
security/manager/ssl/nsPKCS11Slot.cpp
security/manager/ssl/nsPKCS11Slot.h
security/manager/ssl/nsPKCS12Blob.cpp
security/manager/ssl/nsRandomGenerator.cpp
security/manager/ssl/nsSSLStatus.cpp
services/crypto/component/IdentityCryptoService.cpp
--- a/dom/crypto/CryptoKey.cpp
+++ b/dom/crypto/CryptoKey.cpp
@@ -157,17 +157,16 @@ CryptoKey::CryptoKey(nsIGlobalObject* aG
   , mSymKey()
   , mPrivateKey(nullptr)
   , mPublicKey(nullptr)
 {
 }
 
 CryptoKey::~CryptoKey()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 JSObject*
@@ -324,18 +323,16 @@ CryptoKey::AddPublicKeyData(SECKEYPublic
 {
   // This should be a private key.
   MOZ_ASSERT(GetKeyType() == PRIVATE);
   // There should be a private NSS key with type 'EC'.
   MOZ_ASSERT(mPrivateKey && mPrivateKey->keyType == ecKey);
   // The given public key should have the same key type.
   MOZ_ASSERT(aPublicKey->keyType == mPrivateKey->keyType);
 
-  nsNSSShutDownPreventionLock locker;
-
   // Read EC params.
   ScopedAutoSECItem params;
   SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, mPrivateKey.get(),
                                        CKA_EC_PARAMS, &params);
   if (rv != SECSuccess) {
     return NS_ERROR_DOM_OPERATION_ERR;
   }
 
@@ -450,32 +447,28 @@ nsresult CryptoKey::SetSymKey(const Cryp
   }
 
   return NS_OK;
 }
 
 nsresult
 CryptoKey::SetPrivateKey(SECKEYPrivateKey* aPrivateKey)
 {
-  nsNSSShutDownPreventionLock locker;
-
   if (!aPrivateKey || isAlreadyShutDown()) {
     mPrivateKey = nullptr;
     return NS_OK;
   }
 
   mPrivateKey = UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(aPrivateKey));
   return mPrivateKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
 
 nsresult
 CryptoKey::SetPublicKey(SECKEYPublicKey* aPublicKey)
 {
-  nsNSSShutDownPreventionLock locker;
-
   if (!aPublicKey || isAlreadyShutDown()) {
     mPublicKey = nullptr;
     return NS_OK;
   }
 
   mPublicKey = UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(aPublicKey));
   return mPublicKey ? NS_OK : NS_ERROR_OUT_OF_MEMORY;
 }
@@ -484,27 +477,25 @@ const CryptoBuffer&
 CryptoKey::GetSymKey() const
 {
   return mSymKey;
 }
 
 UniqueSECKEYPrivateKey
 CryptoKey::GetPrivateKey() const
 {
-  nsNSSShutDownPreventionLock locker;
   if (!mPrivateKey || isAlreadyShutDown()) {
     return nullptr;
   }
   return UniqueSECKEYPrivateKey(SECKEY_CopyPrivateKey(mPrivateKey.get()));
 }
 
 UniqueSECKEYPublicKey
 CryptoKey::GetPublicKey() const
 {
-  nsNSSShutDownPreventionLock locker;
   if (!mPublicKey || isAlreadyShutDown()) {
     return nullptr;
   }
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(mPublicKey.get()));
 }
 
 void CryptoKey::virtualDestroyNSSReference()
 {
@@ -516,18 +507,17 @@ void CryptoKey::destructorSafeDestroyNSS
   mPrivateKey = nullptr;
   mPublicKey = nullptr;
 }
 
 
 // Serialization and deserialization convenience methods
 
 UniqueSECKEYPrivateKey
-CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData,
-                         const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData)
 {
   UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return nullptr;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
@@ -550,18 +540,17 @@ CryptoKey::PrivateKeyFromPkcs8(CryptoBuf
   if (rv == SECFailure) {
     return nullptr;
   }
 
   return UniqueSECKEYPrivateKey(privKey);
 }
 
 UniqueSECKEYPublicKey
-CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData,
-                       const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData)
 {
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return nullptr;
   }
 
   SECItem spkiItem = { siBuffer, nullptr, 0 };
   if (!aKeyData.ToSECItem(arena.get(), &spkiItem)) {
@@ -608,19 +597,17 @@ CryptoKey::PublicKeyFromSpki(CryptoBuffe
   if (!tmp.get() || !PublicKeyValid(tmp.get())) {
     return nullptr;
   }
 
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(tmp.get()));
 }
 
 nsresult
-CryptoKey::PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey,
-                       CryptoBuffer& aRetVal,
-                       const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey, CryptoBuffer& aRetVal)
 {
   UniqueSECItem pkcs8Item(PK11_ExportDERPrivateKeyInfo(aPrivKey, nullptr));
   if (!pkcs8Item.get()) {
     return NS_ERROR_DOM_INVALID_ACCESS_ERR;
   }
   if (!aRetVal.Assign(pkcs8Item.get())) {
     return NS_ERROR_DOM_OPERATION_ERR;
   }
@@ -657,19 +644,17 @@ PublicDhKeyToSpki(SECKEYPublicKey* aPubK
   // The public value is a BIT_STRING encoded as an INTEGER. After encoding
   // an INT we need to adjust the length to reflect the number of bits.
   aSpki->subjectPublicKey.len <<= 3;
 
   return NS_OK;
 }
 
 nsresult
-CryptoKey::PublicKeyToSpki(SECKEYPublicKey* aPubKey,
-                           CryptoBuffer& aRetVal,
-                           const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicKeyToSpki(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal)
 {
   UniqueCERTSubjectPublicKeyInfo spki;
 
   // NSS doesn't support exporting DH public keys.
   if (aPubKey->keyType == dhKey) {
     // Mimic the behavior of SECKEY_CreateSubjectPublicKeyInfo() and create
     // a new arena for the SPKI object.
     UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
@@ -746,18 +731,17 @@ CreateECPointForCoordinates(const Crypto
   point->data[0] = EC_POINT_FORM_UNCOMPRESSED;
   memcpy(point->data + 1, aX.Elements(), aX.Length());
   memcpy(point->data + 1 + aX.Length(), aY.Elements(), aY.Length());
 
   return point;
 }
 
 UniqueSECKEYPrivateKey
-CryptoKey::PrivateKeyFromJwk(const JsonWebKey& aJwk,
-                             const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PrivateKeyFromJwk(const JsonWebKey& aJwk)
 {
   CK_OBJECT_CLASS privateKeyValue = CKO_PRIVATE_KEY;
   CK_BBOOL falseValue = CK_FALSE;
 
   if (aJwk.mKty.EqualsLiteral(JWK_TYPE_EC)) {
     // Verify that all of the required parameters are present
     CryptoBuffer x, y, d;
     if (!aJwk.mCrv.WasPassed() ||
@@ -933,19 +917,17 @@ ECKeyToJwk(const PK11ObjectType aKeyType
     return false;
   }
 
   aRetVal.mKty = NS_LITERAL_STRING(JWK_TYPE_EC);
   return true;
 }
 
 nsresult
-CryptoKey::PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey,
-                           JsonWebKey& aRetVal,
-                           const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey, JsonWebKey& aRetVal)
 {
   switch (aPrivKey->keyType) {
     case rsaKey: {
       aRetVal.mN.Construct();
       aRetVal.mE.Construct();
       aRetVal.mD.Construct();
       aRetVal.mP.Construct();
       aRetVal.mQ.Construct();
@@ -1038,18 +1020,17 @@ CreateECPublicKey(const SECItem* aKeyDat
   if (!CryptoKey::PublicKeyValid(key.get())) {
     return nullptr;
   }
 
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(key.get()));
 }
 
 UniqueSECKEYPublicKey
-CryptoKey::PublicKeyFromJwk(const JsonWebKey& aJwk,
-                            const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicKeyFromJwk(const JsonWebKey& aJwk)
 {
   if (aJwk.mKty.EqualsLiteral(JWK_TYPE_RSA)) {
     // Verify that all of the required parameters are present
     CryptoBuffer n, e;
     if (!aJwk.mN.WasPassed() || NS_FAILED(n.FromJwkBase64(aJwk.mN.Value())) ||
         !aJwk.mE.WasPassed() || NS_FAILED(e.FromJwkBase64(aJwk.mE.Value()))) {
       return nullptr;
     }
@@ -1106,19 +1087,17 @@ CryptoKey::PublicKeyFromJwk(const JsonWe
 
     return CreateECPublicKey(point, namedCurve);
   }
 
   return nullptr;
 }
 
 nsresult
-CryptoKey::PublicKeyToJwk(SECKEYPublicKey* aPubKey,
-                          JsonWebKey& aRetVal,
-                          const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicKeyToJwk(SECKEYPublicKey* aPubKey, JsonWebKey& aRetVal)
 {
   switch (aPubKey->keyType) {
     case rsaKey: {
       CryptoBuffer n, e;
       aRetVal.mN.Construct();
       aRetVal.mE.Construct();
 
       if (!n.Assign(&aPubKey->u.rsa.modulus) ||
@@ -1140,18 +1119,17 @@ CryptoKey::PublicKeyToJwk(SECKEYPublicKe
     default:
       return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
   }
 }
 
 UniqueSECKEYPublicKey
 CryptoKey::PublicDhKeyFromRaw(CryptoBuffer& aKeyData,
                               const CryptoBuffer& aPrime,
-                              const CryptoBuffer& aGenerator,
-                              const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+                              const CryptoBuffer& aGenerator)
 {
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return nullptr;
   }
 
   SECKEYPublicKey* key = PORT_ArenaZNew(arena.get(), SECKEYPublicKey);
   if (!key) {
@@ -1172,30 +1150,27 @@ CryptoKey::PublicDhKeyFromRaw(CryptoBuff
   key->u.dh.prime.type = siUnsignedInteger;
   key->u.dh.base.type = siUnsignedInteger;
   key->u.dh.publicValue.type = siUnsignedInteger;
 
   return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(key));
 }
 
 nsresult
-CryptoKey::PublicDhKeyToRaw(SECKEYPublicKey* aPubKey,
-                            CryptoBuffer& aRetVal,
-                            const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicDhKeyToRaw(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal)
 {
   if (!aRetVal.Assign(&aPubKey->u.dh.publicValue)) {
     return NS_ERROR_DOM_OPERATION_ERR;
   }
   return NS_OK;
 }
 
 UniqueSECKEYPublicKey
 CryptoKey::PublicECKeyFromRaw(CryptoBuffer& aKeyData,
-                              const nsString& aNamedCurve,
-                              const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+                              const nsString& aNamedCurve)
 {
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return nullptr;
   }
 
   SECItem rawItem = { siBuffer, nullptr, 0 };
   if (!aKeyData.ToSECItem(arena.get(), &rawItem)) {
@@ -1223,19 +1198,17 @@ CryptoKey::PublicECKeyFromRaw(CryptoBuff
   if (rawItem.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
     return nullptr;
   }
 
   return CreateECPublicKey(&rawItem, aNamedCurve);
 }
 
 nsresult
-CryptoKey::PublicECKeyToRaw(SECKEYPublicKey* aPubKey,
-                            CryptoBuffer& aRetVal,
-                            const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+CryptoKey::PublicECKeyToRaw(SECKEYPublicKey* aPubKey, CryptoBuffer& aRetVal)
 {
   if (!aRetVal.Assign(&aPubKey->u.ec.publicValue)) {
     return NS_ERROR_DOM_OPERATION_ERR;
   }
   return NS_OK;
 }
 
 bool
@@ -1256,53 +1229,50 @@ CryptoKey::PublicKeyValid(SECKEYPublicKe
 
   SECStatus rv = PK11_DestroyObject(slot.get(), id);
   return (rv == SECSuccess);
 }
 
 bool
 CryptoKey::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return false;
   }
 
   // Write in five pieces
   // 1. Attributes
   // 2. Symmetric key as raw (if present)
   // 3. Private key as pkcs8 (if present)
   // 4. Public key as spki (if present)
   // 5. Algorithm in whatever form it chooses
   CryptoBuffer priv, pub;
 
   if (mPrivateKey) {
-    if (NS_FAILED(CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), priv,
-                                               locker))) {
+    if (NS_FAILED(CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), priv))) {
       return false;
     }
   }
 
   if (mPublicKey) {
-    if (NS_FAILED(CryptoKey::PublicKeyToSpki(mPublicKey.get(), pub, locker))) {
+    if (NS_FAILED(CryptoKey::PublicKeyToSpki(mPublicKey.get(), pub))) {
       return false;
     }
   }
 
   return JS_WriteUint32Pair(aWriter, mAttributes, CRYPTOKEY_SC_VERSION) &&
          WriteBuffer(aWriter, mSymKey) &&
          WriteBuffer(aWriter, priv) &&
          WriteBuffer(aWriter, pub) &&
          mAlgorithm.WriteStructuredClone(aWriter);
 }
 
 bool
 CryptoKey::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return false;
   }
 
   // Ensure that NSS is initialized.
   if (!EnsureNSSInitializedChromeOrContent()) {
     return false;
   }
@@ -1319,20 +1289,20 @@ CryptoKey::ReadStructuredClone(JSStructu
   if (!read) {
     return false;
   }
 
   if (sym.Length() > 0 && !mSymKey.Assign(sym))  {
     return false;
   }
   if (priv.Length() > 0) {
-    mPrivateKey = CryptoKey::PrivateKeyFromPkcs8(priv, locker);
+    mPrivateKey = CryptoKey::PrivateKeyFromPkcs8(priv);
   }
   if (pub.Length() > 0)  {
-    mPublicKey = CryptoKey::PublicKeyFromSpki(pub, locker);
+    mPublicKey = CryptoKey::PublicKeyFromSpki(pub);
   }
 
   // Ensure that what we've read is consistent
   // If the attributes indicate a key type, should have a key of that type
   if (!((GetKeyType() == SECRET  && mSymKey.Length() > 0) ||
         (GetKeyType() == PRIVATE && mPrivateKey) ||
         (GetKeyType() == PUBLIC  && mPublicKey))) {
     return false;
--- a/dom/crypto/CryptoKey.h
+++ b/dom/crypto/CryptoKey.h
@@ -140,60 +140,44 @@ public:
   virtual void virtualDestroyNSSReference() override;
   void destructorSafeDestroyNSSReference();
 
   // Serialization and deserialization convenience methods
   // Note:
   // 1. The inputs aKeyData are non-const only because the NSS import
   //    functions lack the const modifier.  They should not be modified.
   // 2. All of the NSS key objects returned need to be freed by the caller.
-  static UniqueSECKEYPrivateKey PrivateKeyFromPkcs8(
-    CryptoBuffer& aKeyData,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+  static UniqueSECKEYPrivateKey PrivateKeyFromPkcs8(CryptoBuffer& aKeyData);
   static nsresult PrivateKeyToPkcs8(SECKEYPrivateKey* aPrivKey,
-                                    CryptoBuffer& aRetVal,
-                                    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                    CryptoBuffer& aRetVal);
 
-  static UniqueSECKEYPublicKey PublicKeyFromSpki(
-    CryptoBuffer& aKeyData,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+  static UniqueSECKEYPublicKey PublicKeyFromSpki(CryptoBuffer& aKeyData);
   static nsresult PublicKeyToSpki(SECKEYPublicKey* aPubKey,
-                                  CryptoBuffer& aRetVal,
-                                  const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                  CryptoBuffer& aRetVal);
 
-  static UniqueSECKEYPrivateKey PrivateKeyFromJwk(
-    const JsonWebKey& aJwk,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+  static UniqueSECKEYPrivateKey PrivateKeyFromJwk(const JsonWebKey& aJwk);
   static nsresult PrivateKeyToJwk(SECKEYPrivateKey* aPrivKey,
-                                  JsonWebKey& aRetVal,
-                                  const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                  JsonWebKey& aRetVal);
 
-  static UniqueSECKEYPublicKey PublicKeyFromJwk(
-    const JsonWebKey& aKeyData,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+  static UniqueSECKEYPublicKey PublicKeyFromJwk(const JsonWebKey& aKeyData);
   static nsresult PublicKeyToJwk(SECKEYPublicKey* aPubKey,
-                                 JsonWebKey& aRetVal,
-                                 const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                 JsonWebKey& aRetVal);
 
   static UniqueSECKEYPublicKey PublicDhKeyFromRaw(
     CryptoBuffer& aKeyData,
     const CryptoBuffer& aPrime,
-    const CryptoBuffer& aGenerator,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+    const CryptoBuffer& aGenerator);
   static nsresult PublicDhKeyToRaw(SECKEYPublicKey* aPubKey,
-                                   CryptoBuffer& aRetVal,
-                                   const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                   CryptoBuffer& aRetVal);
 
   static UniqueSECKEYPublicKey PublicECKeyFromRaw(
     CryptoBuffer& aKeyData,
-    const nsString& aNamedCurve,
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+    const nsString& aNamedCurve);
   static nsresult PublicECKeyToRaw(SECKEYPublicKey* aPubKey,
-                                   CryptoBuffer& aRetVal,
-                                   const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                                   CryptoBuffer& aRetVal);
 
   static bool PublicKeyValid(SECKEYPublicKey* aPubKey);
 
   // Structured clone methods use these to clone keys
   bool WriteStructuredClone(JSStructuredCloneWriter* aWriter) const;
   bool ReadStructuredClone(JSStructuredCloneReader* aReader);
 
 private:
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -400,18 +400,16 @@ WebCryptoTask::DispatchWithPromise(Promi
   MAYBE_EARLY_FAIL(mEarlyRv)
 }
 
 NS_IMETHODIMP
 WebCryptoTask::Run()
 {
   // Run heavy crypto operations on the thread pool, off the original thread.
   if (!IsOnOriginalThread()) {
-    nsNSSShutDownPreventionLock locker;
-
     if (isAlreadyShutDown()) {
       mRv = NS_ERROR_NOT_AVAILABLE;
     } else {
       mRv = CalculateResult();
     }
 
     // Back to the original thread, i.e. continue below.
     mOriginalEventTarget->Dispatch(this, NS_DISPATCH_NORMAL);
@@ -1764,48 +1762,46 @@ public:
 
 private:
   nsString mHashName;
   uint32_t mModulusLength;
   CryptoBuffer mPublicExponent;
 
   virtual nsresult DoCrypto() override
   {
-    nsNSSShutDownPreventionLock locker;
-
     // Import the key data itself
     UniqueSECKEYPublicKey pubKey;
     UniqueSECKEYPrivateKey privKey;
     if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI) ||
         (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) &&
          !mJwk.mD.WasPassed())) {
       // Public key import
       if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) {
-        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker);
+        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData);
       } else {
-        pubKey = CryptoKey::PublicKeyFromJwk(mJwk, locker);
+        pubKey = CryptoKey::PublicKeyFromJwk(mJwk);
       }
 
       if (!pubKey) {
         return NS_ERROR_DOM_DATA_ERR;
       }
 
       if (NS_FAILED(mKey->SetPublicKey(pubKey.get()))) {
         return NS_ERROR_DOM_OPERATION_ERR;
       }
 
       mKey->SetType(CryptoKey::PUBLIC);
     } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8) ||
         (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) &&
          mJwk.mD.WasPassed())) {
       // Private key import
       if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8)) {
-        privKey = CryptoKey::PrivateKeyFromPkcs8(mKeyData, locker);
+        privKey = CryptoKey::PrivateKeyFromPkcs8(mKeyData);
       } else {
-        privKey = CryptoKey::PrivateKeyFromJwk(mJwk, locker);
+        privKey = CryptoKey::PrivateKeyFromJwk(mJwk);
       }
 
       if (!privKey) {
         return NS_ERROR_DOM_DATA_ERR;
       }
 
       if (NS_FAILED(mKey->SetPrivateKey(privKey.get()))) {
         return NS_ERROR_DOM_OPERATION_ERR;
@@ -1916,40 +1912,39 @@ private:
   nsString mNamedCurve;
 
   virtual nsresult DoCrypto() override
   {
     // Import the key data itself
     UniqueSECKEYPublicKey pubKey;
     UniqueSECKEYPrivateKey privKey;
 
-    nsNSSShutDownPreventionLock locker;
     if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) && mJwk.mD.WasPassed()) {
       // Private key import
-      privKey = CryptoKey::PrivateKeyFromJwk(mJwk, locker);
+      privKey = CryptoKey::PrivateKeyFromJwk(mJwk);
       if (!privKey) {
         return NS_ERROR_DOM_DATA_ERR;
       }
 
       if (NS_FAILED(mKey->SetPrivateKey(privKey.get()))) {
         return NS_ERROR_DOM_OPERATION_ERR;
       }
 
       mKey->SetType(CryptoKey::PRIVATE);
     } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW) ||
                mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI) ||
                (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK) &&
                 !mJwk.mD.WasPassed())) {
       // Public key import
       if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) {
-        pubKey = CryptoKey::PublicECKeyFromRaw(mKeyData, mNamedCurve, locker);
+        pubKey = CryptoKey::PublicECKeyFromRaw(mKeyData, mNamedCurve);
       } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) {
-        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker);
+        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData);
       } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK)) {
-        pubKey = CryptoKey::PublicKeyFromJwk(mJwk, locker);
+        pubKey = CryptoKey::PublicKeyFromJwk(mJwk);
       } else {
         MOZ_ASSERT(false);
       }
 
       if (!pubKey) {
         return NS_ERROR_DOM_DATA_ERR;
       }
 
@@ -2068,25 +2063,23 @@ private:
   CryptoBuffer mPrime;
   CryptoBuffer mGenerator;
 
   virtual nsresult DoCrypto() override
   {
     // Import the key data itself
     UniqueSECKEYPublicKey pubKey;
 
