Merge inbound to central, a=merge
authorWes Kocher <wkocher@mozilla.com>
Mon, 24 Jul 2017 18:06:39 -0700
changeset 421720 dcfb58fcb6dd8f6474eed6520ba6272dedded393
parent 421679 f6528783c52507e29d5be409cc8fbf9a394a5ac8 (current diff)
parent 421719 0bd090362de77a8bf247e3c4f97a9f76f9afc04d (diff)
child 421721 a2058025fd776f8e4ec889ab8ba1c217dc390e4f
child 421801 ac8d8ab529f23c2edc2d27a0deb0e296a521dee6
child 421891 661014562d027e9040c8ca0bb6245b9de1614779
push id1517
push userjlorenzo@mozilla.com
push dateThu, 14 Sep 2017 16:50:54 +0000
treeherdermozilla-release@3b41fd564418 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmerge
milestone56.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Merge inbound to central, a=merge MozReview-Commit-ID: 1oTeP8uycV2
--- a/browser/base/content/pageinfo/pageInfo.js
+++ b/browser/base/content/pageinfo/pageInfo.js
@@ -1019,19 +1019,20 @@ function formatNumber(number) {
   return (+number).toLocaleString();  // coerce number to a numeric value before calling toLocaleString()
 }
 
 function formatDate(datestr, unknown) {
   var date = new Date(datestr);
   if (!date.valueOf())
     return unknown;
 
-  const dtOptions = { year: "numeric", month: "long", day: "numeric",
-                      hour: "numeric", minute: "numeric", second: "numeric" };
-  return date.toLocaleString(undefined, dtOptions);
+  const dateTimeFormatter = Services.intl.createDateTimeFormat(undefined, {
+    dateStyle: "long", timeStyle: "long"
+  });
+  return dateTimeFormatter.format(date);
 }
 
 function doCopy() {
   if (!gClipboardHelper)
     return;
 
   var elem = document.commandDispatcher.focusedElement;
 
--- a/browser/components/preferences/cookies.js
+++ b/browser/components/preferences/cookies.js
@@ -492,19 +492,20 @@ var gCookiesWindow = {
         break;
     }
     this._view._rowCount = hostCount.value;
   },
 
   formatExpiresString(aExpires) {
     if (aExpires) {
       var date = new Date(1000 * aExpires);
-      const dtOptions = { year: "numeric", month: "long", day: "numeric",
-                          hour: "numeric", minute: "numeric", second: "numeric" };
-      return date.toLocaleString(undefined, dtOptions);
+      const dateTimeFormatter = Services.intl.createDateTimeFormat(undefined, {
+        dateStyle: "long", timeStyle: "long"
+      });
+      return dateTimeFormatter.format(date);
     }
     return this._bundle.getString("expireAtEndOfSession");
   },
 
   _getUserContextString(aUserContextId) {
     if (parseInt(aUserContextId) == 0) {
       return this._bundle.getString("defaultUserContextLabel");
     }
--- a/browser/components/sessionstore/test/browser_sessionStorage_size.js
+++ b/browser/components/sessionstore/test/browser_sessionStorage_size.js
@@ -5,34 +5,46 @@
 
 const RAND = Math.random();
 const URL = "http://mochi.test:8888/browser/" +
             "browser/components/sessionstore/test/browser_sessionStorage.html" +
             "?" + RAND;
 
 const OUTER_VALUE = "outer-value-" + RAND;
 
+function getEstimateChars() {
+  let snap;
+  if (gMultiProcessBrowser) {
+    snap = Services.telemetry.histogramSnapshots.content["FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS"];
+  } else {
+    snap = Services.telemetry.histogramSnapshots.parent["FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS"];
+  }
+  if (!snap) {
+    return 0;
+  }
+  return snap.counts[4];
+}
+
 // Test that we record the size of messages.
 add_task(async function test_telemetry() {
   Services.telemetry.canRecordExtended = true;
-  let suffix = gMultiProcessBrowser ? "#content" : "";
-  let histogram = Services.telemetry.getHistogramById("FX_SESSION_RESTORE_DOM_STORAGE_SIZE_ESTIMATE_CHARS" + suffix);
-  let snap1 = histogram.snapshot();
+
+  let prev = getEstimateChars()
 
   let tab = BrowserTestUtils.addTab(gBrowser, URL);
   let browser = tab.linkedBrowser;
   await promiseBrowserLoaded(browser);
 
   // Flush to make sure we submitted telemetry data.
   await TabStateFlusher.flush(browser);
 
   // There is no good way to make sure that the parent received the histogram entries from the child processes.
   // Let's stick to the ugly, spinning the event loop until we have a good approach (Bug 1357509).
   await BrowserTestUtils.waitForCondition(() => {
-    return histogram.snapshot().counts[4] > snap1.counts[4];
+    return getEstimateChars() > prev;
   });
 
   Assert.ok(true);
   await promiseRemoveTab(tab);
   Services.telemetry.canRecordExtended = false;
 });
 