-    nsNSSShutDownPreventionLock locker;
     if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW) ||
         mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) {
       // Public key import
       if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) {
-        pubKey = CryptoKey::PublicDhKeyFromRaw(mKeyData, mPrime, mGenerator,
-                                               locker);
+        pubKey = CryptoKey::PublicDhKeyFromRaw(mKeyData, mPrime, mGenerator);
       } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) {
-        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData, locker);
+        pubKey = CryptoKey::PublicKeyFromSpki(mKeyData);
       } else {
         MOZ_ASSERT(false);
       }
 
       if (!pubKey) {
         return NS_ERROR_DOM_DATA_ERR;
       }
 
@@ -2153,31 +2146,27 @@ private:
   virtual void ReleaseNSSResources() override
   {
     mPrivateKey = nullptr;
     mPublicKey = nullptr;
   }
 
   virtual nsresult DoCrypto() override
   {
-    nsNSSShutDownPreventionLock locker;
-
     if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_RAW)) {
       if (mPublicKey && mPublicKey->keyType == dhKey) {
-        nsresult rv = CryptoKey::PublicDhKeyToRaw(mPublicKey.get(), mResult,
-                                                  locker);
+        nsresult rv = CryptoKey::PublicDhKeyToRaw(mPublicKey.get(), mResult);
         if (NS_FAILED(rv)) {
           return NS_ERROR_DOM_OPERATION_ERR;
         }
         return NS_OK;
       }
 
       if (mPublicKey && mPublicKey->keyType == ecKey) {
-        nsresult rv = CryptoKey::PublicECKeyToRaw(mPublicKey.get(), mResult,
-                                                  locker);
+        nsresult rv = CryptoKey::PublicECKeyToRaw(mPublicKey.get(), mResult);
         if (NS_FAILED(rv)) {
           return NS_ERROR_DOM_OPERATION_ERR;
         }
         return NS_OK;
       }
 
       mResult = mSymKey;
       if (mResult.Length() == 0) {
@@ -2187,56 +2176,55 @@ private:
       return NS_OK;
     } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_PKCS8)) {
       if (!mPrivateKey) {
         return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
       }
 
       switch (mPrivateKey->keyType) {
         case rsaKey: {
-          nsresult rv = CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), mResult, locker);
+          nsresult rv = CryptoKey::PrivateKeyToPkcs8(mPrivateKey.get(), mResult);
           if (NS_FAILED(rv)) {
             return NS_ERROR_DOM_OPERATION_ERR;
           }
           return NS_OK;
         }
         default:
           return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
       }
     } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_SPKI)) {
       if (!mPublicKey) {
         return NS_ERROR_DOM_NOT_SUPPORTED_ERR;
       }
 
-      return CryptoKey::PublicKeyToSpki(mPublicKey.get(), mResult, locker);
+      return CryptoKey::PublicKeyToSpki(mPublicKey.get(), mResult);
     } else if (mFormat.EqualsLiteral(WEBCRYPTO_KEY_FORMAT_JWK)) {
       if (mKeyType == CryptoKey::SECRET) {
         nsString k;
         nsresult rv = mSymKey.ToJwkBase64(k);
         if (NS_FAILED(rv)) {
           return NS_ERROR_DOM_OPERATION_ERR;
         }
         mJwk.mK.Construct(k);
         mJwk.mKty = NS_LITERAL_STRING(JWK_TYPE_SYMMETRIC);
       } else if (mKeyType == CryptoKey::PUBLIC) {
         if (!mPublicKey) {
           return NS_ERROR_DOM_UNKNOWN_ERR;
         }
 
-        nsresult rv = CryptoKey::PublicKeyToJwk(mPublicKey.get(), mJwk, locker);
+        nsresult rv = CryptoKey::PublicKeyToJwk(mPublicKey.get(), mJwk);
         if (NS_FAILED(rv)) {
           return NS_ERROR_DOM_OPERATION_ERR;
         }
       } else if (mKeyType == CryptoKey::PRIVATE) {
         if (!mPrivateKey) {
           return NS_ERROR_DOM_UNKNOWN_ERR;
         }
 
-        nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), mJwk,
-                                                 locker);
+        nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), mJwk);
         if (NS_FAILED(rv)) {
           return NS_ERROR_DOM_OPERATION_ERR;
         }
       }
 
       if (!mAlg.IsEmpty()) {
         mJwk.mAlg.Construct(mAlg);
       }
@@ -3733,17 +3721,16 @@ WebCryptoTask::WebCryptoTask()
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 WebCryptoTask::~WebCryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  nsNSSShutDownPreventionLock lock;
   if (!isAlreadyShutDown()) {
     shutdown(ShutdownCalledFrom::Object);
   }
 
   if (mWorkerHolder) {
     NS_ProxyRelease(
       "WebCryptoTask::mWorkerHolder",
       mOriginalEventTarget, mWorkerHolder.forget());
--- a/dom/media/webrtc/RTCCertificate.cpp
+++ b/dom/media/webrtc/RTCCertificate.cpp
@@ -303,17 +303,16 @@ RTCCertificate::RTCCertificate(nsIGlobal
       mCertificate(aCertificate),
       mAuthType(aAuthType),
       mExpires(aExpires)
 {
 }
 
 RTCCertificate::~RTCCertificate()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // This creates some interesting lifecycle consequences, since the DtlsIdentity
@@ -325,17 +324,16 @@ RTCCertificate::~RTCCertificate()
 // have a lifetime that is strictly shorter than the RTCCertificate.
 //
 // RTCPeerConnection provides this guarantee by holding a strong reference to
 // the RTCCertificate.  It will cleanup any DtlsIdentity instances that it
 // creates before the RTCCertificate reference is released.
 RefPtr<DtlsIdentity>
 RTCCertificate::CreateDtlsIdentity() const
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
     return nullptr;
   }
   UniqueSECKEYPrivateKey key(SECKEY_CopyPrivateKey(mPrivateKey.get()));
   UniqueCERTCertificate cert(CERT_DupCertificate(mCertificate.get()));
   RefPtr<DtlsIdentity> id = new DtlsIdentity(Move(key), Move(cert), mAuthType);
   return id;
 }
@@ -355,96 +353,90 @@ RTCCertificate::virtualDestroyNSSReferen
 void
 RTCCertificate::destructorSafeDestroyNSSReference()
 {
   mPrivateKey.reset();
   mCertificate.reset();
 }
 
 bool
-RTCCertificate::WritePrivateKey(JSStructuredCloneWriter* aWriter,
-                                const nsNSSShutDownPreventionLock& aLockProof) const
+RTCCertificate::WritePrivateKey(JSStructuredCloneWriter* aWriter) const
 {
   JsonWebKey jwk;
-  nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), jwk, aLockProof);
+  nsresult rv = CryptoKey::PrivateKeyToJwk(mPrivateKey.get(), jwk);
   if (NS_FAILED(rv)) {
     return false;
   }
   nsString json;
   if (!jwk.ToJSON(json)) {
     return false;
   }
   return WriteString(aWriter, json);
 }
 
 bool
-RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter,
-                                 const nsNSSShutDownPreventionLock& /*proof*/) const
+RTCCertificate::WriteCertificate(JSStructuredCloneWriter* aWriter) const
 {
   UniqueCERTCertificateList certs(CERT_CertListFromCert(mCertificate.get()));
   if (!certs || certs->len <= 0) {
     return false;
   }
   if (!JS_WriteUint32Pair(aWriter, certs->certs[0].len, 0)) {
     return false;
   }
   return JS_WriteBytes(aWriter, certs->certs[0].data, certs->certs[0].len);
 }
 
 bool
 RTCCertificate::WriteStructuredClone(JSStructuredCloneWriter* aWriter) const
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown() || !mPrivateKey || !mCertificate) {
     return false;
   }
 
   return JS_WriteUint32Pair(aWriter, RTCCERTIFICATE_SC_VERSION, mAuthType) &&
       JS_WriteUint32Pair(aWriter, (mExpires >> 32) & 0xffffffff,
                          mExpires & 0xffffffff) &&
-      WritePrivateKey(aWriter, locker) &&
-      WriteCertificate(aWriter, locker);
+      WritePrivateKey(aWriter) &&
+      WriteCertificate(aWriter);
 }
 
 bool
-RTCCertificate::ReadPrivateKey(JSStructuredCloneReader* aReader,
-                               const nsNSSShutDownPreventionLock& aLockProof)
+RTCCertificate::ReadPrivateKey(JSStructuredCloneReader* aReader)
 {
   nsString json;
   if (!ReadString(aReader, json)) {
     return false;
   }
   JsonWebKey jwk;
   if (!jwk.Init(json)) {
     return false;
   }
-  mPrivateKey = CryptoKey::PrivateKeyFromJwk(jwk, aLockProof);
+  mPrivateKey = CryptoKey::PrivateKeyFromJwk(jwk);
   return !!mPrivateKey;
 }
 
 bool
-RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader,
-                                const nsNSSShutDownPreventionLock& /*proof*/)
+RTCCertificate::ReadCertificate(JSStructuredCloneReader* aReader)
 {
   CryptoBuffer cert;
   if (!ReadBuffer(aReader, cert) || cert.Length() == 0) {
     return false;
   }
 
   SECItem der = { siBuffer, cert.Elements(),
                   static_cast<unsigned int>(cert.Length()) };
   mCertificate.reset(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
                                              &der, nullptr, true, true));
   return !!mCertificate;
 }
 
 bool
 RTCCertificate::ReadStructuredClone(JSStructuredCloneReader* aReader)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return false;
   }
 
   uint32_t version, authType;
   if (!JS_ReadUint32Pair(aReader, &version, &authType) ||
       version != RTCCERTIFICATE_SC_VERSION) {
     return false;
@@ -452,14 +444,14 @@ RTCCertificate::ReadStructuredClone(JSSt
   mAuthType = static_cast<SSLKEAType>(authType);
 
   uint32_t high, low;
   if (!JS_ReadUint32Pair(aReader, &high, &low)) {
     return false;
   }
   mExpires = static_cast<PRTime>(high) << 32 | low;
 
-  return ReadPrivateKey(aReader, locker) &&
-      ReadCertificate(aReader, locker);
+  return ReadPrivateKey(aReader) &&
+      ReadCertificate(aReader);
 }
 
 } // namespace dom
 } // namespace mozilla
--- a/dom/media/webrtc/RTCCertificate.h
+++ b/dom/media/webrtc/RTCCertificate.h
@@ -71,24 +71,20 @@ public:
   bool WriteStructuredClone(JSStructuredCloneWriter* aWriter) const;
   bool ReadStructuredClone(JSStructuredCloneReader* aReader);
 
 private:
   ~RTCCertificate();
   void operator=(const RTCCertificate&) = delete;
   RTCCertificate(const RTCCertificate&) = delete;
 
-  bool ReadCertificate(JSStructuredCloneReader* aReader,
-                       const nsNSSShutDownPreventionLock& /*lockproof*/);
-  bool ReadPrivateKey(JSStructuredCloneReader* aReader,
-                      const nsNSSShutDownPreventionLock& aLockProof);
-  bool WriteCertificate(JSStructuredCloneWriter* aWriter,
-                        const nsNSSShutDownPreventionLock& /*lockproof*/) const;
-  bool WritePrivateKey(JSStructuredCloneWriter* aWriter,
-                       const nsNSSShutDownPreventionLock& aLockProof) const;
+  bool ReadCertificate(JSStructuredCloneReader* aReader);
+  bool ReadPrivateKey(JSStructuredCloneReader* aReader);
+  bool WriteCertificate(JSStructuredCloneWriter* aWriter) const;
+  bool WritePrivateKey(JSStructuredCloneWriter* aWriter) const;
 
   RefPtr<nsIGlobalObject> mGlobal;
   UniqueSECKEYPrivateKey mPrivateKey;
   UniqueCERTCertificate mCertificate;
   SSLKEAType mAuthType;
   PRTime mExpires;
 };
 
--- a/dom/webauthn/U2FSoftTokenManager.cpp
+++ b/dom/webauthn/U2FSoftTokenManager.cpp
@@ -65,17 +65,16 @@ enum SoftTokenHandle {
 
 U2FSoftTokenManager::U2FSoftTokenManager(uint32_t aCounter)
   : mInitialized(false),
     mCounter(aCounter)
 {}
 
 U2FSoftTokenManager::~U2FSoftTokenManager()
 {
-  nsNSSShutDownPreventionLock locker;
 
   if (isAlreadyShutDown()) {
     return;
   }
 
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
@@ -97,19 +96,17 @@ U2FSoftTokenManager::destructorSafeDestr
  * keys found are not returned.
  * PK11_GetNextSymKey() should not be called on the returned key.
  *
  * @param aSlot Slot to search.
  * @param aNickname Nickname the key should have.
  * @return The first key found. nullptr if no key could be found.
  */
 static UniquePK11SymKey
-GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot,
-                    const nsCString& aNickname,
-                    const nsNSSShutDownPreventionLock&)
+GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot, const nsCString& aNickname)
 {
   MOZ_ASSERT(aSlot);
   if (NS_WARN_IF(!aSlot)) {
     return nullptr;
   }
 
   MOZ_LOG(gNSSTokenLog, LogLevel::Debug,
           ("Searching for a symmetric key named %s", aNickname.get()));
@@ -135,18 +132,17 @@ GetSymKeyByNickname(const UniquePK11Slot
   }
 
   return keyListHead;
 }
 
 static nsresult
 GenEcKeypair(const UniquePK11SlotInfo& aSlot,
              /*out*/ UniqueSECKEYPrivateKey& aPrivKey,
-             /*out*/ UniqueSECKEYPublicKey& aPubKey,
-             const nsNSSShutDownPreventionLock&)
+             /*out*/ UniqueSECKEYPublicKey& aPubKey)
 {
   MOZ_ASSERT(aSlot);
   if (NS_WARN_IF(!aSlot)) {
     return NS_ERROR_INVALID_ARG;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (NS_WARN_IF(!arena)) {
@@ -177,27 +173,26 @@ GenEcKeypair(const UniquePK11SlotInfo& a
   if (NS_WARN_IF(aPubKey->u.ec.publicValue.len != kPublicKeyLen)) {
     return NS_ERROR_FAILURE;
   }
 
   return NS_OK;
 }
 
 nsresult
-U2FSoftTokenManager::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot,
-                                            const nsNSSShutDownPreventionLock& locker)
+U2FSoftTokenManager::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot)
 {
   MOZ_ASSERT(aSlot);
   if (NS_WARN_IF(!aSlot)) {
     return NS_ERROR_INVALID_ARG;
   }
 
   // Search for an existing wrapping key. If we find it,
   // store it for later and mark ourselves initialized.
-  mWrappingKey = GetSymKeyByNickname(aSlot, mSecretNickname, locker);
+  mWrappingKey = GetSymKeyByNickname(aSlot, mSecretNickname);
   if (mWrappingKey) {
     MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("U2F Soft Token Key found."));
     mInitialized = true;
     return NS_OK;
   }
 
   MOZ_LOG(gNSSTokenLog, LogLevel::Info,
           ("No keys found. Generating new U2F Soft Token wrapping key."));
@@ -239,28 +234,27 @@ U2FSoftTokenManager::GetOrCreateWrapping
                                            }));
 
   return NS_OK;
 }
 
 static nsresult
 GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
                           /*out*/ UniqueSECKEYPrivateKey& aAttestPrivKey,
-                          /*out*/ UniqueCERTCertificate& aAttestCert,
-                          const nsNSSShutDownPreventionLock& locker)
+                          /*out*/ UniqueCERTCertificate& aAttestCert)
 {
   MOZ_ASSERT(aSlot);
   if (NS_WARN_IF(!aSlot)) {
     return NS_ERROR_INVALID_ARG;
   }
 
   UniqueSECKEYPublicKey pubKey;
 
   // Construct an ephemeral keypair for this Attestation Certificate
-  nsresult rv = GenEcKeypair(aSlot, aAttestPrivKey, pubKey, locker);
+  nsresult rv = GenEcKeypair(aSlot, aAttestPrivKey, pubKey);
   if (NS_WARN_IF(NS_FAILED(rv) || !aAttestPrivKey || !pubKey)) {
     MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
             ("Failed to gen keypair, NSS error #%d", PORT_GetError()));
     return NS_ERROR_FAILURE;
   }
 
   // Construct the Attestation Certificate itself
   UniqueCERTName subjectName(CERT_AsciiToName(kAttestCertSubjectName.get()));
@@ -367,44 +361,42 @@ GetAttestationCertificate(const UniquePK
 nsresult
 U2FSoftTokenManager::Init()
 {
   // If we've already initialized, just return.
   if (mInitialized) {
     return NS_OK;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (NS_WARN_IF(isAlreadyShutDown())) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   MOZ_ASSERT(slot.get());
 
   // Search for an existing wrapping key, or create one.
-  nsresult rv = GetOrCreateWrappingKey(slot, locker);
+  nsresult rv = GetOrCreateWrappingKey(slot);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return rv;
   }
 
   mInitialized = true;
   MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("U2F Soft Token initialized."));
   return NS_OK;
 }
 
 // Convert a Private Key object into an opaque key handle, using AES Key Wrap
 // with the long-lived aPersistentKey mixed with aAppParam to convert aPrivKey.
 // The key handle's format is version || saltLen || salt || wrappedPrivateKey
 static UniqueSECItem
 KeyHandleFromPrivateKey(const UniquePK11SlotInfo& aSlot,
                         const UniquePK11SymKey& aPersistentKey,
                         uint8_t* aAppParam, uint32_t aAppParamLen,
-                        const UniqueSECKEYPrivateKey& aPrivKey,
-                        const nsNSSShutDownPreventionLock&)
+                        const UniqueSECKEYPrivateKey& aPrivKey)
 {
   MOZ_ASSERT(aSlot);
   MOZ_ASSERT(aPersistentKey);
   MOZ_ASSERT(aAppParam);
   MOZ_ASSERT(aPrivKey);
   if (NS_WARN_IF(!aSlot || !aPersistentKey || !aPrivKey || !aAppParam)) {
     return nullptr;
   }
@@ -487,18 +479,17 @@ KeyHandleFromPrivateKey(const UniquePK11
 
 // Convert an opaque key handle aKeyHandle back into a Private Key object, using
 // the long-lived aPersistentKey mixed with aAppParam and the AES Key Wrap
 // algorithm.
 static UniqueSECKEYPrivateKey
 PrivateKeyFromKeyHandle(const UniquePK11SlotInfo& aSlot,
                         const UniquePK11SymKey& aPersistentKey,
                         uint8_t* aKeyHandle, uint32_t aKeyHandleLen,
-                        uint8_t* aAppParam, uint32_t aAppParamLen,
-                        const nsNSSShutDownPreventionLock&)
+                        uint8_t* aAppParam, uint32_t aAppParamLen)
 {
   MOZ_ASSERT(aSlot);
   MOZ_ASSERT(aPersistentKey);
   MOZ_ASSERT(aKeyHandle);
   MOZ_ASSERT(aAppParam);
   MOZ_ASSERT(aAppParamLen == SHA256_LENGTH);
   if (NS_WARN_IF(!aSlot || !aPersistentKey || !aKeyHandle || !aAppParam ||
                  aAppParamLen != SHA256_LENGTH)) {
@@ -574,17 +565,16 @@ PrivateKeyFromKeyHandle(const UniquePK11
 }
 
 // IsRegistered determines if the provided key handle is usable by this token.
 nsresult
 U2FSoftTokenManager::IsRegistered(const nsTArray<uint8_t>& aKeyHandle,
                                   const nsTArray<uint8_t>& aAppParam,
                                   bool& aResult)
 {
-  nsNSSShutDownPreventionLock locker;
   if (NS_WARN_IF(isAlreadyShutDown())) {
     return NS_ERROR_FAILURE;
   }
 
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return rv;
@@ -594,18 +584,17 @@ U2FSoftTokenManager::IsRegistered(const 
   UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   MOZ_ASSERT(slot.get());
 
   // Decode the key handle
   UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey,
                                                            const_cast<uint8_t*>(aKeyHandle.Elements()),
                                                            aKeyHandle.Length(),
                                                            const_cast<uint8_t*>(aAppParam.Elements()),
-                                                           aAppParam.Length(),
-                                                           locker);
+                                                           aAppParam.Length());
   aResult = privKey.get() != nullptr;
   return NS_OK;
 }
 
 // A U2F Register operation causes a new key pair to be generated by the token.
 // The token then returns the public key of the key pair, and a handle to the
 // private key, which is a fancy way of saying "key wrapped private key", as
 // well as the generated attestation certificate and a signature using that
@@ -626,17 +615,16 @@ U2FSoftTokenManager::IsRegistered(const 
 //
 RefPtr<U2FRegisterPromise>
 U2FSoftTokenManager::Register(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                               const WebAuthnAuthenticatorSelection &aAuthenticatorSelection,
                               const nsTArray<uint8_t>& aApplication,
                               const nsTArray<uint8_t>& aChallenge,
                               uint32_t aTimeoutMS)
 {
-  nsNSSShutDownPreventionLock locker;
   if (NS_WARN_IF(isAlreadyShutDown())) {
     return U2FRegisterPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
   }
 
   if (!mInitialized) {
     nsresult rv = Init();
     if (NS_WARN_IF(NS_FAILED(rv))) {
       return U2FRegisterPromise::CreateAndReject(rv, __func__);
@@ -667,37 +655,36 @@ U2FSoftTokenManager::Register(const nsTA
   MOZ_ASSERT(mWrappingKey);
 
   UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   MOZ_ASSERT(slot.get());
 