 // Lower the size limit for DOM Storage content. Check that DOM Storage
--- a/devtools/shared/fronts/inspector.js
+++ b/devtools/shared/fronts/inspector.js
@@ -18,65 +18,64 @@ const {
   inspectorSpec,
   nodeSpec,
   nodeListSpec,
   walkerSpec
 } = require("devtools/shared/specs/inspector");
 const promise = require("promise");
 const defer = require("devtools/shared/defer");
 const { Task } = require("devtools/shared/task");
-const { Class } = require("sdk/core/heritage");
 const events = require("sdk/event/core");
 const object = require("sdk/util/object");
 const nodeConstants = require("devtools/shared/dom-node-constants.js");
 loader.lazyRequireGetter(this, "CommandUtils",
   "devtools/client/shared/developer-toolbar", true);
 
 const HIDDEN_CLASS = "__fx-devtools-hide-shortcut__";
 
 /**
  * Convenience API for building a list of attribute modifications
  * for the `modifyAttributes` request.
  */
-const AttributeModificationList = Class({
-  initialize: function (node) {
+class AttributeModificationList {
+  constructor(node) {
     this.node = node;
     this.modifications = [];
-  },
+  }
 
-  apply: function () {
+  apply() {
     let ret = this.node.modifyAttributes(this.modifications);
     return ret;
-  },
+  }
 
-  destroy: function () {
+  destroy() {
     this.node = null;
     this.modification = null;
-  },
+  }
 
-  setAttributeNS: function (ns, name, value) {
+  setAttributeNS(ns, name, value) {
     this.modifications.push({
       attributeNamespace: ns,
       attributeName: name,
       newValue: value
     });
-  },
+  }
 
-  setAttribute: function (name, value) {
+  setAttribute(name, value) {
     this.setAttributeNS(undefined, name, value);
-  },
+  }
 
-  removeAttributeNS: function (ns, name) {
+  removeAttributeNS(ns, name) {
     this.setAttributeNS(ns, name, undefined);
-  },
+  }
 
-  removeAttribute: function (name) {
+  removeAttribute(name) {
     this.setAttributeNS(undefined, name, undefined);
   }
-});
+}
 
 /**
  * Client side of the node actor.
  *
  * Node fronts are strored in a tree that mirrors the DOM tree on the
  * server, but with a few key differences:
  *  - Not all children will be necessary loaded for each node.
  *  - The order of children isn't guaranteed to be the same as the DOM.
@@ -343,17 +342,17 @@ const NodeFront = FrontClassWithSpec(nod
   get formProperties() {
     return this._form.props;
   },
 
   /**
    * Return a new AttributeModificationList for this node.
    */
   startModifyingAttributes: function () {
-    return AttributeModificationList(this);
+    return new AttributeModificationList(this);
   },
 
   _cacheAttributes: function () {
     if (typeof this._attrMap != "undefined") {
       return;
     }
     this._attrMap = {};
     for (let attr of this.attributes) {
--- a/devtools/shared/fronts/styles.js
+++ b/devtools/shared/fronts/styles.js
@@ -11,17 +11,16 @@ const {
   preEvent
 } = require("devtools/shared/protocol");
 const {
   pageStyleSpec,
   styleRuleSpec
 } = require("devtools/shared/specs/styles");
 const promise = require("promise");
 const { Task } = require("devtools/shared/task");
-const { Class } = require("sdk/core/heritage");
 const { RuleRewriter } = require("devtools/shared/css/parsing-utils");
 
 /**
  * PageStyleFront, the front object for the PageStyleActor
  */
 const PageStyleFront = FrontClassWithSpec(pageStyleSpec, {
   initialize: function (conn, form, ctx, detail) {
     Front.prototype.initialize.call(this, conn, form, ctx, detail);
@@ -290,74 +289,74 @@ exports.StyleRuleFront = StyleRuleFront;
  * list of modifications that will be applied to a StyleRuleActor.
  * The modifications are processed in the order in which they are
  * added to the RuleModificationList.
  *
  * Objects of this type expose the same API as @see RuleRewriter.
  * This lets the inspector use (mostly) the same code, regardless of
  * whether the server implements setRuleText.
  */
-var RuleModificationList = Class({
+class RuleModificationList {
   /**
    * Initialize a RuleModificationList.
    * @param {StyleRuleFront} rule the associated rule
    */
-  initialize: function (rule) {
+  constructor(rule) {
     this.rule = rule;
     this.modifications = [];
-  },
+  }
 
   /**
    * Apply the modifications in this object to the associated rule.
    *
    * @return {Promise} A promise which will be resolved when the modifications
    *         are complete; @see StyleRuleActor.modifyProperties.
    */
-  apply: function () {
+  apply() {
     return this.rule.modifyProperties(this.modifications);
-  },
+  }
 