   // Construct a one-time-use Attestation Certificate
   UniqueSECKEYPrivateKey attestPrivKey;
   UniqueCERTCertificate attestCert;
-  nsresult rv = GetAttestationCertificate(slot, attestPrivKey, attestCert,
-                                          locker);
+  nsresult rv = GetAttestationCertificate(slot, attestPrivKey, attestCert);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__);
   }
   MOZ_ASSERT(attestCert);
   MOZ_ASSERT(attestPrivKey);
 
   // Generate a new keypair; the private will be wrapped into a Key Handle
   UniqueSECKEYPrivateKey privKey;
   UniqueSECKEYPublicKey pubKey;
-  rv = GenEcKeypair(slot, privKey, pubKey, locker);
+  rv = GenEcKeypair(slot, privKey, pubKey);
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__);
   }
 
   // The key handle will be the result of keywrap(privKey, key=mWrappingKey)
   UniqueSECItem keyHandleItem = KeyHandleFromPrivateKey(slot, mWrappingKey,
                                                         const_cast<uint8_t*>(aApplication.Elements()),
                                                         aApplication.Length(),
-                                                        privKey, locker);
+                                                        privKey);
   if (NS_WARN_IF(!keyHandleItem.get())) {
     return U2FRegisterPromise::CreateAndReject(NS_ERROR_FAILURE, __func__);
   }
 
   // Sign the challenge using the Attestation privkey (from attestCert)
   mozilla::dom::CryptoBuffer signedDataBuf;
   if (NS_WARN_IF(!signedDataBuf.SetCapacity(1 + aApplication.Length() + aChallenge.Length() +
                                             keyHandleItem->len + kPublicKeyLen,
@@ -759,17 +746,16 @@ U2FSoftTokenManager::Register(const nsTA
 //
 RefPtr<U2FSignPromise>
 U2FSoftTokenManager::Sign(const nsTArray<WebAuthnScopedCredential>& aCredentials,
                           const nsTArray<uint8_t>& aApplication,
                           const nsTArray<uint8_t>& aChallenge,
                           bool aRequireUserVerification,
                           uint32_t aTimeoutMS)
 {
-  nsNSSShutDownPreventionLock locker;
   if (NS_WARN_IF(isAlreadyShutDown())) {
     return U2FSignPromise::CreateAndReject(NS_ERROR_NOT_AVAILABLE, __func__);
   }
 
   // The U2F softtoken doesn't support user verification.
   if (aRequireUserVerification) {
     return U2FSignPromise::CreateAndReject(NS_ERROR_DOM_NOT_ALLOWED_ERR, __func__);
   }
@@ -802,18 +788,17 @@ U2FSoftTokenManager::Sign(const nsTArray
     return U2FSignPromise::CreateAndReject(NS_ERROR_ILLEGAL_VALUE, __func__);
   }
 
   // Decode the key handle
   UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey,
                                                            const_cast<uint8_t*>(keyHandle.Elements()),
                                                            keyHandle.Length(),
                                                            const_cast<uint8_t*>(aApplication.Elements()),
-                                                           aApplication.Length(),
-                                                           locker);
+                                                           aApplication.Length());
   if (NS_WARN_IF(!privKey.get())) {
     MOZ_LOG(gNSSTokenLog, LogLevel::Warning, ("Couldn't get the priv key!"));
     return U2FSignPromise::CreateAndReject(NS_ERROR_FAILURE, __func__);
   }
 
   // Increment the counter and turn it into a SECItem
   mCounter += 1;
   ScopedAutoSECItem counterItem(4);
--- a/dom/webauthn/U2FSoftTokenManager.h
+++ b/dom/webauthn/U2FSoftTokenManager.h
@@ -53,17 +53,16 @@ private:
                         const nsTArray<uint8_t>& aAppParam,
                         bool& aResult);
 
   bool mInitialized;
   mozilla::UniquePK11SymKey mWrappingKey;
 
   static const nsCString mSecretNickname;
 
-  nsresult GetOrCreateWrappingKey(const mozilla::UniquePK11SlotInfo& aSlot,
-                                  const nsNSSShutDownPreventionLock&);
+  nsresult GetOrCreateWrappingKey(const mozilla::UniquePK11SlotInfo& aSlot);
   uint32_t mCounter;
 };
 
 } // namespace dom
 } // namespace mozilla
 
 #endif // mozilla_dom_U2FSoftTokenManager_h
--- a/netwerk/base/BackgroundFileSaver.cpp
+++ b/netwerk/base/BackgroundFileSaver.cpp
@@ -113,17 +113,16 @@ BackgroundFileSaver::BackgroundFileSaver
 , mDigestContext(nullptr)
 {
   LOG(("Created BackgroundFileSaver [this = %p]", this));
 }
 
 BackgroundFileSaver::~BackgroundFileSaver()
 {
   LOG(("Destroying BackgroundFileSaver [this = %p]", this));
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -548,17 +547,16 @@ BackgroundFileSaver::ProcessStateChange(
     rv = mPipeInputStream->Available(&available);
     if (NS_FAILED(rv)) {
       return NS_OK;
     }
   }
 
   // Create the digest context if requested and NSS hasn't been shut down.
   if (sha256Enabled && !mDigestContext) {
-    nsNSSShutDownPreventionLock lock;
     if (!isAlreadyShutDown()) {
       mDigestContext = UniquePK11Context(
         PK11_CreateDigestContext(SEC_OID_SHA256));
       NS_ENSURE_TRUE(mDigestContext, NS_ERROR_OUT_OF_MEMORY);
     }
   }
 
   // When we are requested to append to an existing file, we should read the
@@ -577,17 +575,16 @@ BackgroundFileSaver::ProcessStateChange(
         rv = inputStream->Read(buffer, BUFFERED_IO_SIZE, &count);
         NS_ENSURE_SUCCESS(rv, rv);
 
         if (count == 0) {
           // We reached the end of the file.
           break;
         }
 
-        nsNSSShutDownPreventionLock lock;
         if (isAlreadyShutDown()) {
           return NS_ERROR_NOT_AVAILABLE;
         }
 
         nsresult rv = MapSECStatus(
           PK11_DigestOp(mDigestContext.get(),
                         BitwiseCast<unsigned char*, char*>(buffer),
                         count));
@@ -623,23 +620,21 @@ BackgroundFileSaver::ProcessStateChange(
   nsCOMPtr<nsIOutputStream> bufferedStream;
   rv = NS_NewBufferedOutputStream(getter_AddRefs(bufferedStream),
                                   outputStream.forget(), BUFFERED_IO_SIZE);
   NS_ENSURE_SUCCESS(rv, rv);
   outputStream = bufferedStream;
 
   // Wrap the output stream so that it feeds the digest context if needed.
   if (mDigestContext) {
-    // No need to acquire the NSS lock here, DigestOutputStream must acquire it
-    // in any case before each asynchronous write. Constructing the
-    // DigestOutputStream cannot fail. Passing mDigestContext to
-    // DigestOutputStream is safe, because BackgroundFileSaver always outlives
-    // the outputStream. BackgroundFileSaver is reference-counted before the
-    // call to AsyncCopy, and mDigestContext is never destroyed before
-    // AsyncCopyCallback.
+    // Constructing the DigestOutputStream cannot fail. Passing mDigestContext
+    // to DigestOutputStream is safe, because BackgroundFileSaver always
+    // outlives the outputStream. BackgroundFileSaver is reference-counted
+    // before the call to AsyncCopy, and mDigestContext is never destroyed
+    // before AsyncCopyCallback.
     outputStream = new DigestOutputStream(outputStream, mDigestContext.get());
   }
 
   // Start copying our input to the target file.  No errors can be raised past
   // this point if the copy starts, since they should be handled by the thread.
   {
     MutexAutoLock lock(mLock);
 
@@ -719,17 +714,16 @@ BackgroundFileSaver::CheckCompletion()
   // Ensure we notify completion now that the operation finished.
   // Do a best-effort attempt to remove the file if required.
   if (failed && mActualTarget && !mActualTargetKeepPartial) {
     (void)mActualTarget->Remove(false);
   }
 
   // Finish computing the hash
   if (!failed && mDigestContext) {
-    nsNSSShutDownPreventionLock lock;
     if (!isAlreadyShutDown()) {
       Digest d;
       rv = d.End(SEC_OID_SHA256, mDigestContext);
       if (NS_SUCCEEDED(rv)) {
         MutexAutoLock lock(mLock);
         mSha256 =
           nsDependentCSubstring(BitwiseCast<char*, unsigned char*>(d.get().data),
                                 d.get().len);
@@ -812,17 +806,16 @@ BackgroundFileSaver::NotifySaveComplete(
   return NS_OK;
 }
 
 nsresult
 BackgroundFileSaver::ExtractSignatureInfo(const nsAString& filePath)
 {
   MOZ_ASSERT(!NS_IsMainThread(), "Cannot extract signature on main thread");
 
-  nsNSSShutDownPreventionLock nssLock;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   {
     MutexAutoLock lock(mLock);
     if (!mSignatureInfoEnabled) {
       return NS_OK;
     }
@@ -1214,17 +1207,16 @@ DigestOutputStream::DigestOutputStream(n
   , mDigestContext(aContext)
 {
   MOZ_ASSERT(mDigestContext, "Can't have null digest context");
   MOZ_ASSERT(mOutputStream, "Can't have null output stream");
 }
 
 DigestOutputStream::~DigestOutputStream()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Close()
@@ -1236,17 +1228,16 @@ NS_IMETHODIMP
 DigestOutputStream::Flush()
 {
   return mOutputStream->Flush();
 }
 
 NS_IMETHODIMP
 DigestOutputStream::Write(const char* aBuf, uint32_t aCount, uint32_t* retval)
 {
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = MapSECStatus(
     PK11_DigestOp(mDigestContext,
                   BitwiseCast<const unsigned char*, const char*>(aBuf),
                   aCount));
--- a/security/apps/AppSignatureVerification.cpp
+++ b/security/apps/AppSignatureVerification.cpp
@@ -734,20 +734,16 @@ GetSignerInfoForDigestAlgorithm(NSSCMSSi
 
 nsresult
 VerifySignature(AppTrustedRoot trustedRoot, const SECItem& buffer,
                 const SECItem& detachedSHA1Digest,
                 const SECItem& detachedSHA256Digest,
                 /*out*/ SECOidTag& digestAlgorithm,
                 /*out*/ UniqueCERTCertList& builtChain)
 {
-  // Currently, this function is only called within the CalculateResult() method
-  // of CryptoTasks. As such, NSS should not be shut down at this point and the
-  // CryptoTask implementation should already hold a nsNSSShutDownPreventionLock.
-
   if (NS_WARN_IF(!buffer.data || buffer.len == 0 || !detachedSHA1Digest.data ||
                  detachedSHA1Digest.len == 0 || !detachedSHA256Digest.data ||
                  detachedSHA256Digest.len == 0)) {
     return NS_ERROR_INVALID_ARG;
   }
 
   UniqueNSSCMSMessage
     cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -1080,17 +1080,17 @@ CertIsAuthoritativeForEVPolicy(const Uni
       return true;
     }
   }
 
   return false;
 }
 
 nsresult
-LoadExtendedValidationInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+LoadExtendedValidationInfo()
 {
   static const char* sCABForumOIDString = "2.23.140.1.1";
   static const char* sCABForumOIDDescription = "CA/Browser Forum EV OID";
 
   ScopedAutoSECItem cabforumOIDItem;
   if (SEC_StringToOID(nullptr, &cabforumOIDItem, sCABForumOIDString, 0)
         != SECSuccess) {
     return NS_ERROR_FAILURE;
--- a/security/certverifier/ExtendedValidation.h
+++ b/security/certverifier/ExtendedValidation.h
@@ -9,18 +9,17 @@
 #include "ScopedNSSTypes.h"
 #include "certt.h"
 #include "nsNSSShutDown.h"
 
 namespace mozilla { namespace pkix { struct CertPolicyId; } }
 
 namespace mozilla { namespace psm {
 
-nsresult LoadExtendedValidationInfo(
-  const nsNSSShutDownPreventionLock& proofOfLock);
+nsresult LoadExtendedValidationInfo();
 
 /**
  * Finds the first policy OID in the given cert that is known to be an EV policy
  * OID.
  *
  * @param cert
  *        The cert to find the first EV policy of.
  * @param policy
--- a/security/manager/ssl/ContentSignatureVerifier.cpp
+++ b/security/manager/ssl/ContentSignatureVerifier.cpp
@@ -39,17 +39,16 @@ using namespace mozilla::psm;
 static LazyLogModule gCSVerifierPRLog("ContentSignatureVerifier");
 #define CSVerifier_LOG(args) MOZ_LOG(gCSVerifierPRLog, LogLevel::Debug, args)
 
 // Content-Signature prefix
 const nsLiteralCString kPREFIX = NS_LITERAL_CSTRING("Content-Signature:\x00");
 
 ContentSignatureVerifier::~ContentSignatureVerifier()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
@@ -76,18 +75,17 @@ ContentSignatureVerifier::VerifyContentS
 
 bool
 IsNewLine(char16_t c)
 {
   return c == '\n' || c == '\r';
 }
 
 nsresult
-ReadChainIntoCertList(const nsACString& aCertChain, CERTCertList* aCertList,
-                      const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+ReadChainIntoCertList(const nsACString& aCertChain, CERTCertList* aCertList)
 {
   bool inBlock = false;
   bool certFound = false;
 
   const nsCString header = NS_LITERAL_CSTRING("-----BEGIN CERTIFICATE-----");
   const nsCString footer = NS_LITERAL_CSTRING("-----END CERTIFICATE-----");
 
   nsCWhitespaceTokenizerTemplate<IsNewLine> tokenizer(aCertChain);
@@ -143,28 +141,27 @@ ReadChainIntoCertList(const nsACString& 
 }
 
 nsresult
 ContentSignatureVerifier::CreateContextInternal(const nsACString& aData,
                                                 const nsACString& aCertChain,
                                                 const nsACString& aName)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
     return NS_ERROR_FAILURE;
   }
 
   UniqueCERTCertList certCertList(CERT_NewCertList());
   if (!certCertList) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get(), locker);
+  nsresult rv = ReadChainIntoCertList(aCertChain, certCertList.get());
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   CERTCertListNode* node = CERT_LIST_HEAD(certCertList.get());
   if (!node || CERT_LIST_END(node, certCertList.get()) || !node->cert) {
     return NS_ERROR_FAILURE;
   }
@@ -275,22 +272,22 @@ ContentSignatureVerifier::CreateContextI
   }
 
   if (VFY_Begin(mCx.get()) != SECSuccess) {
     // Creating context failed.
     Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 9);
     return NS_ERROR_INVALID_SIGNATURE;
   }
 
-  rv = UpdateInternal(kPREFIX, locker);
+  rv = UpdateInternal(kPREFIX);
   if (NS_FAILED(rv)) {
     return rv;
   }
   // add data if we got any
-  return UpdateInternal(aData, locker);
+  return UpdateInternal(aData);
 }
 
 nsresult
 ContentSignatureVerifier::DownloadCertChain()
 {
   MOZ_ASSERT(NS_IsMainThread());
 
   if (mCertChainURL.IsEmpty()) {
@@ -386,18 +383,17 @@ ContentSignatureVerifier::CreateContext(
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   return CreateContextInternal(aData, aCertChain, aName);
 }
 
 nsresult
-ContentSignatureVerifier::UpdateInternal(
-  const nsACString& aData, const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+ContentSignatureVerifier::UpdateInternal(const nsACString& aData)
 {
   if (!aData.IsEmpty()) {
     if (VFY_Update(mCx.get(), (const unsigned char*)nsPromiseFlatCString(aData).get(),
                    aData.Length()) != SECSuccess){
       return NS_ERROR_INVALID_SIGNATURE;
     }
   }
   return NS_OK;
@@ -405,42 +401,40 @@ ContentSignatureVerifier::UpdateInternal
 
 /**
  * Add data to the context that shold be verified.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::Update(const nsACString& aData)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
     return NS_ERROR_FAILURE;
   }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     MOZ_ASSERT_UNREACHABLE(
       "Someone called ContentSignatureVerifier::Update before "
       "downloading the cert chain.");
     return NS_ERROR_FAILURE;
   }
 
-  return UpdateInternal(aData, locker);
+  return UpdateInternal(aData);
 }
 
 /**
  * Finish signature verification and return the result in _retval.
  */
 NS_IMETHODIMP
 ContentSignatureVerifier::End(bool* _retval)
 {
   NS_ENSURE_ARG(_retval);
   MOZ_ASSERT(NS_IsMainThread());
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     CSVerifier_LOG(("CSVerifier: nss is already shutdown\n"));
     return NS_ERROR_FAILURE;
   }
 
   // If we didn't create the context yet, bail!
   if (!mHasCertChain) {
     Accumulate(Telemetry::CONTENT_SIGNATURE_VERIFICATION_STATUS, 2);
--- a/security/manager/ssl/ContentSignatureVerifier.h
+++ b/security/manager/ssl/ContentSignatureVerifier.h
@@ -46,18 +46,17 @@ public:
   virtual void virtualDestroyNSSReference() override
   {
     destructorSafeDestroyNSSReference();
   }
 
 private:
   ~ContentSignatureVerifier();
 
-  nsresult UpdateInternal(const nsACString& aData,
-                          const nsNSSShutDownPreventionLock& /*proofOfLock*/);
+  nsresult UpdateInternal(const nsACString& aData);
   nsresult DownloadCertChain();
   nsresult CreateContextInternal(const nsACString& aData,
                                  const nsACString& aCertChain,
                                  const nsACString& aName);
 
   void destructorSafeDestroyNSSReference()
   {
     mCx = nullptr;
--- a/security/manager/ssl/CryptoTask.cpp
+++ b/security/manager/ssl/CryptoTask.cpp
@@ -8,17 +8,16 @@
 #include "nsNSSComponent.h"
 
 namespace mozilla {
 
 CryptoTask::~CryptoTask()
 {
   MOZ_ASSERT(mReleasedNSSResources);
 
-  nsNSSShutDownPreventionLock lock;
   if (!isAlreadyShutDown()) {
     shutdown(ShutdownCalledFrom::Object);
   }
 }
 
 nsresult
 CryptoTask::Dispatch(const nsACString& taskThreadName)
 {
@@ -41,17 +40,16 @@ CryptoTask::Dispatch(const nsACString& t
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 CryptoTask::Run()
 {
   if (!NS_IsMainThread()) {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       mRv = NS_ERROR_NOT_AVAILABLE;
     } else {
       mRv = CalculateResult();
     }
     NS_DispatchToMainThread(this);
   } else {
     // back on the main thread
--- a/security/manager/ssl/PKCS11ModuleDB.cpp
+++ b/security/manager/ssl/PKCS11ModuleDB.cpp
@@ -20,28 +20,26 @@ namespace mozilla { namespace psm {
 NS_IMPL_ISUPPORTS(PKCS11ModuleDB, nsIPKCS11ModuleDB)
 
 PKCS11ModuleDB::PKCS11ModuleDB()
 {
 }
 
 PKCS11ModuleDB::~PKCS11ModuleDB()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // Delete a PKCS11 module from the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::DeleteModule(const nsAString& aModuleName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
@@ -86,17 +84,16 @@ GetModuleNameForTelemetry(/*in*/ const S
 
 // Add a new PKCS11 module to the user's profile.
 NS_IMETHODIMP
 PKCS11ModuleDB::AddModule(const nsAString& aModuleName,
                           const nsAString& aLibraryFullPath,
                           int32_t aCryptoMechanismFlags,
                           int32_t aCipherFlags)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (aModuleName.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
@@ -150,17 +147,16 @@ PKCS11ModuleDB::AddModule(const nsAStrin
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::FindModuleByName(const nsACString& name,
                          /*out*/ nsIPKCS11Module** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -175,17 +171,16 @@ PKCS11ModuleDB::FindModuleByName(const n
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ListModules(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -219,30 +214,28 @@ PKCS11ModuleDB::ListModules(nsISimpleEnu
   return array->Enumerate(_retval);
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetCanToggleFIPS(bool* aCanToggleFIPS)
 {
   NS_ENSURE_ARG_POINTER(aCanToggleFIPS);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   *aCanToggleFIPS = SECMOD_CanDeleteInternalModule();
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 PKCS11ModuleDB::ToggleFIPSMode()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // The way to toggle FIPS mode in NSS is extremely obscure. Basically, we
   // delete the internal module, and it gets replaced with the opposite module
   // (i.e. if it was FIPS before, then it becomes non-FIPS next).
   // SECMOD_GetInternalModule() returns a pointer to a local copy of the
@@ -264,17 +257,16 @@ PKCS11ModuleDB::ToggleFIPSMode()
   return NS_OK;
 }
 
 NS_IMETHODIMP
 PKCS11ModuleDB::GetIsFIPSEnabled(bool* aIsFIPSEnabled)
 {
   NS_ENSURE_ARG_POINTER(aIsFIPSEnabled);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   *aIsFIPSEnabled = PK11_IsFIPS();
   return NS_OK;
 }
 
--- a/security/manager/ssl/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/SSLServerCertVerification.cpp
@@ -1517,21 +1517,18 @@ SSLServerCertVerificationJob::Dispatch(
 
   if (!gCertVerificationThreadPool) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   // Copy the certificate list so the runnable can take ownership of it in the
   // constructor.
-  // We can safely skip checking if NSS has already shut down here since we're
-  // in the middle of verifying a certificate.
-  nsNSSShutDownPreventionLock lock;
   UniqueCERTCertList peerCertChainCopy =
-    nsNSSCertList::DupCertList(peerCertChain, lock);
+    nsNSSCertList::DupCertList(peerCertChain);
   if (!peerCertChainCopy) {
     PR_SetError(SEC_ERROR_NO_MEMORY, 0);
     return SECFailure;
   }
 
   RefPtr<SSLServerCertVerificationJob> job(
     new SSLServerCertVerificationJob(certVerifier, fdForLogging, infoObject,
                                      serverCert, Move(peerCertChainCopy),
@@ -1562,17 +1559,16 @@ SSLServerCertVerificationJob::Run()
 {
   // Runs on a cert verification thread
 
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
           ("[%p] SSLServerCertVerificationJob::Run\n", mInfoObject.get()));
 
   PRErrorCode error;
 
-  nsNSSShutDownPreventionLock nssShutdownPrevention;
   if (mInfoObject->isAlreadyShutDown()) {
     error = SEC_ERROR_USER_CANCELLED;
   } else {
     Telemetry::HistogramID successTelemetry
       = Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX;
     Telemetry::HistogramID failureTelemetry
       = Telemetry::SSL_INITIAL_FAILED_CERT_VALIDATION_TIME_MOZILLAPKIX;
 
--- a/security/manager/ssl/SecretDecoderRing.cpp
+++ b/security/manager/ssl/SecretDecoderRing.cpp
@@ -61,40 +61,38 @@ void BackgroundSdrEncryptStrings(const n
 }
 
 SecretDecoderRing::SecretDecoderRing()
 {
 }
 
 SecretDecoderRing::~SecretDecoderRing()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 SecretDecoderRing::Encrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Make sure token is initialized. */
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
-  nsresult rv = setPassword(slot.get(), ctx, locker);
+  nsresult rv = setPassword(slot.get(), ctx);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   /* Force authentication */
   if (PK11_Authenticate(slot.get(), true, ctx) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
@@ -113,17 +111,16 @@ SecretDecoderRing::Encrypt(const nsACStr
 
   result.Assign(BitwiseCast<char*, unsigned char*>(reply.data), reply.len);
   return NS_OK;
 }
 
 nsresult
 SecretDecoderRing::Decrypt(const nsACString& data, /*out*/ nsACString& result)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   /* Find token with SDR key */
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
@@ -226,17 +223,16 @@ SecretDecoderRing::DecryptString(const n
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 SecretDecoderRing::ChangePassword()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_NOT_AVAILABLE;
   }
@@ -262,17 +258,16 @@ SecretDecoderRing::Logout()
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
   nsresult rv;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
   if (NS_FAILED(rv))
     return rv;
 
   {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return NS_ERROR_NOT_AVAILABLE;
     }
 
     PK11_LogoutAll();
     SSL_ClearSessionCache();
   }
 
@@ -285,17 +280,16 @@ SecretDecoderRing::LogoutAndTeardown()
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
   nsresult rv;
   nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
   if (NS_FAILED(rv))
     return rv;
 
   {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return NS_ERROR_NOT_AVAILABLE;
     }
 
     PK11_LogoutAll();
     SSL_ClearSessionCache();
   }
 
--- a/security/manager/ssl/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/TransportSecurityInfo.cpp
@@ -45,17 +45,16 @@ TransportSecurityInfo::TransportSecurity
   , mErrorCode(0)
   , mErrorMessageType(SSLErrorMessageType::Plain)
   , mPort(0)
 {
 }
 
 TransportSecurityInfo::~TransportSecurityInfo()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return;
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 TransportSecurityInfo::virtualDestroyNSSReference()
@@ -1036,20 +1035,19 @@ TransportSecurityInfo::GetFailedCertChai
   NS_IF_ADDREF(*_result);
 
   return NS_OK;
 }
 
 nsresult
 TransportSecurityInfo::SetFailedCertChain(UniqueCERTCertList certList)
 {
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // nsNSSCertList takes ownership of certList
-  mFailedCertChain = new nsNSSCertList(Move(certList), lock);
+  mFailedCertChain = new nsNSSCertList(Move(certList));
 
   return NS_OK;
 }
 
 } } // namespace mozilla::psm
--- a/security/manager/ssl/nsCertTree.cpp
+++ b/security/manager/ssl/nsCertTree.cpp
@@ -603,42 +603,33 @@ nsCertTree::GetCertsByTypeFromCertList(C
   return NS_OK;
 }
 
 nsresult
 nsCertTree::GetCertsByType(uint32_t           aType,
                            nsCertCompareFunc  aCertCmpFn,
                            void              *aCertCmpFnArg)
 {
-  nsNSSShutDownPreventionLock locker;
   nsCOMPtr<nsIInterfaceRequestor> cxt = new PipUIContext();
   UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, cxt));
   return GetCertsByTypeFromCertList(certList.get(), aType, aCertCmpFn,
                                     aCertCmpFnArg);
 }
 
 nsresult
 nsCertTree::GetCertsByTypeFromCache(nsIX509CertList   *aCache,
                                     uint32_t           aType,
                                     nsCertCompareFunc  aCertCmpFn,
                                     void              *aCertCmpFnArg)
 {
   NS_ENSURE_ARG_POINTER(aCache);
-  // GetRawCertList checks for NSS shutdown since we can't do it ourselves here
-  // easily. We still have to acquire a shutdown prevention lock to prevent NSS
-  // shutting down after GetRawCertList has returned. While cumbersome, this is
-  // at least mostly correct. The rest of this implementation doesn't even go
-  // this far in attempting to check for or prevent NSS shutdown at the
-  // appropriate times. If this were reimplemented at a higher level using
-  // more encapsulated types that handled NSS shutdown themselves, we wouldn't
-  // be having these kinds of problems.
-  nsNSSShutDownPreventionLock locker;
   CERTCertList* certList = aCache->GetRawCertList();
-  if (!certList)
+  if (!certList) {
     return NS_ERROR_FAILURE;
+  }
   return GetCertsByTypeFromCertList(certList, aType, aCertCmpFn, aCertCmpFnArg);
 }
 
 // LoadCerts
 //
 // Load all of the certificates in the DB for this type.  Sort them
 // by token, organization, then common name.
 NS_IMETHODIMP
--- a/security/manager/ssl/nsCryptoHash.cpp
+++ b/security/manager/ssl/nsCryptoHash.cpp
@@ -33,17 +33,16 @@ static const uint64_t STREAM_BUFFER_SIZE
 nsCryptoHash::nsCryptoHash()
   : mHashContext(nullptr)
   , mInitialized(false)
 {
 }
 
 nsCryptoHash::~nsCryptoHash()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -58,17 +57,16 @@ nsCryptoHash::destructorSafeDestroyNSSRe
   mHashContext = nullptr;
 }
 
 NS_IMPL_ISUPPORTS(nsCryptoHash, nsICryptoHash)
 
 NS_IMETHODIMP
 nsCryptoHash::Init(uint32_t algorithm)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   HASH_HashType hashType;
   switch (algorithm) {
     case nsICryptoHash::MD2:
       hashType = HASH_AlgMD2; break;
@@ -131,33 +129,31 @@ nsCryptoHash::InitWithString(const nsACS
     return Init(nsICryptoHash::SHA512);
 
   return NS_ERROR_INVALID_ARG;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Update(const uint8_t *data, uint32_t len)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   HASH_Update(mHashContext.get(), data, len);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::UpdateFromStream(nsIInputStream *data, uint32_t aLen)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mInitialized)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!data)
@@ -204,17 +200,16 @@ nsCryptoHash::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHash::Finish(bool ascii, nsACString & _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
@@ -241,17 +236,16 @@ NS_IMPL_ISUPPORTS(nsCryptoHMAC, nsICrypt
 
 nsCryptoHMAC::nsCryptoHMAC()
   : mHMACContext(nullptr)
 {
 }
 
 nsCryptoHMAC::~nsCryptoHMAC()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -264,17 +258,16 @@ void
 nsCryptoHMAC::destructorSafeDestroyNSSReference()
 {
   mHMACContext = nullptr;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Init(uint32_t aAlgorithm, nsIKeyObject *aKeyObject)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (mHMACContext) {
     mHMACContext = nullptr;
   }
 
@@ -321,17 +314,16 @@ nsCryptoHMAC::Init(uint32_t aAlgorithm, 
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Update(const uint8_t *aData, uint32_t aLen)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aData)
@@ -342,17 +334,16 @@ nsCryptoHMAC::Update(const uint8_t *aDat
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::UpdateFromStream(nsIInputStream *aStream, uint32_t aLen)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   if (!aStream)
@@ -402,17 +393,16 @@ nsCryptoHMAC::UpdateFromStream(nsIInputS
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Finish(bool aASCII, nsACString & _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mHMACContext)
     return NS_ERROR_NOT_INITIALIZED;
 
   uint32_t hashLen = 0;
@@ -430,17 +420,16 @@ nsCryptoHMAC::Finish(bool aASCII, nsACSt
 
   _retval.Assign(BitwiseCast<char*>(buffer), hashLen);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsCryptoHMAC::Reset()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (PK11_DigestBegin(mHMACContext.get()) != SECSuccess) {
     return NS_ERROR_FAILURE;
   }
 
--- a/security/manager/ssl/nsDataSignatureVerifier.cpp
+++ b/security/manager/ssl/nsDataSignatureVerifier.cpp
@@ -26,33 +26,31 @@ const SEC_ASN1Template CERT_SignatureDat
         SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), },
     { SEC_ASN1_BIT_STRING,
         offsetof(CERTSignedData,signature), },
     { 0, }
 };
 
 nsDataSignatureVerifier::~nsDataSignatureVerifier()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsDataSignatureVerifier::VerifyData(const nsACString& aData,
                                     const nsACString& aSignature,
                                     const nsACString& aPublicKey,
                                     bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // Allocate an arena to handle the majority of the allocations
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
--- a/security/manager/ssl/nsIX509CertList.idl
+++ b/security/manager/ssl/nsIX509CertList.idl
@@ -21,18 +21,16 @@ class nsNSSCertList;
 interface nsIX509CertList : nsISupports {
   [must_use]
   void addCert(in nsIX509Cert cert);
   [must_use]
   nsISimpleEnumerator getEnumerator();
 
   /**
    * Returns the raw, backing cert list.
-   * Must be called only from functions where an nsNSSShutDownPreventionLock
-   * has been acquired.
    */
   [notxpcom, noscript, must_use]
   CERTCertListPtr getRawCertList();
 
   /**
    * Test whether two certificate list instances represent the same
    * certificate list.
    *
--- a/security/manager/ssl/nsKeyModule.cpp
+++ b/security/manager/ssl/nsKeyModule.cpp
@@ -14,17 +14,16 @@ NS_IMPL_ISUPPORTS(nsKeyObject, nsIKeyObj
 
 nsKeyObject::nsKeyObject()
   : mSymKey(nullptr)
 {
 }
 
 nsKeyObject::~nsKeyObject()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -44,17 +43,16 @@ nsKeyObject::destructorSafeDestroyNSSRef
 
 NS_IMETHODIMP
 nsKeyObject::InitKey(int16_t aAlgorithm, PK11SymKey* aKey)
 {
   if (!aKey || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   mSymKey.reset(aKey);
   return NS_OK;
 }
 
@@ -62,17 +60,16 @@ NS_IMETHODIMP
 nsKeyObject::GetKeyObj(PK11SymKey** _retval)
 {
   if (!_retval) {
     return NS_ERROR_INVALID_ARG;
   }
 
   *_retval = nullptr;
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mSymKey) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
@@ -96,32 +93,30 @@ nsKeyObject::GetType(int16_t *_retval)
 NS_IMPL_ISUPPORTS(nsKeyObjectFactory, nsIKeyObjectFactory)
 
 nsKeyObjectFactory::nsKeyObjectFactory()
 {
 }
 
 nsKeyObjectFactory::~nsKeyObjectFactory()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsKeyObjectFactory::KeyFromString(int16_t aAlgorithm, const nsACString& aKey,
                                   nsIKeyObject** _retval)
 {
   if (!_retval || aAlgorithm != nsIKeyObject::HMAC) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   CK_MECHANISM_TYPE cipherMech = CKM_GENERIC_SECRET_KEY_GEN;
   CK_ATTRIBUTE_TYPE cipherOperation = CKA_SIGN;
 
   nsresult rv;
--- a/security/manager/ssl/nsKeygenHandler.cpp
+++ b/security/manager/ssl/nsKeygenHandler.cpp
@@ -217,17 +217,16 @@ NS_IMPL_ISUPPORTS(nsKeygenFormProcessor,
 
 nsKeygenFormProcessor::nsKeygenFormProcessor()
 {
    m_ctx = new PipUIContext();
 }
 
 nsKeygenFormProcessor::~nsKeygenFormProcessor()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
@@ -270,22 +269,21 @@ nsKeygenFormProcessor::Init()
   mSECKeySizeChoiceList[1].size = 1024;
 
   return NS_OK;
 }
 
 nsresult
 nsKeygenFormProcessor::GetSlot(uint32_t aMechanism, PK11SlotInfo** aSlot)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  return GetSlotWithMechanism(aMechanism, m_ctx, aSlot, locker);
+  return GetSlotWithMechanism(aMechanism, m_ctx, aSlot);
 }
 
 uint32_t MapGenMechToAlgoMech(uint32_t mechanism)
 {
     uint32_t searchMech;
 
     /* We are interested in slots based on the ability to perform
        a given algorithm, not on their ability to generate keys usable
@@ -313,17 +311,17 @@ uint32_t MapGenMechToAlgoMech(uint32_t m
         break;
     }
     return searchMech;
 }
 
 
 nsresult
 GetSlotWithMechanism(uint32_t aMechanism, nsIInterfaceRequestor* m_ctx,
-                     PK11SlotInfo** aSlot, nsNSSShutDownPreventionLock& /*proofOfLock*/)
+                     PK11SlotInfo** aSlot)
 {
     PK11SlotList * slotList = nullptr;
     char16_t** tokenNameList = nullptr;
     nsCOMPtr<nsITokenDialogs> dialogs;
     nsAutoString tokenStr;
     PK11SlotListElement *slotElement, *tmpSlot;
     uint32_t numSlots = 0, i = 0;
     bool canceled;
@@ -421,17 +419,16 @@ loser:
 
 nsresult
 nsKeygenFormProcessor::GetPublicKey(const nsAString& aValue,
                                     const nsAString& aChallenge,
                                     const nsString& aKeyType,
                                     nsAString& aOutPublicKey,
                                     const nsAString& aKeyParams)
 {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return NS_ERROR_NOT_AVAILABLE;
     }
 
     nsresult rv = NS_ERROR_FAILURE;
     nsAutoCString keystring;
     char *keyparamsString = nullptr;
     uint32_t keyGenMechanism;
@@ -547,17 +544,17 @@ nsKeygenFormProcessor::GetPublicKey(cons
              */
             algTag = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
             break;
       default:
           goto loser;
       }
 
     /* Make sure token is initialized. */
-    rv = setPassword(slot, m_ctx, locker);
+    rv = setPassword(slot, m_ctx);
     if (NS_FAILED(rv))
         goto loser;
 
     srv = PK11_Authenticate(slot, true, m_ctx);
     if (srv != SECSuccess) {
         goto loser;
     }
 
--- a/security/manager/ssl/nsKeygenHandler.h
+++ b/security/manager/ssl/nsKeygenHandler.h
@@ -15,18 +15,17 @@
 #include "nsIInterfaceRequestor.h"
 #include "nsNSSShutDown.h"
 #include "nsString.h"
 #include "nsTArray.h"
 #include "secmodt.h"
 
 nsresult GetSlotWithMechanism(uint32_t mechanism,
                               nsIInterfaceRequestor* ctx,
-                              PK11SlotInfo** retSlot,
-                              nsNSSShutDownPreventionLock& /*proofOfLock*/);
+                              PK11SlotInfo** retSlot);
 
 #define DEFAULT_RSA_KEYGEN_PE 65537L
 #define DEFAULT_RSA_KEYGEN_ALG SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION
 
 mozilla::UniqueSECItem DecodeECParams(const char* curve);
 
 class nsKeygenFormProcessor : public nsIFormProcessor
                             , public nsNSSShutDownObject
--- a/security/manager/ssl/nsKeygenThread.cpp
+++ b/security/manager/ssl/nsKeygenThread.cpp
@@ -61,17 +61,16 @@ void nsKeygenThread::SetParams(
     PK11SlotInfo *a_slot,
     PK11AttrFlags a_flags,
     PK11SlotInfo *a_alternative_slot,
     PK11AttrFlags a_alternative_flags,
     uint32_t a_keyGenMechanism,
     void *a_params,
     void *a_wincx )
 {
-  nsNSSShutDownPreventionLock locker;
   MutexAutoLock lock(mutex);
 
     if (!alreadyReceivedParams) {
       alreadyReceivedParams = true;
       slot = (a_slot) ? PK11_ReferenceSlot(a_slot) : nullptr;
       flags = a_flags;
       altSlot = (a_alternative_slot) ? PK11_ReferenceSlot(a_alternative_slot) : nullptr;
       altFlags = a_alternative_flags;
@@ -173,17 +172,16 @@ nsresult nsKeygenThread::UserCanceled(bo
     // it again to avoid problems.
     statusDialogClosed = true;
 
   return NS_OK;
 }
 
 void nsKeygenThread::Run(void)
 {
-  nsNSSShutDownPreventionLock locker;
   bool canGenerate = false;
 
   {
     MutexAutoLock lock(mutex);
     if (alreadyReceivedParams) {
       canGenerate = true;
       keygenReady = false;
     }
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -748,28 +748,26 @@ public:
   virtual void RunOnTargetThread() override;
 private:
   PK11SlotInfo* const mSlot; // in
   nsIInterfaceRequestor* const mIR; // in
 };
 
 PK11PasswordPromptRunnable::~PK11PasswordPromptRunnable()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 PK11PasswordPromptRunnable::RunOnTargetThread()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   nsresult rv;
   nsCOMPtr<nsIPrompt> prompt;
   if (!mIR) {
     rv = nsNSSComponent::GetNewPrompter(getter_AddRefs(prompt));
@@ -987,18 +985,16 @@ PreliminaryHandshakeDone(PRFileDesc* fd)
   infoObject->SetPreliminaryHandshakeDone();
 }
 
 SECStatus
 CanFalseStartCallback(PRFileDesc* fd, void* client_data, PRBool *canFalseStart)
 {
   *canFalseStart = false;
 
-  nsNSSShutDownPreventionLock locker;
-
   nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
   if (!infoObject) {
     PR_SetError(PR_INVALID_STATE_ERROR, 0);
     return SECFailure;
   }
 
   infoObject->SetFalseStartCallbackCalled();
 
@@ -1325,17 +1321,16 @@ IsCertificateDistrustImminent(nsIX509Cer
   });
 
   // If this chain did not match the whitelist, exit true
   aResult = !foundInWhitelist;
   return NS_OK;
 }
 
 void HandshakeCallback(PRFileDesc* fd, void* client_data) {
-  nsNSSShutDownPreventionLock locker;
   SECStatus rv;
 
   nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
 
   // Do the bookkeeping that needs to be done after the
   // server's ServerHello...ServerHelloDone have been processed, but that doesn't
   // need the handshake to be completed.
   PreliminaryHandshakeDone(fd);
--- a/security/manager/ssl/nsNSSCertHelper.cpp
+++ b/security/manager/ssl/nsNSSCertHelper.cpp
@@ -1829,17 +1829,16 @@ RegisterDynamicOids()
   }
   registered = true;
   return rv;
 }
 
 nsresult
 nsNSSCertificate::CreateTBSCertificateASN1Struct(nsIASN1Sequence** retSequence)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (RegisterDynamicOids() != SECSuccess)
     return NS_ERROR_FAILURE;
 
   //
   //   TBSCertificate  ::=  SEQUENCE  {
@@ -1977,17 +1976,16 @@ nsNSSCertificate::CreateTBSCertificateAS
   }
   sequence.forget(retSequence);
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::CreateASN1Struct(nsIASN1Object** aRetVal)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsCOMPtr<nsIASN1Sequence> sequence = new nsNSSASN1Sequence();
 
   nsCOMPtr<nsIMutableArray> asn1Objects;
   sequence->GetASN1Objects(getter_AddRefs(asn1Objects));
 
--- a/security/manager/ssl/nsNSSCertValidity.cpp
+++ b/security/manager/ssl/nsNSSCertValidity.cpp
@@ -17,29 +17,27 @@ nsX509CertValidity::nsX509CertValidity(c
   , mNotAfter(0)
   , mTimesInitialized(false)
 {
   MOZ_ASSERT(cert);
   if (!cert) {
     return;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   if (CERT_GetCertTimes(cert.get(), &mNotBefore, &mNotAfter) == SECSuccess) {
     mTimesInitialized = true;
   }
 }
 
 nsX509CertValidity::~nsX509CertValidity()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
--- a/security/manager/ssl/nsNSSCertificate.cpp
+++ b/security/manager/ssl/nsNSSCertificate.cpp
@@ -85,17 +85,16 @@ nsNSSCertificate::ConstructFromDER(char*
   }
 
   return newObject;
 }
 
 bool
 nsNSSCertificate::InitFromDER(char* certDER, int derLen)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return false;
 
   if (!certDER || !derLen)
     return false;
 
   CERTCertificate* aCert = CERT_DecodeCertFromPackage(certDER, derLen);
 