   /**
    * Add a "set" entry to the modification list.
    *
    * @param {Number} index index of the property in the rule.
    *                       This can be -1 in the case where
    *                       the rule does not support setRuleText;
    *                       generally for setting properties
    *                       on an element's style.
    * @param {String} name the property's name
    * @param {String} value the property's value
    * @param {String} priority the property's priority, either the empty
    *                          string or "important"
    */
-  setProperty: function (index, name, value, priority) {
+  setProperty(index, name, value, priority) {
     this.modifications.push({
       type: "set",
       name: name,
       value: value,
       priority: priority
     });
-  },
+  }
 
   /**
    * Add a "remove" entry to the modification list.
    *
    * @param {Number} index index of the property in the rule.
    *                       This can be -1 in the case where
    *                       the rule does not support setRuleText;
    *                       generally for setting properties
    *                       on an element's style.
    * @param {String} name the name of the property to remove
    */
-  removeProperty: function (index, name) {
+  removeProperty(index, name) {
     this.modifications.push({
       type: "remove",
       name: name
     });
-  },
+  }
 
   /**
    * Rename a property.  This implementation acts like
    * |removeProperty|, because |setRuleText| is not available.
    *
    * @param {Number} index index of the property in the rule.
    *                       This can be -1 in the case where
    *                       the rule does not support setRuleText;
@@ -365,39 +364,39 @@ var RuleModificationList = Class({
    *                       on an element's style.
    * @param {String} name current name of the property
    *
    * This parameter is also passed, but as it is not used in this
    * implementation, it is omitted.  It is documented here as this
    * code also defined the interface implemented by @see RuleRewriter.
    * @param {String} newName new name of the property
    */
-  renameProperty: function (index, name) {
+  renameProperty(index, name) {
     this.removeProperty(index, name);
-  },
+  }
 
   /**
    * Enable or disable a property.  This implementation acts like
    * |removeProperty| when disabling, or a no-op when enabling,
    * because |setRuleText| is not available.
    *
    * @param {Number} index index of the property in the rule.
    *                       This can be -1 in the case where
    *                       the rule does not support setRuleText;
    *                       generally for setting properties
    *                       on an element's style.
    * @param {String} name current name of the property
    * @param {Boolean} isEnabled true if the property should be enabled;
    *                        false if it should be disabled
    */
-  setPropertyEnabled: function (index, name, isEnabled) {
+  setPropertyEnabled(index, name, isEnabled) {
     if (!isEnabled) {
       this.removeProperty(index, name);
     }
-  },
+  }
 
   /**
    * Create a new property.  This implementation does nothing, because
    * |setRuleText| is not available.
    *
    * These parameters are passed, but as they are not used in this
    * implementation, they are omitted.  They are documented here as
    * this code also defined the interface implemented by @see
@@ -410,12 +409,12 @@ var RuleModificationList = Class({
    *                       on an element's style.
    * @param {String} name name of the new property
    * @param {String} value value of the new property
    * @param {String} priority priority of the new property; either
    *                          the empty string or "important"
    * @param {Boolean} enabled True if the new property should be
    *                          enabled, false if disabled
    */
-  createProperty: function () {
+  createProperty() {
     // Nothing.
-  },
-});
+  }
+}
--- a/dom/base/test/browser_use_counters.js
+++ b/dom/base/test/browser_use_counters.js
@@ -103,25 +103,35 @@ function waitForPageLoad(browser) {
       }
       addEventListener("load", listener, true);
     });
   });
 }
 
 function grabHistogramsFromContent(use_counter_middlefix, page_before = null) {
   let telemetry = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry);
-  let suffix = Services.appinfo.browserTabsRemoteAutostart ? "#content" : "";
-  let gather = () => [
-    telemetry.getHistogramById("USE_COUNTER2_" + use_counter_middlefix + "_PAGE" + suffix).snapshot().sum,
-    telemetry.getHistogramById("USE_COUNTER2_" + use_counter_middlefix + "_DOCUMENT" + suffix).snapshot().sum,
-    telemetry.getHistogramById("CONTENT_DOCUMENTS_DESTROYED" + suffix).snapshot().sum,
-    telemetry.getHistogramById("TOP_LEVEL_CONTENT_DOCUMENTS_DESTROYED" + suffix).snapshot().sum,
-  ];
+  let gather = () => {
+    let snapshots;
+    if (Services.appinfo.browserTabsRemoteAutostart) {
+      snapshots = telemetry.histogramSnapshots.content;
+    } else {
+      snapshots = telemetry.histogramSnapshots.parent;
+    }
+    let checkGet = (probe) => {
+      return snapshots[probe] ? snapshots[probe].sum : 0;
+    };
+    return [
+      checkGet("USE_COUNTER2_" + use_counter_middlefix + "_PAGE"),
+      checkGet("USE_COUNTER2_" + use_counter_middlefix + "_DOCUMENT"),
+      checkGet("CONTENT_DOCUMENTS_DESTROYED"),
+      checkGet("TOP_LEVEL_CONTENT_DOCUMENTS_DESTROYED"),
+    ];
+  };
   return BrowserTestUtils.waitForCondition(() => {
-    return page_before != telemetry.getHistogramById("USE_COUNTER2_" + use_counter_middlefix + "_PAGE" + suffix).snapshot().sum;
+    return page_before != gather()[0];
   }).then(gather, gather);
 }
 
 var check_use_counter_iframe = async function(file, use_counter_middlefix, check_documents=true) {
   info("checking " + file + " with histogram " + use_counter_middlefix);
 
   let newTab = BrowserTestUtils.addTab(gBrowser,  "about:blank");
   gBrowser.selectedTab = newTab;
--- a/dom/browser-element/mochitest/browserElement_ExposableURI.js
+++ b/dom/browser-element/mochitest/browserElement_ExposableURI.js
@@ -41,15 +41,17 @@ function testWyciwyg() {
   }
 
   // file_wyciwyg.html calls document.write() to create a wyciwyg channel.
   iframe.src = 'file_wyciwyg.html';
   iframe.addEventListener('mozbrowserlocationchange', locationchange);
 }
 
 function runTest() {
-  iframe = document.createElement('iframe');
-  iframe.setAttribute('mozbrowser', 'true');
-  document.body.appendChild(iframe);
-  testWyciwyg();
+  SpecialPowers.pushPrefEnv({set: [["network.http.rcwn.enabled", false]]}, _=>{
+    iframe = document.createElement('iframe');
+    iframe.setAttribute('mozbrowser', 'true');
+    document.body.appendChild(iframe);
+    testWyciwyg();
+  });
 }
 
 addEventListener('testready', runTest);
--- a/dom/canvas/CanvasRenderingContext2D.cpp
+++ b/dom/canvas/CanvasRenderingContext2D.cpp
@@ -5227,17 +5227,20 @@ CanvasRenderingContext2D::DrawImage(cons
     AutoLockImage lockImage(container);
     layers::Image* srcImage = lockImage.GetImage();
     if (!srcImage) {
       aError.Throw(NS_ERROR_NOT_AVAILABLE);
       return;
     }
 
     {
-      gl->MakeCurrent();
+      if (!gl->MakeCurrent()) {
+        aError.Throw(NS_ERROR_NOT_AVAILABLE);
+        return;
+      }
       GLuint videoTexture = 0;
       gl->fGenTextures(1, &videoTexture);
       // skiaGL expect upload on drawing, and uses texture 0 for texturing,
       // so we must active texture 0 and bind the texture for it.
       gl->fActiveTexture(LOCAL_GL_TEXTURE0);
       const gl::ScopedBindTexture scopeBindTexture(gl, videoTexture);
 
       gl->fTexImage2D(LOCAL_GL_TEXTURE_2D, 0, LOCAL_GL_RGB, srcImage->GetSize().width, srcImage->GetSize().height, 0, LOCAL_GL_RGB, LOCAL_GL_UNSIGNED_SHORT_5_6_5, nullptr);
--- a/dom/canvas/TexUnpackBlob.cpp
+++ b/dom/canvas/TexUnpackBlob.cpp
@@ -882,17 +882,20 @@ TexUnpackSurface::TexOrSubImage(bool isS
                          srcStride, dstFormat, dstStride, &dstBegin, &tempBuffer))
     {
         return false;
     }
 
     ////
 
     const auto& gl = webgl->gl;
-    MOZ_ALWAYS_TRUE( gl->MakeCurrent() );
+    if (!gl->MakeCurrent()) {
+        *out_error = LOCAL_GL_CONTEXT_LOST;
+        return true;
+    }
 
     gl->fPixelStorei(LOCAL_GL_UNPACK_ALIGNMENT, dstAlignment);
     if (webgl->IsWebGL2()) {
         gl->fPixelStorei(LOCAL_GL_UNPACK_ROW_LENGTH, rowLength);
     }
 
     *out_error = DoTexOrSubImage(isSubImage, gl, target.get(), level, dui, xOffset,
                                  yOffset, zOffset, mWidth, mHeight, mDepth, dstBegin);
--- a/dom/ipc/tests/browser_remote_navigation_delay_telemetry.js
+++ b/dom/ipc/tests/browser_remote_navigation_delay_telemetry.js
@@ -8,45 +8,42 @@ add_task(async function test_memory_dist
     return;
   }
 
   await SpecialPowers.pushPrefEnv({set: [["toolkit.telemetry.enabled", true]]});
   let canRecordExtended = Services.telemetry.canRecordExtended;
   Services.telemetry.canRecordExtended = true;
   registerCleanupFunction(() => Services.telemetry.canRecordExtended = canRecordExtended);
 
-  // Note the #content suffix after the id. This is the only way this API lets us fetch the
-  // histogram entries reported by a content process.
-  let histogram = Services.telemetry.getKeyedHistogramById("FX_TAB_REMOTE_NAVIGATION_DELAY_MS#content");
-  histogram.clear();
+  Services.telemetry.snapshotSubsessionKeyedHistograms(true /*clear*/);
 
   // Open a remote page in a new tab to trigger the WebNavigation:LoadURI.
   let tab1 = await BrowserTestUtils.openNewForegroundTab(gBrowser, "http://example.com");
   ok(tab1.linkedBrowser.isRemoteBrowser, "|tab1| should have a remote browser.");
 