@@ -111,17 +110,16 @@ nsNSSCertificate::InitFromDER(char* cert
   return true;
 }
 
 nsNSSCertificate::nsNSSCertificate(CERTCertificate* cert)
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return;
 
   if (cert) {
     mCert.reset(CERT_DupCertificate(cert));
   }
 }
 
@@ -129,17 +127,16 @@ nsNSSCertificate::nsNSSCertificate()
   : mCert(nullptr)
   , mPermDelete(false)
   , mCertType(CERT_TYPE_NOT_YET_INITIALIZED)
 {
 }
 
 nsNSSCertificate::~nsNSSCertificate()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertificate::virtualDestroyNSSReference()
@@ -175,44 +172,41 @@ nsNSSCertificate::GetCertType(uint32_t* 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsSelfSigned(bool* aIsSelfSigned)
 {
   NS_ENSURE_ARG(aIsSelfSigned);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   *aIsSelfSigned = mCert->isRoot;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIsBuiltInRoot(bool* aIsBuiltInRoot)
 {
   NS_ENSURE_ARG(aIsBuiltInRoot);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   pkix::Result rv = IsCertBuiltInRoot(mCert.get(), *aIsBuiltInRoot);
   if (rv != pkix::Result::Success) {
     return NS_ERROR_FAILURE;
   }
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificate::MarkForPermDeletion()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   // make sure user is logged in to the token
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
 
   if (mCert->slot && PK11_NeedLogin(mCert->slot) &&
       !PK11_NeedUserInit(mCert->slot) && !PK11_IsInternal(mCert->slot)) {
@@ -304,17 +298,16 @@ nsNSSCertificate::GetKeyUsages(nsAString
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDbKey(nsACString& aDbKey)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   return GetDbKey(mCert, aDbKey);
 }
 
 nsresult
 nsNSSCertificate::GetDbKey(const UniqueCERTCertificate& cert, nsACString& aDbKey)
@@ -345,17 +338,16 @@ nsNSSCertificate::GetDbKey(const UniqueC
              cert->derIssuer.len);
 
   return Base64Encode(buf, aDbKey);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetDisplayName(nsAString& aDisplayName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   aDisplayName.Truncate();
 
   MOZ_ASSERT(mCert, "mCert should not be null in GetDisplayName");
   if (!mCert) {
@@ -414,17 +406,16 @@ nsNSSCertificate::GetDisplayName(nsAStri
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddress(nsAString& aEmailAddress)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (mCert->emailAddr) {
     CopyUTF8toUTF16(mCert->emailAddr, aEmailAddress);
   } else {
     nsresult rv;
     nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID, &rv));
@@ -434,17 +425,16 @@ nsNSSCertificate::GetEmailAddress(nsAStr
     nssComponent->GetPIPNSSBundleString("CertNoEmailAddress", aEmailAddress);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetEmailAddresses(uint32_t* aLength, char16_t*** aAddresses)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aAddresses);
 
   *aLength = 0;
 
@@ -474,17 +464,16 @@ nsNSSCertificate::GetEmailAddresses(uint
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::ContainsEmailAddress(const nsAString& aEmailAddress,
                                        bool* result)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(result);
   *result = false;
 
   const char* aAddr = nullptr;
   for (aAddr = CERT_GetFirstEmailAddress(mCert.get())
@@ -508,102 +497,96 @@ nsNSSCertificate::ContainsEmailAddress(c
   }
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetCommonName(nsAString& aCommonName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->subject));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganization(nsAString& aOrganization)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->subject));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerCommonName(nsAString& aCommonName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aCommonName.Truncate();
   if (mCert) {
     UniquePORTString commonName(CERT_GetCommonName(&mCert->issuer));
     if (commonName) {
       aCommonName = NS_ConvertUTF8toUTF16(commonName.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganization(nsAString& aOrganization)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aOrganization.Truncate();
   if (mCert) {
     UniquePORTString organization(CERT_GetOrgName(&mCert->issuer));
     if (organization) {
       aOrganization = NS_ConvertUTF8toUTF16(organization.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerOrganizationUnit(nsAString& aOrganizationUnit)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aOrganizationUnit.Truncate();
   if (mCert) {
     UniquePORTString organizationUnit(CERT_GetOrgUnitName(&mCert->issuer));
     if (organizationUnit) {
       aOrganizationUnit = NS_ConvertUTF8toUTF16(organizationUnit.get());
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuer(nsIX509Cert** aIssuer)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(aIssuer);
   *aIssuer = nullptr;
 
   nsCOMPtr<nsIArray> chain;
   nsresult rv;
@@ -623,17 +606,16 @@ nsNSSCertificate::GetIssuer(nsIX509Cert*
   }
   cert.forget(aIssuer);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganizationalUnit(nsAString& aOrganizationalUnit)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aOrganizationalUnit.Truncate();
   if (mCert) {
     UniquePORTString orgunit(CERT_GetOrgUnitName(&mCert->subject));
     if (orgunit) {
       aOrganizationalUnit = NS_ConvertUTF8toUTF16(orgunit.get());
@@ -668,17 +650,16 @@ UniqueCERTCertListToMutableArray(/*in*/ 
 
   array.forget(x509CertArray);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetChain(nsIArray** _rvChain)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(_rvChain);
 
   mozilla::pkix::Time now(mozilla::pkix::Now());
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
@@ -713,61 +694,57 @@ nsNSSCertificate::GetChain(nsIArray** _r
     return NS_ERROR_FAILURE;
   }
   return UniqueCERTCertListToMutableArray(nssChain, _rvChain);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSubjectName(nsAString& _subjectName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   _subjectName.Truncate();
   if (mCert->subjectName) {
     _subjectName = NS_ConvertUTF8toUTF16(mCert->subjectName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetIssuerName(nsAString& _issuerName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   _issuerName.Truncate();
   if (mCert->issuerName) {
     _issuerName = NS_ConvertUTF8toUTF16(mCert->issuerName);
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSerialNumber(nsAString& _serialNumber)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   _serialNumber.Truncate();
   UniquePORTString tmpstr(CERT_Hexify(&mCert->serialNumber, 1));
   if (tmpstr) {
     _serialNumber = NS_ConvertASCIItoUTF16(tmpstr.get());
     return NS_OK;
   }
   return NS_ERROR_FAILURE;
 }
 
 nsresult
 nsNSSCertificate::GetCertificateHash(nsAString& aFingerprint, SECOidTag aHashAlg)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   aFingerprint.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(aHashAlg, mCert->derCert.data,
                                  mCert->derCert.len);
@@ -795,17 +772,16 @@ NS_IMETHODIMP
 nsNSSCertificate::GetSha1Fingerprint(nsAString& _sha1Fingerprint)
 {
   return GetCertificateHash(_sha1Fingerprint, SEC_OID_SHA1);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetTokenName(nsAString& aTokenName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   aTokenName.Truncate();
   if (mCert) {
     // HACK alert
     // When the trust of a builtin cert is modified, NSS copies it into the
     // cert db.  At this point, it is now "managed" by the user, and should
@@ -830,17 +806,16 @@ nsNSSCertificate::GetTokenName(nsAString
     }
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest(nsACString& aSha256SPKIDigest)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   aSha256SPKIDigest.Truncate();
   Digest digest;
   nsresult rv = digest.DigestBuf(SEC_OID_SHA256, mCert->derPublicKey.data,
                                  mCert->derPublicKey.len);
@@ -855,17 +830,16 @@ nsNSSCertificate::GetSha256SubjectPublic
     return rv;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetRawDER(uint32_t* aLength, uint8_t** aArray)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (mCert) {
     *aArray = (uint8_t*)moz_xmalloc(mCert->derCert.len);
     if (*aArray) {
       memcpy(*aArray, mCert->derCert.data, mCert->derCert.len);
       *aLength = mCert->derCert.len;
@@ -878,17 +852,16 @@ nsNSSCertificate::GetRawDER(uint32_t* aL
 
 NS_IMETHODIMP
 nsNSSCertificate::ExportAsCMS(uint32_t chainMode,
                               uint32_t* aLength, uint8_t** aArray)
 {
   NS_ENSURE_ARG(aLength);
   NS_ENSURE_ARG(aArray);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
@@ -1004,27 +977,25 @@ nsNSSCertificate::ExportAsCMS(uint32_t c
   memcpy(*aArray, certP7.data, certP7.len);
   *aLength = certP7.len;
   return NS_OK;
 }
 
 CERTCertificate*
 nsNSSCertificate::GetCert()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return nullptr;
 
   return (mCert) ? CERT_DupCertificate(mCert.get()) : nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::GetValidity(nsIX509CertValidity** aValidity)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(aValidity);
 
   if (!mCert) {
     return NS_ERROR_FAILURE;
   }
@@ -1042,17 +1013,16 @@ nsNSSCertificate::GetASN1Structure(nsIAS
     return NS_ERROR_NOT_SAME_THREAD;
   }
   return CreateASN1Struct(aASN1Structure);
 }
 
 NS_IMETHODIMP
 nsNSSCertificate::Equals(nsIX509Cert* other, bool* result)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   NS_ENSURE_ARG(other);
   NS_ENSURE_ARG(result);
 
   UniqueCERTCertificate cert(other->GetCert());
   *result = (mCert.get() == cert.get());
@@ -1102,34 +1072,32 @@ NS_IMPL_CLASSINFO(nsNSSCertList,
                   // inferred from nsIX509Cert
                   nsIClassInfo::THREADSAFE,
                   NS_X509CERTLIST_CID)
 
 NS_IMPL_ISUPPORTS_CI(nsNSSCertList,
                      nsIX509CertList,
                      nsISerializable)
 
-nsNSSCertList::nsNSSCertList(UniqueCERTCertList certList,
-                             const nsNSSShutDownPreventionLock& proofOfLock)
+nsNSSCertList::nsNSSCertList(UniqueCERTCertList certList)
 {
   if (certList) {
     mCertList = Move(certList);
   } else {
     mCertList = UniqueCERTCertList(CERT_NewCertList());
   }
 }
 
 nsNSSCertList::nsNSSCertList()
 {
   mCertList = UniqueCERTCertList(CERT_NewCertList());
 }
 
 nsNSSCertList::~nsNSSCertList()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertList::virtualDestroyNSSReference()
@@ -1146,17 +1114,16 @@ nsNSSCertList*
 nsNSSCertList::GetCertList()
 {
   return this;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::AddCert(nsIX509Cert* aCert)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   // We need an owning handle when calling nsIX509Cert::GetCert().
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     NS_ERROR("Somehow got nullptr for mCertificate in nsNSSCertificate.");
     return NS_ERROR_FAILURE;
@@ -1169,18 +1136,17 @@ nsNSSCertList::AddCert(nsIX509Cert* aCer
   if (CERT_AddCertToListTail(mCertList.get(), cert.get()) != SECSuccess) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
   Unused << cert.release(); // Ownership transferred to the cert list.
   return NS_OK;
 }
 
 UniqueCERTCertList
-nsNSSCertList::DupCertList(const UniqueCERTCertList& certList,
-                           const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+nsNSSCertList::DupCertList(const UniqueCERTCertList& certList)
 {
   if (!certList) {
     return nullptr;
   }
 
   UniqueCERTCertList newList(CERT_NewCertList());
   if (!newList) {
     return nullptr;
@@ -1201,34 +1167,25 @@ nsNSSCertList::DupCertList(const UniqueC
     Unused << cert.release(); // Ownership transferred to the cert list.
   }
   return newList;
 }
 
 CERTCertList*
 nsNSSCertList::GetRawCertList()
 {
-  // This function should only be called after acquiring a
-  // nsNSSShutDownPreventionLock. It's difficult to enforce this in code since
-  // this is an implementation of an XPCOM interface function (albeit a
-  // C++-only one), so we acquire the (reentrant) lock and check for shutdown
-  // ourselves here. At the moment it appears that only nsCertTree uses this
-  // function. When that gets removed and replaced by a more reasonable
-  // implementation of the certificate manager, this function can be removed.
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return nullptr;
   }
   return mCertList.get();
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Write(nsIObjectOutputStream* aStream)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   // First, enumerate the certs to get the length of the list
@@ -1262,17 +1219,16 @@ nsNSSCertList::Write(nsIObjectOutputStre
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Read(nsIObjectInputStream* aStream)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_STATE(mCertList);
   nsresult rv = NS_OK;
 
   uint32_t certListLen;
@@ -1296,36 +1252,34 @@ nsNSSCertList::Read(nsIObjectInputStream
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::GetEnumerator(nsISimpleEnumerator** _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (!mCertList) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsISimpleEnumerator> enumerator =
-    new nsNSSCertListEnumerator(mCertList, locker);
+    new nsNSSCertListEnumerator(mCertList);
 
   enumerator.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertList::Equals(nsIX509CertList* other, bool* result)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_ARG(result);
   *result = true;
 
   nsresult rv;
@@ -1466,26 +1420,24 @@ nsNSSCertList::SegmentCertificateChain(/
   }
 
   return NS_OK;
 }
 
 NS_IMPL_ISUPPORTS(nsNSSCertListEnumerator, nsISimpleEnumerator)
 
 nsNSSCertListEnumerator::nsNSSCertListEnumerator(
-  const UniqueCERTCertList& certList,
-  const nsNSSShutDownPreventionLock& proofOfLock)
+  const UniqueCERTCertList& certList)
 {
   MOZ_ASSERT(certList);
-  mCertList = nsNSSCertList::DupCertList(certList, proofOfLock);
+  mCertList = nsNSSCertList::DupCertList(certList);
 }
 
 nsNSSCertListEnumerator::~nsNSSCertListEnumerator()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void nsNSSCertListEnumerator::virtualDestroyNSSReference()
@@ -1496,31 +1448,29 @@ void nsNSSCertListEnumerator::virtualDes
 void nsNSSCertListEnumerator::destructorSafeDestroyNSSReference()
 {
   mCertList = nullptr;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::HasMoreElements(bool* _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   *_retval = !CERT_LIST_EMPTY(mCertList);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertListEnumerator::GetNext(nsISupports** _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_TRUE(mCertList, NS_ERROR_FAILURE);
 
   CERTCertListNode* node = CERT_LIST_HEAD(mCertList);
   if (CERT_LIST_END(node, mCertList)) {
--- a/security/manager/ssl/nsNSSCertificate.h
+++ b/security/manager/ssl/nsNSSCertificate.h
@@ -79,24 +79,22 @@ class nsNSSCertList: public nsIX509CertL
                      public nsNSSShutDownObject
 {
 public:
   NS_DECL_THREADSAFE_ISUPPORTS
   NS_DECL_NSIX509CERTLIST
   NS_DECL_NSISERIALIZABLE
 
   // certList is adopted
-  nsNSSCertList(mozilla::UniqueCERTCertList certList,
-                const nsNSSShutDownPreventionLock& proofOfLock);
+  explicit nsNSSCertList(mozilla::UniqueCERTCertList certList);
 
   nsNSSCertList();
 
   static mozilla::UniqueCERTCertList DupCertList(
-    const mozilla::UniqueCERTCertList& certList,
-    const nsNSSShutDownPreventionLock& proofOfLock);
+    const mozilla::UniqueCERTCertList& certList);
 
   // For each certificate in this CertList, run the operation aOperation.
   // To end early with NS_OK, set the `aContinue` argument false before
   // returning. To end early with an error, return anything except NS_OK.
   // The `aHasMore` argument is false when this is the last certificate in the
   // chain.
   nsresult ForEachCertificateInChain(ForEachCertOperation& aOperation);
 
@@ -126,18 +124,17 @@ private:
 
 class nsNSSCertListEnumerator: public nsISimpleEnumerator,
                                public nsNSSShutDownObject
 {
 public:
    NS_DECL_THREADSAFE_ISUPPORTS
    NS_DECL_NSISIMPLEENUMERATOR
 
-   nsNSSCertListEnumerator(const mozilla::UniqueCERTCertList& certList,
-                           const nsNSSShutDownPreventionLock& proofOfLock);
+   explicit nsNSSCertListEnumerator(const mozilla::UniqueCERTCertList& certList);
 private:
    virtual ~nsNSSCertListEnumerator();
    virtual void virtualDestroyNSSReference() override;
    void destructorSafeDestroyNSSReference();
 
    mozilla::UniqueCERTCertList mCertList;
 
    nsNSSCertListEnumerator(const nsNSSCertListEnumerator&) = delete;
--- a/security/manager/ssl/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/nsNSSCertificateDB.cpp
@@ -54,17 +54,16 @@ using namespace mozilla::psm;
 using mozilla::psm::SharedSSLState;
 
 extern LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsNSSCertificateDB, nsIX509CertDB)
 
 nsNSSCertificateDB::~nsNSSCertificateDB()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
@@ -73,17 +72,16 @@ nsNSSCertificateDB::FindCertByDBKey(cons
 {
   NS_ENSURE_ARG_POINTER(_cert);
   *_cert = nullptr;
 
   if (aDBKey.IsEmpty()) {
     return NS_ERROR_INVALID_ARG;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -187,18 +185,17 @@ collect_certs(void *arg, SECItem **certs
     certs++;
   }
 
   return (SECSuccess);
 }
 
 CERTDERCerts*
 nsNSSCertificateDB::getCertsFromPackage(const UniquePLArenaPool& arena,
-                                        uint8_t* data, uint32_t length,
-                                        const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+                                        uint8_t* data, uint32_t length)
 {
   CERTDERCerts* collectArgs = PORT_ArenaZNew(arena.get(), CERTDERCerts);
   if (!collectArgs) {
     return nullptr;
   }
 
   collectArgs->arena = arena.get();
   if (CERT_DecodeCertPackage(BitwiseCast<char*, uint8_t*>(data), length,
@@ -237,18 +234,17 @@ ChangeCertTrustWithPossibleAuthenticatio
   }
   if (srv != SECSuccess) {
     return srv;
   }
   return CERT_ChangeCertTrust(nullptr, cert.get(), &trust);
 }
 
 static nsresult
-ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain,
-                                const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+ImportCertsIntoPermanentStorage(const UniqueCERTCertList& certChain)
 {
   bool encounteredFailure = false;
   PRErrorCode savedErrorCode = 0;
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   for (CERTCertListNode* chainNode = CERT_LIST_HEAD(certChain);
        !CERT_LIST_END(chainNode, certChain);
        chainNode = CERT_LIST_NEXT(chainNode)) {
     UniquePORTString nickname(CERT_MakeCANickname(chainNode->cert));
@@ -265,18 +261,17 @@ ImportCertsIntoPermanentStorage(const Un
     return GetXPCOMFromNSSError(savedErrorCode);
   }
 
   return NS_OK;
 }
 
 nsresult
 nsNSSCertificateDB::handleCACertDownload(NotNull<nsIArray*> x509Certs,
-                                         nsIInterfaceRequestor *ctx,
-                                         const nsNSSShutDownPreventionLock &proofOfLock)
+                                         nsIInterfaceRequestor *ctx)
 {
   // First thing we have to do is figure out which certificate we're
   // gonna present to the user.  The CA may have sent down a list of
   // certs which may or may not be a chained list of certs.  Until
   // the day we can design some solid UI for the general case, we'll
   // code to the > 90% case.  That case is where a CA sends down a
   // list that is a hierarchy whose root is either the first or
   // the last cert.  What we're gonna do is compare the first
@@ -351,22 +346,22 @@ nsNSSCertificateDB::handleCACertDownload
   }
 
   UniqueCERTCertificate tmpCert(certToShow->GetCert());
   if (!tmpCert) {
     return NS_ERROR_FAILURE;
   }
 
   if (!CERT_IsCACert(tmpCert.get(), nullptr)) {
-    DisplayCertificateAlert(ctx, "NotACACert", certToShow, proofOfLock);
+    DisplayCertificateAlert(ctx, "NotACACert", certToShow);
     return NS_ERROR_FAILURE;
   }
 
   if (tmpCert->isperm) {
-    DisplayCertificateAlert(ctx, "CaCertExists", certToShow, proofOfLock);
+    DisplayCertificateAlert(ctx, "CaCertExists", certToShow);
     return NS_ERROR_FAILURE;
   }
 
   uint32_t trustBits;
   bool allows;
   rv = dialogs->ConfirmDownloadCACert(ctx, certToShow, &trustBits, &allows);
   if (NS_FAILED(rv))
     return rv;
@@ -425,41 +420,39 @@ nsNSSCertificateDB::handleCACertDownload
 
     if (CERT_AddCertToListTail(certList.get(), tmpCert2.get()) != SECSuccess) {
       continue;
     }
 
     Unused << tmpCert2.release();
   }
 
-  return ImportCertsIntoPermanentStorage(certList, proofOfLock);
+  return ImportCertsIntoPermanentStorage(certList);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertificates(uint8_t* data, uint32_t length,
                                        uint32_t type,
                                        nsIInterfaceRequestor* ctx)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // We currently only handle CA certificates.
   if (type != nsIX509Cert::CA_CERT) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  CERTDERCerts* certCollection = getCertsFromPackage(arena, data, length,
-                                                     locker);
+  CERTDERCerts* certCollection = getCertsFromPackage(arena, data, length);
   if (!certCollection) {
     return NS_ERROR_FAILURE;
   }
 
   nsCOMPtr<nsIMutableArray> array = nsArrayBase::Create();
   if (!array) {
     return NS_ERROR_FAILURE;
   }
@@ -473,32 +466,31 @@ nsNSSCertificateDB::ImportCertificates(u
       return NS_ERROR_FAILURE;
     }
     nsresult rv = array->AppendElement(cert);
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
-  return handleCACertDownload(WrapNotNull(array), ctx, locker);
+  return handleCACertDownload(WrapNotNull(array), ctx);
 }
 
 /**
  * Decodes a given array of DER-encoded certificates into temporary storage.
  *
  * @param numcerts
  *        Size of the |certs| array.
  * @param certs
  *        Pointer to array of certs to decode.
  * @param temporaryCerts
  *        List of decoded certificates.
  */
 static nsresult
 ImportCertsIntoTempStorage(int numcerts, SECItem* certs,
-                           const nsNSSShutDownPreventionLock& /*proofOfLock*/,
                    /*out*/ const UniqueCERTCertList& temporaryCerts)
 {
   NS_ENSURE_ARG_MIN(numcerts, 1);
   NS_ENSURE_ARG_POINTER(certs);
   NS_ENSURE_ARG_POINTER(temporaryCerts);
 
   // CERT_ImportCerts() expects an array of *pointers* to SECItems, so we have
   // to convert |certs| to such a format first.
@@ -543,69 +535,65 @@ ImportCertsIntoTempStorage(int numcerts,
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportEmailCertificate(uint8_t* data, uint32_t length,
                                            nsIInterfaceRequestor* ctx)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length, locker);
+  CERTDERCerts *certCollection = getCertsFromPackage(arena, data, length);
   if (!certCollection) {
     return NS_ERROR_FAILURE;
   }
 
   UniqueCERTCertList temporaryCerts(CERT_NewCertList());
   if (!temporaryCerts) {
     return NS_ERROR_FAILURE;
   }
 
   nsresult rv = ImportCertsIntoTempStorage(certCollection->numcerts,
                                            certCollection->rawCerts,
-                                           locker, temporaryCerts);
+                                           temporaryCerts);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
-  return ImportCertsIntoPermanentStorage(temporaryCerts, locker);
+  return ImportCertsIntoPermanentStorage(temporaryCerts);
 }
 
 nsresult
 nsNSSCertificateDB::ImportCACerts(int numCACerts, SECItem* caCerts,
-                                  nsIInterfaceRequestor* ctx,
-                                  const nsNSSShutDownPreventionLock& proofOfLock)
+                                  nsIInterfaceRequestor* ctx)
 {
   UniqueCERTCertList temporaryCerts(CERT_NewCertList());
   if (!temporaryCerts) {
     return NS_ERROR_FAILURE;
   }
 
-  nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, proofOfLock,
-                                           temporaryCerts);
+  nsresult rv = ImportCertsIntoTempStorage(numCACerts, caCerts, temporaryCerts);
   if (NS_FAILED(rv)) {
     return rv;
   }
 
-  return ImportCertsIntoPermanentStorage(temporaryCerts, proofOfLock);
+  return ImportCertsIntoPermanentStorage(temporaryCerts);
 }
 
 void nsNSSCertificateDB::DisplayCertificateAlert(nsIInterfaceRequestor *ctx,
                                                  const char *stringID,
-                                                 nsIX509Cert *certToShow,
-                                                 const nsNSSShutDownPreventionLock &/*proofOfLock*/)
+                                                 nsIX509Cert *certToShow)
 {
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
   if (!NS_IsMainThread()) {
     NS_ERROR("nsNSSCertificateDB::DisplayCertificateAlert called off the main thread");
     return;
   }
 
@@ -636,87 +624,85 @@ NS_IMETHODIMP
 nsNSSCertificateDB::ImportUserCertificate(uint8_t* data, uint32_t length,
                                           nsIInterfaceRequestor* ctx)
 {
   if (!NS_IsMainThread()) {
     NS_ERROR("nsNSSCertificateDB::ImportUserCertificate called off the main thread");
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
   if (!arena) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length, locker);
+  CERTDERCerts* collectArgs = getCertsFromPackage(arena, data, length);
   if (!collectArgs) {
     return NS_ERROR_FAILURE;
   }
 
   UniqueCERTCertificate cert(
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), collectArgs->rawCerts,
                             nullptr, false, true));
   if (!cert) {
     return NS_ERROR_FAILURE;
   }
 
   UniquePK11SlotInfo slot(PK11_KeyForCertExists(cert.get(), nullptr, ctx));
   if (!slot) {
     nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert.get());
-    DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow, locker);
+    DisplayCertificateAlert(ctx, "UserCertIgnoredNoPrivateKey", certToShow);
     return NS_ERROR_FAILURE;
   }
   slot = nullptr;
 
   /* pick a nickname for the cert */
   nsAutoCString nickname;
   if (cert->nickname) {
     nickname = cert->nickname;
   } else {
-    get_default_nickname(cert.get(), ctx, nickname, locker);
+    get_default_nickname(cert.get(), ctx, nickname);
   }
 
   /* user wants to import the cert */
   slot.reset(PK11_ImportCertForKey(cert.get(), nickname.get(), ctx));
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
   slot = nullptr;
 
   {
     nsCOMPtr<nsIX509Cert> certToShow = nsNSSCertificate::Create(cert.get());
-    DisplayCertificateAlert(ctx, "UserCertImported", certToShow, locker);
+    DisplayCertificateAlert(ctx, "UserCertImported", certToShow);
   }
 
   nsresult rv = NS_OK;
   int numCACerts = collectArgs->numcerts - 1;
   if (numCACerts) {
     SECItem* caCerts = collectArgs->rawCerts + 1;
-    rv = ImportCACerts(numCACerts, caCerts, ctx, locker);
+    rv = ImportCACerts(numCACerts, caCerts, ctx);
   }
 
   nsCOMPtr<nsIObserverService> observerService =
     mozilla::services::GetObserverService();
   if (observerService) {
     observerService->NotifyObservers(nullptr, "psm:user-certificate-added", nullptr);
   }
 
   return rv;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::DeleteCertificate(nsIX509Cert *aCert)
 {
   NS_ENSURE_ARG_POINTER(aCert);
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   UniqueCERTCertificate cert(aCert->GetCert());
   if (!cert) {
     return NS_ERROR_FAILURE;
   }
   SECStatus srv = SECSuccess;
@@ -752,17 +738,16 @@ nsNSSCertificateDB::DeleteCertificate(ns
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::SetCertTrust(nsIX509Cert *cert,
                                  uint32_t type,
                                  uint32_t trusted)
 {
   NS_ENSURE_ARG_POINTER(cert);
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsNSSCertTrust trust;
   switch (type) {
     case nsIX509Cert::CA_CERT:
       trust.SetValidCA();
@@ -793,17 +778,16 @@ NS_IMETHODIMP
 nsNSSCertificateDB::IsCertTrusted(nsIX509Cert *cert,
                                   uint32_t certType,
                                   uint32_t trustType,
                                   bool *_isTrusted)
 {
   NS_ENSURE_ARG_POINTER(_isTrusted);
   *_isTrusted = false;
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -843,17 +827,16 @@ nsNSSCertificateDB::IsCertTrusted(nsIX50
   } /* user: ignore */
   return NS_OK;
 }
 
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportCertsFromFile(nsIFile* aFile, uint32_t aType)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   NS_ENSURE_ARG(aFile);
   switch (aType) {
     case nsIX509Cert::CA_CERT:
     case nsIX509Cert::EMAIL_CERT:
@@ -903,17 +886,16 @@ nsNSSCertificateDB::ImportCertsFromFile(
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ImportPKCS12File(nsIFile* aFile)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
@@ -932,17 +914,16 @@ nsNSSCertificateDB::ImportPKCS12File(nsI
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ExportPKCS12File(nsIFile* aFile, uint32_t count,
                                      nsIX509Cert** certs)
 {
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
@@ -953,17 +934,16 @@ nsNSSCertificateDB::ExportPKCS12File(nsI
   nsPKCS12Blob blob;
   return blob.ExportToFile(aFile, certs, count);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::FindCertByEmailAddress(const nsACString& aEmailAddress,
                                            nsIX509Cert** _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -1014,17 +994,16 @@ nsNSSCertificateDB::FindCertByEmailAddre
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509FromBase64(const nsACString& base64,
                                     /*out*/ nsIX509Cert** _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   if (!_retval) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   // Base64Decode() doesn't consider a zero length input as an error, and just
@@ -1042,17 +1021,16 @@ nsNSSCertificateDB::ConstructX509FromBas
 
   return ConstructX509(certDER, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ConstructX509(const nsACString& certDER,
                                   nsIX509Cert** _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   if (NS_WARN_IF(!_retval)) {
     return NS_ERROR_INVALID_POINTER;
   }
 
   SECItem certData;
@@ -1073,18 +1051,17 @@ nsNSSCertificateDB::ConstructX509(const 
   }
   nssCert.forget(_retval);
   return NS_OK;
 }
 
 void
 nsNSSCertificateDB::get_default_nickname(CERTCertificate *cert,
                                          nsIInterfaceRequestor* ctx,
-                                         nsCString &nickname,
-                                         const nsNSSShutDownPreventionLock &/*proofOfLock*/)
+                                         nsCString &nickname)
 {
   static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
 
   nickname.Truncate();
 
   nsresult rv;
   CK_OBJECT_HANDLE keyHandle;
 
@@ -1187,17 +1164,16 @@ nsNSSCertificateDB::AddCertFromBase64(co
                                       nsIX509Cert** addedCertificate)
 {
   MOZ_ASSERT(addedCertificate);
   if (!addedCertificate) {
     return NS_ERROR_INVALID_ARG;
   }
   *addedCertificate = nullptr;
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsNSSCertTrust trust;
   if (CERT_DecodeTrustString(&trust.GetTrust(), PromiseFlatCString(aTrust).get())
         != SECSuccess) {
     return NS_ERROR_FAILURE;
@@ -1272,17 +1248,16 @@ nsNSSCertificateDB::SetCertTrustFromStri
 
   srv = ChangeCertTrustWithPossibleAuthentication(nssCert, trust, nullptr);
   return MapSECStatus(srv);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::GetCerts(nsIX509CertList **_retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -1293,33 +1268,32 @@ nsNSSCertificateDB::GetCerts(nsIX509Cert
   }
 
   nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
   nsCOMPtr<nsIX509CertList> nssCertList;
   UniqueCERTCertList certList(PK11_ListCerts(PK11CertListUnique, ctx));
 
   // nsNSSCertList 1) adopts certList, and 2) handles the nullptr case fine.
   // (returns an empty list)
-  nssCertList = new nsNSSCertList(Move(certList), locker);
+  nssCertList = new nsNSSCertList(Move(certList));
 
   nssCertList.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots)
 {
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
 #ifdef XP_WIN
   nsCOMPtr<nsINSSComponent> psm(do_GetService(PSM_COMPONENT_CONTRACTID));
   if (!psm) {
     return NS_ERROR_FAILURE;
@@ -1333,18 +1307,17 @@ nsNSSCertificateDB::GetEnterpriseRoots(n
 nsresult
 VerifyCertAtTime(nsIX509Cert* aCert,
                  int64_t /*SECCertificateUsage*/ aUsage,
                  uint32_t aFlags,
                  const nsACString& aHostname,
                  mozilla::pkix::Time aTime,
                  nsIX509CertList** aVerifiedChain,
                  bool* aHasEVPolicy,
-                 int32_t* /*PRErrorCode*/ _retval,
-                 const nsNSSShutDownPreventionLock& locker)
+                 int32_t* /*PRErrorCode*/ _retval)
 {
   NS_ENSURE_ARG_POINTER(aCert);
   NS_ENSURE_ARG_POINTER(aHasEVPolicy);
   NS_ENSURE_ARG_POINTER(aVerifiedChain);
   NS_ENSURE_ARG_POINTER(_retval);
 
   *aVerifiedChain = nullptr;
   *aHasEVPolicy = false;
@@ -1385,17 +1358,17 @@ VerifyCertAtTime(nsIX509Cert* aCert,
                                       nullptr, // stapledOCSPResponse
                                       nullptr, // sctsFromTLSExtension
                                       OriginAttributes(),
                                       &evOidPolicy);
   }
 
   nsCOMPtr<nsIX509CertList> nssCertList;
   // This adopts the list
-  nssCertList = new nsNSSCertList(Move(resultChain), locker);
+  nssCertList = new nsNSSCertList(Move(resultChain));
   NS_ENSURE_TRUE(nssCertList, NS_ERROR_FAILURE);
 
   *_retval = mozilla::pkix::MapResultToPRErrorCode(result);
   if (result == mozilla::pkix::Success && evOidPolicy != SEC_OID_UNKNOWN) {
     *aHasEVPolicy = true;
   }
   nssCertList.forget(aVerifiedChain);
 
@@ -1406,44 +1379,42 @@ NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertNow(nsIX509Cert* aCert,
                                   int64_t /*SECCertificateUsage*/ aUsage,
                                   uint32_t aFlags,
                                   const nsACString& aHostname,
                                   nsIX509CertList** aVerifiedChain,
                                   bool* aHasEVPolicy,
                                   int32_t* /*PRErrorCode*/ _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::Now(),
-                            aVerifiedChain, aHasEVPolicy, _retval, locker);
+                            aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::VerifyCertAtTime(nsIX509Cert* aCert,
                                      int64_t /*SECCertificateUsage*/ aUsage,
                                      uint32_t aFlags,
                                      const nsACString& aHostname,
                                      uint64_t aTime,
                                      nsIX509CertList** aVerifiedChain,
                                      bool* aHasEVPolicy,
                                      int32_t* /*PRErrorCode*/ _retval)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   return ::VerifyCertAtTime(aCert, aUsage, aFlags, aHostname,
                             mozilla::pkix::TimeFromEpochInSeconds(aTime),
-                            aVerifiedChain, aHasEVPolicy, _retval, locker);
+                            aVerifiedChain, aHasEVPolicy, _retval);
 }
 
 class VerifyCertAtTimeTask final : public CryptoTask
 {
 public:
   VerifyCertAtTimeTask(nsIX509Cert* aCert, int64_t aUsage, uint32_t aFlags,
                        const nsACString& aHostname, uint64_t aTime,
                        nsICertVerificationCallback* aCallback)
@@ -1500,30 +1471,28 @@ private:
 NS_IMETHODIMP
 nsNSSCertificateDB::AsyncVerifyCertAtTime(nsIX509Cert* aCert,
                                           int64_t /*SECCertificateUsage*/ aUsage,
                                           uint32_t aFlags,
                                           const nsACString& aHostname,
                                           uint64_t aTime,
                                           nsICertVerificationCallback* aCallback)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   RefPtr<VerifyCertAtTimeTask> task(new VerifyCertAtTimeTask(aCert, aUsage,
                                                              aFlags, aHostname,
                                                              aTime, aCallback));
   return task->Dispatch("VerifyCert");
 }
 
 NS_IMETHODIMP
 nsNSSCertificateDB::ClearOCSPCache()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   RefPtr<SharedCertVerifier> certVerifier(GetDefaultCertVerifier());
   NS_ENSURE_TRUE(certVerifier, NS_ERROR_FAILURE);
   certVerifier->ClearOCSPCache();
   return NS_OK;
--- a/security/manager/ssl/nsNSSCertificateDB.h
+++ b/security/manager/ssl/nsNSSCertificateDB.h
@@ -33,33 +33,29 @@ public:
 protected:
   virtual ~nsNSSCertificateDB();
 
 private:
   // Use this function to generate a default nickname for a user
   // certificate that is to be imported onto a token.
   static void
   get_default_nickname(CERTCertificate* cert, nsIInterfaceRequestor* ctx,
-                       nsCString& nickname,
-                       const nsNSSShutDownPreventionLock& proofOfLock);
+                       nsCString& nickname);
 
   static nsresult
-  ImportCACerts(int numCACerts, SECItem* CACerts, nsIInterfaceRequestor* ctx,
-                const nsNSSShutDownPreventionLock& proofOfLock);
+  ImportCACerts(int numCACerts, SECItem* CACerts, nsIInterfaceRequestor* ctx);
 
-  static void DisplayCertificateAlert(nsIInterfaceRequestor *ctx,
-                                      const char *stringID, nsIX509Cert *certToShow,
-                                      const nsNSSShutDownPreventionLock &proofOfLock);
+  static void DisplayCertificateAlert(nsIInterfaceRequestor* ctx,
+                                      const char* stringID,
+                                      nsIX509Cert* certToShow);
 
   CERTDERCerts* getCertsFromPackage(const mozilla::UniquePLArenaPool& arena,
-                                    uint8_t* data, uint32_t length,
-                                    const nsNSSShutDownPreventionLock& proofOfLock);
+                                    uint8_t* data, uint32_t length);
   nsresult handleCACertDownload(mozilla::NotNull<nsIArray*> x509Certs,
-                                nsIInterfaceRequestor *ctx,
-                                const nsNSSShutDownPreventionLock &proofOfLock);
+                                nsIInterfaceRequestor* ctx);
 
   // We don't own any NSS objects here, so no need to clean up
   virtual void virtualDestroyNSSReference() override { };
 };
 
 #define NS_X509CERTDB_CID { /* fb0bbc5c-452e-4783-b32c-80124693d871 */ \
     0xfb0bbc5c,                                                        \
     0x452e,                                                            \
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -810,17 +810,16 @@ nsNSSComponent::UnloadEnterpriseRoots(co
   }
   mEnterpriseRoots = nullptr;
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("unloaded enterprise roots"));
 }
 
 NS_IMETHODIMP
 nsNSSComponent::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots)
 {
-  nsNSSShutDownPreventionLock lock;
   MutexAutoLock nsNSSComponentLock(mMutex);
   MOZ_ASSERT(NS_IsMainThread());
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
   NS_ENSURE_ARG_POINTER(enterpriseRoots);
 
   // nsNSSComponent isn't a nsNSSShutDownObject, so we can't check
@@ -828,22 +827,22 @@ nsNSSComponent::GetEnterpriseRoots(nsIX5
   // shuts down, we can use that as a proxy for checking for NSS shutdown.
   // (Of course, it may also be the case that no enterprise roots were imported,
   // so we should just return a null list and NS_OK in this case.)
   if (!mEnterpriseRoots) {
     *enterpriseRoots = nullptr;
     return NS_OK;
   }
   UniqueCERTCertList enterpriseRootsCopy(
-    nsNSSCertList::DupCertList(mEnterpriseRoots, lock));
+    nsNSSCertList::DupCertList(mEnterpriseRoots));
   if (!enterpriseRootsCopy) {
     return NS_ERROR_FAILURE;
   }
   nsCOMPtr<nsIX509CertList> enterpriseRootsCertList(
-    new nsNSSCertList(Move(enterpriseRootsCopy), lock));
+    new nsNSSCertList(Move(enterpriseRootsCopy)));
   if (!enterpriseRootsCertList) {
     return NS_ERROR_FAILURE;
   }
   enterpriseRootsCertList.forget(enterpriseRoots);
   return NS_OK;
 }
 #endif // XP_WIN
 
@@ -992,24 +991,23 @@ public:
   ~LoadLoadableRootsTask();
 
   nsresult Dispatch();
 
   void virtualDestroyNSSReference() override {} // nothing to release
 
 private:
   NS_IMETHOD Run() override;
-  nsresult LoadLoadableRoots(const nsNSSShutDownPreventionLock& proofOfLock);
+  nsresult LoadLoadableRoots();
   RefPtr<nsNSSComponent> mNSSComponent;
   nsCOMPtr<nsIThread> mThread;
 };
 
 LoadLoadableRootsTask::~LoadLoadableRootsTask()
 {
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 nsresult
 LoadLoadableRootsTask::Dispatch()
@@ -1024,32 +1022,31 @@ LoadLoadableRootsTask::Dispatch()
 
   // Note: event must not null out mThread!
   return mThread->Dispatch(this, NS_DISPATCH_NORMAL);
 }
 
 NS_IMETHODIMP
 LoadLoadableRootsTask::Run()
 {
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
-  nsresult rv = LoadLoadableRoots(lock);
+  nsresult rv = LoadLoadableRoots();
   if (NS_FAILED(rv)) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("LoadLoadableRoots failed"));
     // We don't return rv here because then BlockUntilLoadableRootsLoaded will
     // just wait forever. Instead we'll save its value (below) so we can inform
     // code that relies on the roots module being present that loading it
     // failed.
   }
 
   if (NS_SUCCEEDED(rv)) {
-    if (NS_FAILED(LoadExtendedValidationInfo(lock))) {
+    if (NS_FAILED(LoadExtendedValidationInfo())) {
       // This isn't a show-stopper in the same way that failing to load the
       // roots module is.
       MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("failed to load EV info"));
     }
   }
   {
     MonitorAutoLock rootsLoadedLock(mNSSComponent->mLoadableRootsLoadedMonitor);
     mNSSComponent->mLoadableRootsLoaded = true;
@@ -1068,17 +1065,16 @@ nsresult
 nsNSSComponent::HasActiveSmartCards(bool& result)
 {
   MOZ_ASSERT(NS_IsMainThread(), "Main thread only");
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
 #ifndef MOZ_NO_SMART_CARDS
-  nsNSSShutDownPreventionLock lock;
   MutexAutoLock nsNSSComponentLock(mMutex);
 
   AutoSECMODListReadLock secmodLock;
   SECMODModuleList* list = SECMOD_GetDefaultModuleList();
   while (list) {
     if (SECMOD_HasRemovableSlots(list->module)) {
       result = true;
       return NS_OK;
@@ -1093,17 +1089,16 @@ nsNSSComponent::HasActiveSmartCards(bool
 nsresult
 nsNSSComponent::HasUserCertsInstalled(bool& result)
 {
   MOZ_ASSERT(NS_IsMainThread(), "Main thread only");
   if (!NS_IsMainThread()) {
     return NS_ERROR_NOT_SAME_THREAD;
   }
 
-  nsNSSShutDownPreventionLock lock;
   MutexAutoLock nsNSSComponentLock(mMutex);
 
   if (!mNSSInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   result = false;
   UniqueCERTCertList certList(
@@ -1137,17 +1132,16 @@ nsNSSComponent::BlockUntilLoadableRootsL
 
   return mLoadableRootsLoadedResult;
 }
 
 nsresult
 nsNSSComponent::CheckForSmartCardChanges()
 {
 #ifndef MOZ_NO_SMART_CARDS
-  nsNSSShutDownPreventionLock lock;
   MutexAutoLock nsNSSComponentLock(mMutex);
 
   if (!mNSSInitialized) {
     return NS_ERROR_NOT_INITIALIZED;
   }
 
   // SECMOD_UpdateSlotList attempts to acquire the list lock as well,
   // so we have to do this in two steps. The lock protects the list itself, so
@@ -1255,18 +1249,17 @@ GetDirectoryPath(const char* directoryKe
   return directoryWin->GetNativeCanonicalPath(result);
 #else
   return directory->GetNativePath(result);
 #endif
 }
 
 
 nsresult
-LoadLoadableRootsTask::LoadLoadableRoots(
-  const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+LoadLoadableRootsTask::LoadLoadableRoots()
 {
   // Find the best Roots module for our purposes.
   // Prefer the application's installation directory,
   // but also ensure the library is at least the version we expect.
 