   // Open a new tab with about:robots, so it ends up in the parent process with a non-remote browser.
   let tab2 = await BrowserTestUtils.openNewForegroundTab(gBrowser, "about:robots");
   ok(!tab2.linkedBrowser.isRemoteBrowser, "|tab2| should have a non-remote browser.");
   // Navigate the tab, so it will change remotness and it triggers the SessionStore:restoreTabContent case.
   await BrowserTestUtils.loadURI(tab2.linkedBrowser, "http://example.com");
   ok(tab2.linkedBrowser.isRemoteBrowser, "|tab2| should have a remote browser by now.");
 
   // There is no good way to make sure that the parent received the histogram entries from the child processes.
   // Let's stick to the ugly, spinning the event loop until we have a good approach (Bug 1357509).
   await BrowserTestUtils.waitForCondition(() => {
-    let s = histogram.snapshot();
-    return "WebNavigation:LoadURI" in s && "SessionStore:restoreTabContent" in s;
+    let s = Services.telemetry.snapshotSubsessionKeyedHistograms().content["FX_TAB_REMOTE_NAVIGATION_DELAY_MS"];
+    return s && "WebNavigation:LoadURI" in s && "SessionStore:restoreTabContent" in s;
   });
 
-  let s = histogram.snapshot();
+  let s = Services.telemetry.snapshotSubsessionKeyedHistograms().content["FX_TAB_REMOTE_NAVIGATION_DELAY_MS"];
   let restoreTabSnapshot = s["SessionStore:restoreTabContent"];
   ok(restoreTabSnapshot.sum > 0, "Zero delay for the restoreTabContent case is unlikely.");
   ok(restoreTabSnapshot.sum < 10000, "More than 10 seconds delay for the restoreTabContent case is unlikely.");
 
   let loadURISnapshot = s["WebNavigation:LoadURI"];
   ok(loadURISnapshot.sum > 0, "Zero delay for the LoadURI case is unlikely.");
   ok(loadURISnapshot.sum < 10000, "More than 10 seconds delay for the LoadURI case is unlikely.");
 
-  histogram.clear();
+  Services.telemetry.snapshotSubsessionKeyedHistograms(true /*clear*/);
 
   await BrowserTestUtils.removeTab(tab2);
   await BrowserTestUtils.removeTab(tab1);
 });
--- a/dom/webidl/HTMLIFrameElement.webidl
+++ b/dom/webidl/HTMLIFrameElement.webidl
@@ -19,16 +19,18 @@ interface HTMLIFrameElement : HTMLElemen
            attribute DOMString srcdoc;
   [CEReactions, SetterThrows, Pure]
            attribute DOMString name;
   [PutForwards=value] readonly attribute DOMTokenList sandbox;
            // attribute boolean seamless;
   [CEReactions, SetterThrows, Pure]
            attribute boolean allowFullscreen;
   [CEReactions, SetterThrows, Pure]
+           attribute boolean allowPaymentRequest;
+  [CEReactions, SetterThrows, Pure]
            attribute DOMString width;
   [CEReactions, SetterThrows, Pure]
            attribute DOMString height;
   [CEReactions, SetterThrows, Pure]
            attribute DOMString referrerPolicy;
   [NeedsSubjectPrincipal]
   readonly attribute Document? contentDocument;
   readonly attribute WindowProxy? contentWindow;
--- a/dom/xhr/XMLHttpRequestMainThread.cpp
+++ b/dom/xhr/XMLHttpRequestMainThread.cpp
@@ -3740,17 +3740,17 @@ XMLHttpRequestMainThread::HandleProgress
 
   mProgressTimerIsActive = false;
 
   if (!mProgressSinceLastProgressEvent || mErrorLoad != ErrorType::eOK) {
     return;
   }
 
   if (InUploadPhase()) {
-    if (mUpload && !mUploadComplete) {
+    if (mUpload && !mUploadComplete && mFlagHadUploadListenersOnSend) {
       DispatchProgressEvent(mUpload, ProgressEventType::progress,
                             mUploadTransferred, mUploadTotal);
     }
   } else {
     FireReadystatechangeEvent();
     DispatchProgressEvent(this, ProgressEventType::progress,
                           mLoadTransferred, mLoadTotal);
   }
--- a/gfx/gl/GLContext.cpp
+++ b/gfx/gl/GLContext.cpp
@@ -530,17 +530,19 @@ GLContext::InitWithPrefixImpl(const char
         END_SYMBOLS
     };
 
     if (!LoadGLSymbols(this, prefix, trygl, coreSymbols, "GL"))
         return false;
 