   nsAutoString modName;
   nsresult rv = mNSSComponent->GetPIPNSSBundleString("RootCertModuleName",
                                                      modName);
@@ -2259,17 +2252,16 @@ nsNSSComponent::Observe(nsISupports* aSu
   // closing the sql-backed softoken requires sqlite still be available. Thus,
   // we observe "xpcom-shutdown" just in case.
   if (nsCRT::strcmp(aTopic, PROFILE_BEFORE_CHANGE_TOPIC) == 0 ||
       nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("receiving profile change or XPCOM shutdown notification"));
     ShutdownNSS();
   } else if (nsCRT::strcmp(aTopic, NS_PREFBRANCH_PREFCHANGE_TOPIC_ID) == 0) {
-    nsNSSShutDownPreventionLock locker;
     bool clearSessionCache = true;
     NS_ConvertUTF16toUTF8  prefName(someData);
 
     if (prefName.EqualsLiteral("security.tls.version.min") ||
         prefName.EqualsLiteral("security.tls.version.max")) {
       (void) setEnabledTLSVersions();
     } else if (prefName.EqualsLiteral("security.ssl.require_safe_negotiation")) {
       bool requireSafeNegotiation =
@@ -2393,19 +2385,16 @@ nsNSSComponent::RegisterObservers()
 }
 
 #ifdef DEBUG
 NS_IMETHODIMP
 nsNSSComponent::IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result)
 {
   result = false;
 
-  // Create the nsNSSCertificate and get its hash before acquiring mMutex (we
-  // must avoid acquiring mMutex and then creating an
-  // nsNSSShutDownPreventionLock).
   RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert);
   if (!nsc) {
     return NS_ERROR_FAILURE;
   }
   nsAutoString certHash;
   nsresult rv = nsc->GetSha256Fingerprint(certHash);
   if (NS_FAILED(rv)) {
     return rv;
@@ -2422,19 +2411,16 @@ nsNSSComponent::IsCertTestBuiltInRoot(CE
 }
 #endif // DEBUG
 
 NS_IMETHODIMP
 nsNSSComponent::IsCertContentSigningRoot(CERTCertificate* cert, bool& result)
 {
   result = false;
 
-  // Create the nsNSSCertificate and get its hash before acquiring mMutex (we
-  // must avoid acquiring mMutex and then creating an
-  // nsNSSShutDownPreventionLock).
   RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert);
   if (!nsc) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("creating nsNSSCertificate failed"));
     return NS_ERROR_FAILURE;
   }
   nsAutoString certHash;
   nsresult rv = nsc->GetSha256Fingerprint(certHash);
   if (NS_FAILED(rv)) {
@@ -2528,18 +2514,17 @@ getNSSDialogs(void** _result, REFNSIID a
   }
 
   rv = svc->QueryInterface(aIID, _result);
 
   return rv;
 }
 
 nsresult
-setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx,
-            nsNSSShutDownPreventionLock& /*proofOfLock*/)
+setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx)
 {
   MOZ_ASSERT(slot);
   MOZ_ASSERT(ctx);
   NS_ENSURE_ARG_POINTER(slot);
   NS_ENSURE_ARG_POINTER(ctx);
 
   if (PK11_NeedUserInit(slot)) {
     nsCOMPtr<nsITokenPasswordDialogs> dialogs;
--- a/security/manager/ssl/nsNSSComponent.h
+++ b/security/manager/ssl/nsNSSComponent.h
@@ -178,19 +178,16 @@ private:
 #endif // XP_WIN
 
   // mLoadableRootsLoadedMonitor protects mLoadableRootsLoaded.
   mozilla::Monitor mLoadableRootsLoadedMonitor;
   bool mLoadableRootsLoaded;
   nsresult mLoadableRootsLoadedResult;
 
   // mMutex protects all members that are accessed from more than one thread.
-  // While this lock is held, the same thread must not attempt to acquire a
-  // nsNSSShutDownPreventionLock (acquiring a nsNSSShutDownPreventionLock and
-  // then acquiring this lock is fine).
   mozilla::Mutex mMutex;
 
   // The following members are accessed from more than one thread:
   nsCOMPtr<nsIStringBundle> mPIPNSSBundle;
   nsCOMPtr<nsIStringBundle> mNSSErrorsBundle;
   bool mNSSInitialized;
 #ifdef DEBUG
   nsString mTestBuiltInRootHash;
--- a/security/manager/ssl/nsNSSHelper.h
+++ b/security/manager/ssl/nsNSSHelper.h
@@ -47,12 +47,11 @@ pip_ucs2_ascii_conversion_fn(PRBool toUn
                              unsigned int *outBufLen,
                              PRBool swapBytes);
 }
 
 //
 // A function that sets the password on an unitialized slot.
 //
 nsresult
-setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx,
-            nsNSSShutDownPreventionLock& /*proofOfLock*/);
+setPassword(PK11SlotInfo* slot, nsIInterfaceRequestor* ctx);
 
 #endif
--- a/security/manager/ssl/nsNSSIOLayer.cpp
+++ b/security/manager/ssl/nsNSSIOLayer.cpp
@@ -353,17 +353,16 @@ nsNSSSocketInfo::GetNegotiatedNPN(nsACSt
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::GetAlpnEarlySelection(nsACString& aAlpnSelected)
 {
   aAlpnSelected.Truncate();
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   SSLPreliminaryChannelInfo info;
   SECStatus rv = SSL_GetPreliminaryChannelInfo(mFd, &info, sizeof(info));
   if (rv != SECSuccess || !info.canSendEarlyData) {
     return NS_ERROR_NOT_AVAILABLE;
@@ -398,17 +397,16 @@ void
 nsNSSSocketInfo::SetEarlyDataAccepted(bool aAccepted)
 {
   mEarlyDataAccepted = aAccepted;
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::DriveHandshake()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   if (!mFd) {
     return NS_ERROR_FAILURE;
   }
   PRErrorCode errorCode = GetErrorCode();
   if (errorCode) {
@@ -581,17 +579,16 @@ NS_IMETHODIMP
 nsNSSSocketInfo::StartTLS()
 {
   return ActivateSSL();
 }
 
 NS_IMETHODIMP
 nsNSSSocketInfo::SetNPNList(nsTArray<nsCString>& protocolArray)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
   if (!mFd)
     return NS_ERROR_FAILURE;
 
   // the npn list is a concatenated list of 8 bit byte strings.
   nsCString npnList;
 
@@ -611,17 +608,16 @@ nsNSSSocketInfo::SetNPNList(nsTArray<nsC
     return NS_ERROR_FAILURE;
 
   return NS_OK;
 }
 
 nsresult
 nsNSSSocketInfo::ActivateSSL()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (SECSuccess != SSL_OptionSet(mFd, SSL_SECURITY, true))
     return NS_ERROR_FAILURE;
   if (SECSuccess != SSL_ResetHandshake(mFd, false))
     return NS_ERROR_FAILURE;
 
@@ -745,18 +741,17 @@ namespace {
 
 enum Operation { reading, writing, not_reading_or_writing };
 
 int32_t checkHandshake(int32_t bytesTransfered, bool wasReading,
                        PRFileDesc* ssl_layer_fd,
                        nsNSSSocketInfo* socketInfo);
 
 nsNSSSocketInfo*
-getSocketInfoIfRunning(PRFileDesc* fd, Operation op,
-                       const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+getSocketInfoIfRunning(PRFileDesc* fd, Operation op)
 {
   if (!fd || !fd->lower || !fd->secret ||
       fd->identity != nsSSLIOLayerHelpers::nsSSLIOLayerIdentity) {
     NS_ERROR("bad file descriptor passed to getSocketInfoIfRunning");
     PR_SetError(PR_BAD_DESCRIPTOR_ERROR, 0);
     return nullptr;
   }
 
@@ -787,18 +782,17 @@ getSocketInfoIfRunning(PRFileDesc* fd, O
 } // namespace
 
 static PRStatus
 nsSSLIOLayerConnect(PRFileDesc* fd, const PRNetAddr* addr,
                     PRIntervalTime timeout)
 {
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] connecting SSL socket\n",
          (void*) fd));
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   PRStatus status = fd->lower->methods->connect(fd->lower, addr, timeout);
   if (status != PR_SUCCESS) {
     MOZ_LOG(gPIPNSSLog, LogLevel::Error, ("[%p] Lower layer connect error: %d\n",
                                       (void*) fd, PR_GetError()));
     return status;
   }
@@ -960,32 +954,30 @@ bool nsSSLIOLayerHelpers::nsSSLIOLayerIn
 PRDescIdentity nsSSLIOLayerHelpers::nsSSLIOLayerIdentity;
 PRDescIdentity nsSSLIOLayerHelpers::nsSSLPlaintextLayerIdentity;
 PRIOMethods nsSSLIOLayerHelpers::nsSSLIOLayerMethods;
 PRIOMethods nsSSLIOLayerHelpers::nsSSLPlaintextLayerMethods;
 
 static PRStatus
 nsSSLIOLayerClose(PRFileDesc* fd)
 {
-  nsNSSShutDownPreventionLock locker;
   if (!fd)
     return PR_FAILURE;
 
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] Shutting down socket\n",
          (void*) fd));
 
   nsNSSSocketInfo* socketInfo = (nsNSSSocketInfo*) fd->secret;
   MOZ_ASSERT(socketInfo, "nsNSSSocketInfo was null for an fd");
 
-  return socketInfo->CloseSocketAndDestroy(locker);
+  return socketInfo->CloseSocketAndDestroy();
 }
 
 PRStatus
-nsNSSSocketInfo::CloseSocketAndDestroy(
-    const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+nsNSSSocketInfo::CloseSocketAndDestroy()
 {
   PRFileDesc* popped = PR_PopIOLayer(mFd, PR_TOP_IO_LAYER);
   MOZ_ASSERT(popped &&
                popped->identity == nsSSLIOLayerHelpers::nsSSLIOLayerIdentity,
              "SSL Layer not on top of stack");
 
   // The plaintext layer is not always present - so it's not a fatal error if it
   // cannot be removed.
@@ -1351,27 +1343,25 @@ checkHandshake(int32_t bytesTransfered, 
   return bytesTransfered;
 }
 
 } // namespace
 
 static int16_t
 nsSSLIOLayerPoll(PRFileDesc* fd, int16_t in_flags, int16_t* out_flags)
 {
-  nsNSSShutDownPreventionLock locker;
-
   if (!out_flags) {
     NS_WARNING("nsSSLIOLayerPoll called with null out_flags");
     return 0;
   }
 
   *out_flags = 0;
 
   nsNSSSocketInfo* socketInfo =
-    getSocketInfoIfRunning(fd, not_reading_or_writing, locker);
+    getSocketInfoIfRunning(fd, not_reading_or_writing);
 
   if (!socketInfo) {
     // If we get here, it is probably because certificate validation failed
     // and this is the first I/O operation after the failure.
     MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
             ("[%p] polling SSL socket right after certificate verification failed "
                   "or NSS shutdown or SDR logout %d\n",
              fd, (int) in_flags));
@@ -1440,59 +1430,54 @@ static PRFileDesc*
   MOZ_ASSERT_UNREACHABLE("I/O method is invalid");
   PR_SetError(PR_INVALID_METHOD_ERROR, 0);
   return nullptr;
 }
 
 static PRStatus
 PSMGetsockname(PRFileDesc* fd, PRNetAddr* addr)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   return fd->lower->methods->getsockname(fd->lower, addr);
 }
 
 static PRStatus
 PSMGetpeername(PRFileDesc* fd, PRNetAddr* addr)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   return fd->lower->methods->getpeername(fd->lower, addr);
 }
 
 static PRStatus
 PSMGetsocketoption(PRFileDesc* fd, PRSocketOptionData* data)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   return fd->lower->methods->getsocketoption(fd, data);
 }
 
 static PRStatus
 PSMSetsocketoption(PRFileDesc* fd, const PRSocketOptionData* data)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   return fd->lower->methods->setsocketoption(fd, data);
 }
 
 static int32_t
 PSMRecv(PRFileDesc* fd, void* buf, int32_t amount, int flags,
         PRIntervalTime timeout)
 {
-  nsNSSShutDownPreventionLock locker;
-  nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, reading, locker);
+  nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, reading);
   if (!socketInfo)
     return -1;
 
   if (flags != PR_MSG_PEEK && flags != 0) {
     PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
     return -1;
   }
 
@@ -1508,18 +1493,17 @@ PSMRecv(PRFileDesc* fd, void* buf, int32
 
   return checkHandshake(bytesRead, true, fd, socketInfo);
 }
 
 static int32_t
 PSMSend(PRFileDesc* fd, const void* buf, int32_t amount, int flags,
         PRIntervalTime timeout)
 {
-  nsNSSShutDownPreventionLock locker;
-  nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, writing, locker);
+  nsNSSSocketInfo* socketInfo = getSocketInfoIfRunning(fd, writing);
   if (!socketInfo)
     return -1;
 
   if (flags != 0) {
     PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
     return -1;
   }
 
@@ -1594,18 +1578,17 @@ PSMSend(PRFileDesc* fd, const void* buf,
           ("[%p] wrote %d bytes\n", fd, bytesWritten));
 
   return checkHandshake(bytesWritten, false, fd, socketInfo);
 }
 
 static PRStatus
 PSMBind(PRFileDesc* fd, const PRNetAddr *addr)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker))
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing))
     return PR_FAILURE;
 
   return fd->lower->methods->bind(fd->lower, addr);
 }
 
 static int32_t
 nsSSLIOLayerRead(PRFileDesc* fd, void* buf, int32_t amount)
 {
@@ -1616,18 +1599,17 @@ static int32_t
 nsSSLIOLayerWrite(PRFileDesc* fd, const void* buf, int32_t amount)
 {
   return PSMSend(fd, buf, amount, 0, PR_INTERVAL_NO_TIMEOUT);
 }
 
 static PRStatus
 PSMConnectcontinue(PRFileDesc* fd, int16_t out_flags)
 {
-  nsNSSShutDownPreventionLock locker;
-  if (!getSocketInfoIfRunning(fd, not_reading_or_writing, locker)) {
+  if (!getSocketInfoIfRunning(fd, not_reading_or_writing)) {
     return PR_FAILURE;
   }
 
   return fd->lower->methods->connectcontinue(fd, out_flags);
 }
 
 static int
 PSMAvailable(void)
@@ -2160,18 +2142,16 @@ private:
 //             successful; otherwise nullptr
 // - pRetKey: returns a pointer to a pointer to the corresponding key if
 //            successful; otherwise nullptr
 SECStatus
 nsNSS_SSLGetClientAuthData(void* arg, PRFileDesc* socket,
                            CERTDistNames* caNames, CERTCertificate** pRetCert,
                            SECKEYPrivateKey** pRetKey)
 {
-  nsNSSShutDownPreventionLock locker;
-
   if (!socket || !caNames || !pRetCert || !pRetKey) {
     PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
     return SECFailure;
   }
 
   RefPtr<nsNSSSocketInfo> info(
     BitwiseCast<nsNSSSocketInfo*, PRFilePrivate*>(socket->higher->secret));
 
@@ -2493,17 +2473,16 @@ done:
   }
 }
 
 static PRFileDesc*
 nsSSLIOLayerImportFD(PRFileDesc* fd,
                      nsNSSSocketInfo* infoObject,
                      const char* host)
 {
-  nsNSSShutDownPreventionLock locker;
   PRFileDesc* sslSock = SSL_ImportFD(nullptr, fd);
   if (!sslSock) {
     MOZ_ASSERT_UNREACHABLE("NSS: Error importing socket");
     return nullptr;
   }
   SSL_SetPKCS11PinArg(sslSock, (nsIInterfaceRequestor*) infoObject);
   SSL_HandshakeCallback(sslSock, HandshakeCallback, infoObject);
   SSL_SetCanFalseStartCallback(sslSock, CanFalseStartCallback, infoObject);
@@ -2558,17 +2537,16 @@ static const SSLSignatureScheme sEnabled
   ssl_sig_rsa_pkcs1_sha1,
 };
 
 static nsresult
 nsSSLIOLayerSetOptions(PRFileDesc* fd, bool forSTARTTLS,
                        bool haveProxy, const char* host, int32_t port,
                        nsNSSSocketInfo* infoObject)
 {
-  nsNSSShutDownPreventionLock locker;
   if (forSTARTTLS || haveProxy) {
     if (SECSuccess != SSL_OptionSet(fd, SSL_SECURITY, false)) {
       return NS_ERROR_FAILURE;
     }
   }
 
   SSLVersionRange range;
   if (SSL_VersionRangeGet(fd, &range) != SECSuccess) {
@@ -2733,17 +2711,16 @@ nsSSLIOLayerAddToSocket(int32_t family,
                         nsIProxyInfo* proxy,
                         const OriginAttributes& originAttributes,
                         PRFileDesc* fd,
                         nsISupports** info,
                         bool forSTARTTLS,
                         uint32_t providerFlags,
                         uint32_t providerTlsFlags)
 {
-  nsNSSShutDownPreventionLock locker;
   PRFileDesc* layer = nullptr;
   PRFileDesc* plaintextLayer = nullptr;
   nsresult rv;
   PRStatus stat;
 
   SharedSSLState* sharedState = nullptr;
   RefPtr<SharedSSLState> allocatedState;
   if (providerTlsFlags) {
--- a/security/manager/ssl/nsNSSIOLayer.h
+++ b/security/manager/ssl/nsNSSIOLayer.h
@@ -50,18 +50,17 @@ public:
   nsresult SetFileDescPtr(PRFileDesc* aFilePtr);
 
   bool IsHandshakePending() const { return mHandshakePending; }
   void SetHandshakeNotPending() { mHandshakePending = false; }
 
   void SetTLSVersionRange(SSLVersionRange range) { mTLSVersionRange = range; }
   SSLVersionRange GetTLSVersionRange() const { return mTLSVersionRange; };
 
-  PRStatus CloseSocketAndDestroy(
-                const nsNSSShutDownPreventionLock& proofOfLock);
+  PRStatus CloseSocketAndDestroy();
 
   void SetNegotiatedNPN(const char* value, uint32_t length);
   void SetEarlyDataAccepted(bool aAccepted);
 
   void SetHandshakeCompleted();
   void NoteTimeUntilReady();
 
 
--- a/security/manager/ssl/nsNSSShutDown.h
+++ b/security/manager/ssl/nsNSSShutDown.h
@@ -5,36 +5,16 @@
 #ifndef nsNSSShutDown_h
 #define nsNSSShutDown_h
 
 // This is the vestigial remains of the old NSS shutdown tracking
 // infrastructure. It will be removed entirely in bug 1421084 when we've
 // demonstrated that shutting down NSS only when all non-main-threads have been
 // joined is feasible (and beneficial).
 
-// Yes, this races. We don't care because we're only temporarily using this to
-// silence compiler warnings. Without it every instance of a
-// nsNSSShutDownPreventionLock would be unused, causing the compiler to
-// complain.
-static int sSilenceCompilerWarnings;
-
-class nsNSSShutDownPreventionLock
-{
-public:
-  nsNSSShutDownPreventionLock()
-  {
-    sSilenceCompilerWarnings++;
-  }
-
-  ~nsNSSShutDownPreventionLock()
-  {
-    sSilenceCompilerWarnings--;
-  }
-};
-
 class nsNSSShutDownObject
 {
 public:
   enum class ShutdownCalledFrom {
     List,
     Object,
   };
 
--- a/security/manager/ssl/nsNTLMAuthModule.cpp
+++ b/security/manager/ssl/nsNTLMAuthModule.cpp
@@ -981,20 +981,17 @@ nsNTLMAuthModule::InitTest()
 {
   static bool prefObserved = false;
   if (!prefObserved) {
     mozilla::Preferences::AddBoolVarCache(
       &sNTLMv1Forced, "network.auth.force-generic-ntlm-v1", sNTLMv1Forced);
     prefObserved = true;
   }
 
-  nsNSSShutDownPreventionLock locker;
-  //
   // disable NTLM authentication when FIPS mode is enabled.
-  //
   return PK11_IsFIPS() ? NS_ERROR_NOT_AVAILABLE : NS_OK;
 }
 
 NS_IMETHODIMP
 nsNTLMAuthModule::Init(const char* /*serviceName*/, uint32_t serviceFlags,
                        const char16_t* domain, const char16_t* username,
                        const char16_t* password)
 {
@@ -1022,22 +1019,21 @@ nsNTLMAuthModule::Init(const char* /*ser
 
 NS_IMETHODIMP
 nsNTLMAuthModule::GetNextToken(const void *inToken,
                                uint32_t    inTokenLen,
                                void      **outToken,
                                uint32_t   *outTokenLen)
 {
   nsresult rv;
-  nsNSSShutDownPreventionLock locker;
-  //
+
   // disable NTLM authentication when FIPS mode is enabled.
-  //
-  if (PK11_IsFIPS())
+  if (PK11_IsFIPS()) {
     return NS_ERROR_NOT_AVAILABLE;
+  }
 
   if (mNTLMNegotiateSent) {
     // if inToken is non-null, and we have sent the NTLMSSP_NEGOTIATE (type 1),
     // then the NTLMSSP_CHALLENGE (type 2) is expected
     if (inToken) {
       LogToken("in-token", inToken, inTokenLen);
       // Now generate the NTLMSSP_AUTH (type 3)
       rv = GenerateType3Msg(mDomain, mUsername, mPassword, inToken,
--- a/security/manager/ssl/nsPK11TokenDB.cpp
+++ b/security/manager/ssl/nsPK11TokenDB.cpp
@@ -22,28 +22,27 @@ extern mozilla::LazyLogModule gPIPNSSLog
 
 NS_IMPL_ISUPPORTS(nsPK11Token, nsIPK11Token)
 
 nsPK11Token::nsPK11Token(PK11SlotInfo* slot)
   : mUIContext(new PipUIContext())
 {
   MOZ_ASSERT(slot);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return;
 
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
 
-  Unused << refreshTokenInfo(locker);
+  Unused << refreshTokenInfo();
 }
 
 nsresult
-nsPK11Token::refreshTokenInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+nsPK11Token::refreshTokenInfo()
 {
   mTokenName = PK11_GetTokenName(mSlot.get());
 
   CK_TOKEN_INFO tokInfo;
   nsresult rv = MapSECStatus(PK11_GetTokenInfo(mSlot.get(), &tokInfo));
   if (NS_FAILED(rv)) {
     return rv;
   }
@@ -80,17 +79,16 @@ nsPK11Token::refreshTokenInfo(const nsNS
                          strnlen(ccSerial, sizeof(tokInfo.serialNumber)));
   mTokenSerialNum.Trim(" ", false, true);
 
   return NS_OK;
 }
 
 nsPK11Token::~nsPK11Token()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -104,24 +102,23 @@ nsPK11Token::destructorSafeDestroyNSSRef
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPK11Token::GetAttributeHelper(const nsACString& attribute,
                         /*out*/ nsACString& xpcomOutParam)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // Handle removals/insertions.
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
-    nsresult rv = refreshTokenInfo(locker);
+    nsresult rv = refreshTokenInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
   xpcomOutParam = attribute;
   return NS_OK;
 }
@@ -162,50 +159,47 @@ nsPK11Token::GetTokenSerialNumber(/*out*
   return GetAttributeHelper(mTokenSerialNum, tokenSerialNum);
 }
 
 NS_IMETHODIMP
 nsPK11Token::IsLoggedIn(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   *_retval = PK11_IsLoggedIn(mSlot.get(), 0);
 
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::Login(bool force)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsresult rv;
   bool test;
   rv = this->NeedsLogin(&test);
   if (NS_FAILED(rv)) return rv;
   if (test && force) {
     rv = this->LogoutSimple();
     if (NS_FAILED(rv)) return rv;
   }
-  rv = setPassword(mSlot.get(), mUIContext, locker);
+  rv = setPassword(mSlot.get(), mUIContext);
   if (NS_FAILED(rv)) return rv;
 
   return MapSECStatus(PK11_Authenticate(mSlot.get(), true, mUIContext));
 }
 
 NS_IMETHODIMP
 nsPK11Token::LogoutSimple()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   // PK11_Logout() can fail if the user wasn't logged in beforehand. We want
   // this method to succeed even in this case, so we ignore the return value.
   Unused << PK11_Logout(mSlot.get());
   return NS_OK;
 }
@@ -225,42 +219,39 @@ nsPK11Token::LogoutAndDropAuthenticatedR
     return rv;
 
   return nssComponent->LogoutAuthenticatedPK11();
 }
 
 NS_IMETHODIMP
 nsPK11Token::Reset()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   return MapSECStatus(PK11_ResetToken(mSlot.get(), nullptr));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit)
 {
   NS_ENSURE_ARG_POINTER(aNeedsUserInit);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   *aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::CheckPassword(const nsACString& password, bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   SECStatus srv =
     PK11_CheckUserPassword(mSlot.get(), PromiseFlatCString(password).get());
   if (srv != SECSuccess) {
     *_retval =  false;
     PRErrorCode error = PR_GetError();
@@ -272,17 +263,16 @@ nsPK11Token::CheckPassword(const nsACStr
     *_retval =  true;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::InitPassword(const nsACString& initialPassword)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
   // PSM initializes the sqlite-backed softoken with an empty password. The
   // implementation considers this not to be a password (GetHasPassword returns
   // false), but we can't actually call PK11_InitPin again. Instead, we call
@@ -297,17 +287,16 @@ nsPK11Token::InitPassword(const nsACStri
   }
   return MapSECStatus(PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::ChangePassword(const nsACString& oldPassword,
                             const nsACString& newPassword)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   // PK11_ChangePW() has different semantics for the empty string and for
   // nullptr. In order to support this difference, we need to check IsVoid() to
   // find out if our caller supplied null/undefined args or just empty strings.
   // See Bug 447589.
   return MapSECStatus(PK11_ChangePW(
@@ -316,34 +305,32 @@ nsPK11Token::ChangePassword(const nsACSt
     newPassword.IsVoid() ? nullptr : PromiseFlatCString(newPassword).get()));
 }
 
 NS_IMETHODIMP
 nsPK11Token::GetHasPassword(bool* hasPassword)
 {
   NS_ENSURE_ARG_POINTER(hasPassword);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // PK11_NeedLogin returns true if the token is currently configured to require
   // the user to log in (whether or not the user is actually logged in makes no
   // difference).
   *hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPK11Token::NeedsLogin(bool* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   *_retval = PK11_NeedLogin(mSlot.get());
 
   return NS_OK;
 }
 
@@ -352,30 +339,28 @@ nsPK11Token::NeedsLogin(bool* _retval)
 NS_IMPL_ISUPPORTS(nsPK11TokenDB, nsIPK11TokenDB)
 
 nsPK11TokenDB::nsPK11TokenDB()
 {
 }
 
 nsPK11TokenDB::~nsPK11TokenDB()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
@@ -387,17 +372,16 @@ nsPK11TokenDB::GetInternalKeyToken(nsIPK
 }
 
 NS_IMETHODIMP
 nsPK11TokenDB::FindTokenByName(const nsACString& tokenName,
                        /*out*/ nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   nsresult rv = BlockUntilLoadableRootsLoaded();
   if (NS_FAILED(rv)) {
     return rv;
   }
--- a/security/manager/ssl/nsPK11TokenDB.h
+++ b/security/manager/ssl/nsPK11TokenDB.h
@@ -26,17 +26,17 @@ public:
 
   explicit nsPK11Token(PK11SlotInfo *slot);
 
 protected:
   virtual ~nsPK11Token();
 
 private:
   friend class nsPK11TokenDB;
-  nsresult refreshTokenInfo(const nsNSSShutDownPreventionLock& proofOfLock);
+  nsresult refreshTokenInfo();
 
   nsCString mTokenName;
   nsCString mTokenLabel;
   nsCString mTokenManufacturerID;
   nsCString mTokenHWVersion;
   nsCString mTokenFWVersion;
   nsCString mTokenSerialNum;
   mozilla::UniquePK11SlotInfo mSlot;
--- a/security/manager/ssl/nsPKCS11Slot.cpp
+++ b/security/manager/ssl/nsPKCS11Slot.cpp
@@ -22,27 +22,26 @@ using mozilla::LogLevel;
 extern mozilla::LazyLogModule gPIPNSSLog;
 
 NS_IMPL_ISUPPORTS(nsPKCS11Slot, nsIPKCS11Slot)
 
 nsPKCS11Slot::nsPKCS11Slot(PK11SlotInfo* slot)
 {
   MOZ_ASSERT(slot);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return;
 
   mSlot.reset(PK11_ReferenceSlot(slot));
   mSeries = PK11_GetSlotSeries(slot);
-  Unused << refreshSlotInfo(locker);
+  Unused << refreshSlotInfo();
 }
 
 nsresult
-nsPKCS11Slot::refreshSlotInfo(const nsNSSShutDownPreventionLock& /*proofOfLock*/)
+nsPKCS11Slot::refreshSlotInfo()
 {
   CK_SLOT_INFO slotInfo;
   nsresult rv = MapSECStatus(PK11_GetSlotInfo(mSlot.get(), &slotInfo));
   if (NS_FAILED(rv)) {
     return rv;
   }
 
   // Set the Description field
@@ -71,17 +70,16 @@ nsPKCS11Slot::refreshSlotInfo(const nsNS
   mSlotFWVersion.Append('.');
   mSlotFWVersion.AppendInt(slotInfo.firmwareVersion.minor);
 
   return NS_OK;
 }
 
 nsPKCS11Slot::~nsPKCS11Slot()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -95,36 +93,34 @@ nsPKCS11Slot::destructorSafeDestroyNSSRe
 {
   mSlot = nullptr;
 }
 
 nsresult
 nsPKCS11Slot::GetAttributeHelper(const nsACString& attribute,
                          /*out*/ nsACString& xpcomOutParam)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
-    nsresult rv = refreshSlotInfo(locker);
+    nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
   xpcomOutParam = attribute;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetName(/*out*/ nsACString& name)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   // |csn| is non-owning.
   char* csn = PK11_GetSlotName(mSlot.get());
   if (csn && *csn) {
     name = csn;
   } else if (PK11_HasRootCerts(mSlot.get())) {
@@ -164,54 +160,51 @@ nsPKCS11Slot::GetFWVersion(/*out*/ nsACS
   return GetAttributeHelper(mSlotFWVersion, fwVersion);
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetToken(nsIPK11Token** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   nsCOMPtr<nsIPK11Token> token = new nsPK11Token(mSlot.get());
   token.forget(_retval);
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetTokenName(/*out*/ nsACString& tokenName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (!PK11_IsPresent(mSlot.get())) {
     tokenName.SetIsVoid(true);
     return NS_OK;
   }
 
   if (PK11_GetSlotSeries(mSlot.get()) != mSeries) {
-    nsresult rv = refreshSlotInfo(locker);
+    nsresult rv = refreshSlotInfo();
     if (NS_FAILED(rv)) {
       return rv;
     }
   }
 
   tokenName = PK11_GetTokenName(mSlot.get());
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Slot::GetStatus(uint32_t* _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (PK11_IsDisabled(mSlot.get())) {
     *_retval = SLOT_DISABLED;
   } else if (!PK11_IsPresent(mSlot.get())) {
     *_retval = SLOT_NOT_PRESENT;
   } else if (PK11_NeedLogin(mSlot.get()) && PK11_NeedUserInit(mSlot.get())) {
@@ -228,26 +221,24 @@ nsPKCS11Slot::GetStatus(uint32_t* _retva
 }
 
 NS_IMPL_ISUPPORTS(nsPKCS11Module, nsIPKCS11Module)
 
 nsPKCS11Module::nsPKCS11Module(SECMODModule* module)
 {
   MOZ_ASSERT(module);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return;
 
   mModule.reset(SECMOD_ReferenceModule(module));
 }
 
 nsPKCS11Module::~nsPKCS11Module()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   destructorSafeDestroyNSSReference();
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
@@ -260,28 +251,26 @@ void
 nsPKCS11Module::destructorSafeDestroyNSSReference()
 {
   mModule = nullptr;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetName(/*out*/ nsACString& name)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   name = mModule->commonName;
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::GetLibName(/*out*/ nsACString& libName)
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   if (mModule->dllName) {
     libName = mModule->dllName;
   } else {
     libName.SetIsVoid(true);
   }
@@ -289,17 +278,16 @@ nsPKCS11Module::GetLibName(/*out*/ nsACS
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::FindSlotByName(const nsACString& name,
                        /*out*/ nsIPKCS11Slot** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown())
     return NS_ERROR_NOT_AVAILABLE;
 
   const nsCString& flatName = PromiseFlatCString(name);
   MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Getting \"%s\"", flatName.get()));
   UniquePK11SlotInfo slotInfo;
   UniquePK11SlotList slotList(PK11_FindSlotsByNames(mModule->dllName,
                                                     flatName.get() /*slotName*/,
@@ -328,17 +316,16 @@ nsPKCS11Module::FindSlotByName(const nsA
   return NS_OK;
 }
 
 NS_IMETHODIMP
 nsPKCS11Module::ListSlots(nsISimpleEnumerator** _retval)
 {
   NS_ENSURE_ARG_POINTER(_retval);
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
   nsresult rv = CheckForSmartCardChanges();
   if (NS_FAILED(rv)) {
     return rv;
   }
 
--- a/security/manager/ssl/nsPKCS11Slot.h
+++ b/security/manager/ssl/nsPKCS11Slot.h
@@ -32,17 +32,17 @@ private:
   nsCString mSlotDesc;
   nsCString mSlotManufacturerID;
   nsCString mSlotHWVersion;
   nsCString mSlotFWVersion;
   int mSeries;
 
   virtual void virtualDestroyNSSReference() override;
   void destructorSafeDestroyNSSReference();
-  nsresult refreshSlotInfo(const nsNSSShutDownPreventionLock& proofOfLock);
+  nsresult refreshSlotInfo();
   nsresult GetAttributeHelper(const nsACString& attribute,
                       /*out*/ nsACString& xpcomOutParam);
 };
 
 class nsPKCS11Module : public nsIPKCS11Module,
                        public nsNSSShutDownObject
 {
 public:
--- a/security/manager/ssl/nsPKCS12Blob.cpp
+++ b/security/manager/ssl/nsPKCS12Blob.cpp
@@ -37,32 +37,30 @@ nsPKCS12Blob::nsPKCS12Blob()
   , mTmpFile(nullptr)
 {
   mUIContext = new PipUIContext();
 }
 
 // destructor
 nsPKCS12Blob::~nsPKCS12Blob()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
 
   shutdown(ShutdownCalledFrom::Object);
 }
 
 // nsPKCS12Blob::ImportFromFile
 //
 // Given a file handle, read a PKCS#12 blob from that file, decode it, and
 // import the results into the internal database.
 nsresult
 nsPKCS12Blob::ImportFromFile(nsIFile *file)
 {
-  nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_OK;
 
   RetryReason wantRetry;
 
   do {
     rv = ImportFromFileHelper(file, im_standard_prompt, wantRetry);
 
     if (NS_SUCCEEDED(rv) && wantRetry == rr_auto_retry_empty_password_flavors) {
@@ -74,17 +72,16 @@ nsPKCS12Blob::ImportFromFile(nsIFile *fi
   return rv;
 }
 
 nsresult
 nsPKCS12Blob::ImportFromFileHelper(nsIFile *file,
                                    nsPKCS12Blob::ImportMode aImportMode,
                                    nsPKCS12Blob::RetryReason &aWantRetry)
 {
-  nsNSSShutDownPreventionLock locker;
   nsresult rv = NS_OK;
   SECStatus srv = SECSuccess;
   SEC_PKCS12DecoderContext *dcx = nullptr;
   SECItem unicodePw = { siBuffer, nullptr, 0  };
 
   aWantRetry = rr_do_not_retry;
 
   UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
@@ -183,17 +180,16 @@ isExtractable(SECKEYPrivateKey *privKey)
 // nsPKCS12Blob::ExportToFile
 //
 // Having already loaded the certs, form them into a blob (loading the keys
 // also), encode the blob, and stuff it into the file.
 nsresult
 nsPKCS12Blob::ExportToFile(nsIFile *file,
                            nsIX509Cert **certs, int numCerts)
 {
-  nsNSSShutDownPreventionLock locker;
   nsresult rv;
   SECStatus srv = SECSuccess;
   SEC_PKCS12ExportContext *ecx = nullptr;
   SEC_PKCS12SafeInfo *certSafe = nullptr, *keySafe = nullptr;
   SECItem unicodePw;
   nsAutoString filePath;
   int i;
   nsCOMPtr<nsIFile> localFileRef;
@@ -384,17 +380,16 @@ nsPKCS12Blob::getPKCS12FilePassword(SECI
 }
 
 // inputToDecoder
 //
 // Given a decoder, read bytes from file and input them to the decoder.
 nsresult
 nsPKCS12Blob::inputToDecoder(SEC_PKCS12DecoderContext *dcx, nsIFile *file)
 {
-  nsNSSShutDownPreventionLock locker;
   nsresult rv;
   SECStatus srv;
   uint32_t amount;
   char buf[PIP_PKCS12_BUFFER_SIZE];
 
   nsCOMPtr<nsIInputStream> fileStream;
   rv = NS_NewLocalFileInputStream(getter_AddRefs(fileStream), file);
 
@@ -424,17 +419,16 @@ nsPKCS12Blob::inputToDecoder(SEC_PKCS12D
 }
 
 // nickname_collision
 // what to do when the nickname collides with one already in the db.
 // TODO: not handled, throw a dialog allowing the nick to be changed?
 SECItem *
 nsPKCS12Blob::nickname_collision(SECItem *oldNick, PRBool *cancel, void *wincx)
 {
-  nsNSSShutDownPreventionLock locker;
   *cancel = false;
   int count = 1;
   nsCString nickname;
   nsAutoString nickFromProp;
   nsresult rv = GetPIPNSSBundleString("P12DefaultNickname", nickFromProp);
   if (NS_FAILED(rv)) {
     return nullptr;
   }
--- a/security/manager/ssl/nsRandomGenerator.cpp
+++ b/security/manager/ssl/nsRandomGenerator.cpp
@@ -14,17 +14,16 @@ NS_IMPL_ISUPPORTS(nsRandomGenerator, nsI
 
 NS_IMETHODIMP
 nsRandomGenerator::GenerateRandomBytes(uint32_t aLength,
                                        uint8_t** aBuffer)
 {
   NS_ENSURE_ARG_POINTER(aBuffer);
   *aBuffer = nullptr;
 
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   mozilla::UniquePK11SlotInfo slot(PK11_GetInternalSlot());
   if (!slot) {
     return NS_ERROR_FAILURE;
   }
@@ -42,14 +41,13 @@ nsRandomGenerator::GenerateRandomBytes(u
 
   *aBuffer = buf;
 
   return NS_OK;
 }
 
 nsRandomGenerator::~nsRandomGenerator()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
--- a/security/manager/ssl/nsSSLStatus.cpp
+++ b/security/manager/ssl/nsSSLStatus.cpp
@@ -390,17 +390,16 @@ nsSSLStatus::nsSSLStatus()
 , mHaveCertErrorBits(false)
 {
 }
 
 NS_IMPL_ISUPPORTS(nsSSLStatus, nsISSLStatus, nsISerializable, nsIClassInfo)
 
 nsSSLStatus::~nsSSLStatus()
 {
-  nsNSSShutDownPreventionLock locker;
   if (isAlreadyShutDown()) {
     return;
   }
   shutdown(ShutdownCalledFrom::Object);
 }
 
 void
 nsSSLStatus::SetServerCert(nsNSSCertificate* aServerCert, EVStatus aEVStatus)
@@ -410,23 +409,22 @@ nsSSLStatus::SetServerCert(nsNSSCertific
   mServerCert = aServerCert;
   mIsEV = (aEVStatus == EVStatus::EV);
   mHasIsEVStatus = true;
 }
 
 nsresult
 nsSSLStatus::SetSucceededCertChain(UniqueCERTCertList aCertList)
 {
-  nsNSSShutDownPreventionLock lock;
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
 
   // nsNSSCertList takes ownership of certList
-  mSucceededCertChain = new nsNSSCertList(Move(aCertList), lock);
+  mSucceededCertChain = new nsNSSCertList(Move(aCertList));
 
   return NS_OK;
 }
 
 void
 nsSSLStatus::SetFailedCertChain(nsIX509CertList* aX509CertList)
 {
   mFailedCertChain = aX509CertList;
--- a/services/crypto/component/IdentityCryptoService.cpp
+++ b/services/crypto/component/IdentityCryptoService.cpp
@@ -54,17 +54,16 @@ public:
   NS_DECL_NSIIDENTITYKEYPAIR
 
   KeyPair(SECKEYPrivateKey* aPrivateKey, SECKEYPublicKey* aPublicKey,
           nsIEventTarget* aOperationThread);
 
 private:
   ~KeyPair() override
   {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return;
     }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
@@ -96,17 +95,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   KeyGenRunnable(KeyType keyType, nsIIdentityKeyGenCallback * aCallback,
                  nsIEventTarget* aOperationThread);
 
 private:
   ~KeyGenRunnable() override
   {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return;
     }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
@@ -134,17 +132,16 @@ public:
   NS_DECL_NSIRUNNABLE
 
   SignRunnable(const nsACString & textToSign, SECKEYPrivateKey * privateKey,
                nsIIdentitySignCallback * aCallback);
 
 private:
   ~SignRunnable() override
   {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       return;
     }
     destructorSafeDestroyNSSReference();
     shutdown(ShutdownCalledFrom::Object);
   }
 
   void virtualDestroyNSSReference() override
@@ -436,17 +433,16 @@ GenerateDSAKeyPair(PK11SlotInfo * slot,
   return GenerateKeyPair(slot, privateKey, publicKey, CKM_DSA_KEY_PAIR_GEN,
                          &pqgParams);
 }
 
 NS_IMETHODIMP
 KeyGenRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       mRv = NS_ERROR_NOT_AVAILABLE;
     } else {
       // We always want to use the internal slot for BrowserID; in particular,
       // we want to avoid smartcard slots.
       PK11SlotInfo *slot = PK11_GetInternalSlot();
       if (!slot) {
         mRv = NS_ERROR_UNEXPECTED;
@@ -495,17 +491,16 @@ SignRunnable::SignRunnable(const nsACStr
   , mRv(NS_ERROR_NOT_INITIALIZED)
 {
 }
 
 NS_IMETHODIMP
 SignRunnable::Run()
 {
   if (!NS_IsMainThread()) {
-    nsNSSShutDownPreventionLock locker;
     if (isAlreadyShutDown()) {
       mRv = NS_ERROR_NOT_AVAILABLE;
     } else {
       // We need the output in PKCS#11 format, not DER encoding, so we must use
       // PK11_HashBuf and PK11_Sign instead of SEC_SignData.
 
       SECItem sig = { siBuffer, nullptr, 0 };
       int sigLength = PK11_SignatureLen(mPrivateKey);