     ////////////////
 
-    MakeCurrent();
+    if (!MakeCurrent()) {
+        return false;
+    }
 
     const std::string versionStr = (const char*)fGetString(LOCAL_GL_VERSION);
     if (versionStr.find("OpenGL ES") == 0) {
         mProfile = ContextProfile::OpenGLES;
     }
 
     uint32_t majorVer, minorVer;
     if (!ParseVersion(versionStr, &majorVer, &minorVer)) {
@@ -2444,18 +2446,19 @@ GLContext::ReadTexImageHelper()
 }
 
 void
 GLContext::FlushIfHeavyGLCallsSinceLastFlush()
 {
     if (!mHeavyGLCallsSinceLastFlush) {
         return;
     }
-    MakeCurrent();
-    fFlush();
+    if (MakeCurrent()) {
+        fFlush();
+    }
 }
 
 /*static*/ bool
 GLContext::ShouldDumpExts()
 {
     return gfxEnv::GlDumpExtensions();
 }
 
@@ -2504,25 +2507,27 @@ SplitByChar(const nsACString& str, const
 
         start = end + 1;
     }
 
     nsDependentCSubstring substr(str, start);
     out->push_back(nsCString(substr));
 }
 
-void
+bool
 GLContext::Readback(SharedSurface* src, gfx::DataSourceSurface* dest)
 {
     MOZ_ASSERT(src && dest);
     MOZ_ASSERT(dest->GetSize() == src->mSize);
     MOZ_ASSERT(dest->GetFormat() == (src->mHasAlpha ? SurfaceFormat::B8G8R8A8
                                                     : SurfaceFormat::B8G8R8X8));
 
-    MakeCurrent();
+    if (!MakeCurrent()) {
+        return false;
+    }
 
     SharedSurface* prev = GetLockedSurface();
 
     const bool needsSwap = src != prev;
     if (needsSwap) {
         if (prev)
             prev->UnlockProd();
         src->LockProd();
@@ -2591,16 +2596,18 @@ GLContext::Readback(SharedSurface* src, 
         fDeleteTextures(1, &tempTex);
     }
 
     if (needsSwap) {
         src->UnlockProd();
         if (prev)
             prev->LockProd();
     }
+
+    return true;
 }
 
 // Do whatever tear-down is necessary after drawing to our offscreen FBO,
 // if it's bound.
 void
 GLContext::AfterGLDrawCall()
 {
     if (mScreen) {
@@ -2892,17 +2899,19 @@ GLContext::GetFB()
 }
 
 bool
 GLContext::InitOffscreen(const gfx::IntSize& size, const SurfaceCaps& caps)
 {
     if (!CreateScreenBuffer(size, caps))
         return false;
 
-    MakeCurrent();
+    if (!MakeCurrent()) {
+        return false;
+    }
     fBindFramebuffer(LOCAL_GL_FRAMEBUFFER, 0);
     fScissor(0, 0, size.width, size.height);
     fViewport(0, 0, size.width, size.height);
 
     mCaps = mScreen->mCaps;
     MOZ_ASSERT(!mCaps.any);
 
     return true;
--- a/gfx/gl/GLContext.h
+++ b/gfx/gl/GLContext.h
@@ -3670,17 +3670,17 @@ public:
 
 protected:
     bool mHeavyGLCallsSinceLastFlush;
 
 public:
     void FlushIfHeavyGLCallsSinceLastFlush();
     static bool ShouldSpew();
     static bool ShouldDumpExts();
-    void Readback(SharedSurface* src, gfx::DataSourceSurface* dest);
+    bool Readback(SharedSurface* src, gfx::DataSourceSurface* dest);
 
     ////
 
     void TexParams_SetClampNoMips(GLenum target = LOCAL_GL_TEXTURE_2D) {
         fTexParameteri(target, LOCAL_GL_TEXTURE_WRAP_S, LOCAL_GL_CLAMP_TO_EDGE);
         fTexParameteri(target, LOCAL_GL_TEXTURE_WRAP_T, LOCAL_GL_CLAMP_TO_EDGE);
         fTexParameteri(target, LOCAL_GL_TEXTURE_MAG_FILTER, LOCAL_GL_NEAREST);
         fTexParameteri(target, LOCAL_GL_TEXTURE_MIN_FILTER, LOCAL_GL_NEAREST);
--- a/gfx/layers/ShareableCanvasLayer.cpp
+++ b/gfx/layers/ShareableCanvasLayer.cpp
@@ -138,17 +138,20 @@ ShareableCanvasLayer::UpdateTarget(DrawT
   uint8_t* destData;
   IntSize destSize;
   int32_t destStride;
   SurfaceFormat destFormat;
   if (aDestTarget->LockBits(&destData, &destSize, &destStride, &destFormat)) {
     if (destSize == readSize && destFormat == format) {
       RefPtr<DataSourceSurface> data =
         Factory::CreateWrappingDataSourceSurface(destData, destStride, destSize, destFormat);
-      mGLContext->Readback(frontbuffer, data);
+      if (!mGLContext->Readback(frontbuffer, data)) {
+        aDestTarget->ReleaseBits(destData);
+        return false;
+      }
       if (needsPremult) {
         gfxUtils::PremultiplyDataSurface(data, data);
       }
       aDestTarget->ReleaseBits(destData);
       return true;
     }
     aDestTarget->ReleaseBits(destData);
   }
@@ -156,17 +159,19 @@ ShareableCanvasLayer::UpdateTarget(DrawT
   RefPtr<DataSourceSurface> resultSurf = GetTempSurface(readSize, format);
   // There will already be a warning from inside of GetTempSurface, but
   // it doesn't hurt to complain:
   if (NS_WARN_IF(!resultSurf)) {
     return false;
   }
 
   // Readback handles Flush/MarkDirty.
-  mGLContext->Readback(frontbuffer, resultSurf);
+  if (!mGLContext->Readback(frontbuffer, resultSurf)) {
+    return false;
+  }
   if (needsPremult) {
     gfxUtils::PremultiplyDataSurface(resultSurf, resultSurf);
   }
 
   aDestTarget->CopySurface(resultSurf,
                            IntRect(0, 0, readSize.width, readSize.height),
                            IntPoint(0, 0));
 
--- a/gfx/layers/basic/BasicCanvasLayer.cpp
+++ b/gfx/layers/basic/BasicCanvasLayer.cpp
@@ -63,17 +63,20 @@ BasicCanvasLayer::UpdateSurface()
   RefPtr<DataSourceSurface> resultSurf = GetTempSurface(readSize, format);
   // There will already be a warning from inside of GetTempSurface, but
   // it doesn't hurt to complain:
   if (NS_WARN_IF(!resultSurf)) {
     return nullptr;
   }
 
   // Readback handles Flush/MarkDirty.
-  mGLContext->Readback(frontbuffer, resultSurf);
+  if (!mGLContext->Readback(frontbuffer, resultSurf)) {
+    NS_WARNING("Failed to read back canvas surface.");
+    return nullptr;
+  }
   if (needsPremult) {
     gfxUtils::PremultiplyDataSurface(resultSurf, resultSurf);
   }
   MOZ_ASSERT(resultSurf);
 
   return resultSurf.forget();
 }
 
--- a/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
+++ b/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
@@ -359,20 +359,26 @@ CrossProcessCompositorBridgeParent::Shad
 void
 CrossProcessCompositorBridgeParent::DidComposite(
   uint64_t aId,
   TimeStamp& aCompositeStart,
   TimeStamp& aCompositeEnd)
 {
   sIndirectLayerTreesLock->AssertCurrentThreadOwns();
   if (LayerTransactionParent *layerTree = sIndirectLayerTrees[aId].mLayerTree) {
-    Unused << SendDidComposite(aId, layerTree->GetPendingTransactionId(), aCompositeStart, aCompositeEnd);
-    layerTree->SetPendingTransactionId(0);
+    uint64_t transactionId = layerTree->GetPendingTransactionId();
+    if (transactionId) {
+      Unused << SendDidComposite(aId, transactionId, aCompositeStart, aCompositeEnd);
+      layerTree->SetPendingTransactionId(0);
+    }
   } else if (WebRenderBridgeParent* wrbridge = sIndirectLayerTrees[aId].mWrBridge) {
-    Unused << SendDidComposite(aId, wrbridge->FlushPendingTransactionIds(), aCompositeStart, aCompositeEnd);
+    uint64_t transactionId = wrbridge->FlushPendingTransactionIds();
+    if (transactionId) {
+      Unused << SendDidComposite(aId, transactionId, aCompositeStart, aCompositeEnd);
+    }
   }
 }
 
 void
 CrossProcessCompositorBridgeParent::ForceComposite(LayerTransactionParent* aLayerTree)
 {
   uint64_t id = aLayerTree->GetId();
   MOZ_ASSERT(id != 0);
--- a/gfx/layers/wr/WebRenderBridgeParent.cpp
+++ b/gfx/layers/wr/WebRenderBridgeParent.cpp
@@ -415,20 +415,20 @@ WebRenderBridgeParent::HandleDPEnd(const
       DestroyActor(op);
     }
     return;
   }
   // This ensures that destroy operations are always processed. It is not safe
   // to early-return from RecvDPEnd without doing so.
   AutoWebRenderBridgeParentAsyncMessageSender autoAsyncMessageSender(this, &aToDestroy);
 
-  ++mWrEpoch; // Update webrender epoch
-  ProcessWebRenderCommands(aSize, aCommands, wr::NewEpoch(mWrEpoch),
+  uint32_t wrEpoch = GetNextWrEpoch();
+  ProcessWebRenderCommands(aSize, aCommands, wr::NewEpoch(wrEpoch),
                            aContentSize, dl, dlDesc, aIdNameSpace);
-  HoldPendingTransactionId(mWrEpoch, aTransactionId);
+  HoldPendingTransactionId(wrEpoch, aTransactionId);
 
   mScrollData = aScrollData;
   UpdateAPZ();
 
   if (mIdNameSpace != aIdNameSpace) {
     // Pretend we composited since someone is wating for this event,
     // though DisplayList was not pushed to webrender.
     TimeStamp now = TimeStamp::Now();
@@ -841,18 +841,17 @@ mozilla::ipc::IPCResult
 WebRenderBridgeParent::RecvClearCachedResources()
 {
   if (mDestroyed) {
     return IPC_OK();
   }
   mCompositorBridge->ObserveLayerUpdate(GetLayersId(), GetChildLayerObserverEpoch(), false);
 
   // Clear resources
-  ++mWrEpoch; // Update webrender epoch
-  mApi->ClearRootDisplayList(wr::NewEpoch(mWrEpoch), mPipelineId);
+  mApi->ClearRootDisplayList(wr::NewEpoch(GetNextWrEpoch()), mPipelineId);
   // Schedule composition to clean up Pipeline
   mCompositorScheduler->ScheduleComposition();
   DeleteOldImages();
   // Remove animations.
   for (std::unordered_set<uint64_t>::iterator iter = mActiveAnimations.begin(); iter != mActiveAnimations.end(); iter++) {
     mAnimStorage->ClearById(*iter);
   }
   mActiveAnimations.clear();
@@ -891,17 +890,17 @@ WebRenderBridgeParent::UpdateWebRender(C
   // XXX Stop to clear resources if webreder supports resources sharing between different webrender instances.
   ClearResources();
   mCompositorBridge = cBridge;
   mCompositorScheduler = aScheduler;
   mApi = aApi;
   mCompositableHolder = aHolder;
   mAnimStorage = aAnimStorage;
 
-  ++mWrEpoch; // Update webrender epoch
+  Unused << GetNextWrEpoch(); // Update webrender epoch
   // Register pipeline to updated CompositableHolder.
   mCompositableHolder->AddPipeline(mPipelineId);
 }
 
 mozilla::ipc::IPCResult
 WebRenderBridgeParent::RecvForceComposite()
 {
   if (mDestroyed) {
@@ -1175,22 +1174,26 @@ WebRenderBridgeParent::FlushPendingTrans
   return id;
 }
 
 uint64_t
 WebRenderBridgeParent::FlushTransactionIdsForEpoch(const wr::Epoch& aEpoch)
 {
   uint64_t id = 0;
   while (!mPendingTransactionIds.empty()) {
-    id = mPendingTransactionIds.front().mId;
-    if (mPendingTransactionIds.front().mEpoch == aEpoch) {
-      mPendingTransactionIds.pop();
+    int64_t diff =
+      static_cast<int64_t>(aEpoch.mHandle) - static_cast<int64_t>(mPendingTransactionIds.front().mEpoch.mHandle);
+    if (diff < 0) {
       break;
     }
+    id = mPendingTransactionIds.front().mId;
     mPendingTransactionIds.pop();
+    if (diff == 0) {
+      break;
+    }
   }
   return id;
 }
 
 uint64_t
 WebRenderBridgeParent::GetLayersId() const
 {
   return wr::AsUint64(mPipelineId);
@@ -1265,18 +1268,18 @@ WebRenderBridgeParent::Resume()
 
 void
 WebRenderBridgeParent::ClearResources()
 {
   if (!mApi) {
     return;
   }
 
-  ++mWrEpoch; // Update webrender epoch
-  mApi->ClearRootDisplayList(wr::NewEpoch(mWrEpoch), mPipelineId);
+  uint32_t wrEpoch = GetNextWrEpoch();
+  mApi->ClearRootDisplayList(wr::NewEpoch(wrEpoch), mPipelineId);
   // Schedule composition to clean up Pipeline
   mCompositorScheduler->ScheduleComposition();
   // XXX webrender does not hava a way to delete a group of resources/keys,
   // then delete keys one by one.
   for (std::unordered_set<uint64_t>::iterator iter = mFontKeys.begin(); iter != mFontKeys.end(); iter++) {
     mApi->DeleteFont(wr::AsFontKey(*iter));
   }
   mFontKeys.clear();
@@ -1293,17 +1296,17 @@ WebRenderBridgeParent::ClearResources()
     wr::PipelineId pipelineId = wr::AsPipelineId(iter.Key());
     RefPtr<WebRenderImageHost> host = iter.Data();
     MOZ_ASSERT(host->GetAsyncRef());
     host->ClearWrBridge();
     mCompositableHolder->RemoveAsyncImagePipeline(mApi, pipelineId);
   }
   mAsyncCompositables.Clear();
 
-  mCompositableHolder->RemovePipeline(mPipelineId, wr::NewEpoch(mWrEpoch));
+  mCompositableHolder->RemovePipeline(mPipelineId, wr::NewEpoch(wrEpoch));
 
   for (std::unordered_set<uint64_t>::iterator iter = mActiveAnimations.begin(); iter != mActiveAnimations.end(); iter++) {
     mAnimStorage->ClearById(*iter);
   }
   mActiveAnimations.clear();
 
   if (mWidget) {
     mCompositorScheduler->Destroy();
@@ -1413,10 +1416,17 @@ WebRenderBridgeParent::GetTextureFactory
   MOZ_ASSERT(mApi);
 
   return TextureFactoryIdentifier(LayersBackend::LAYERS_WR,
                                   XRE_GetProcessType(),
                                   mApi->GetMaxTextureSize(),
                                   mApi->GetUseANGLE());
 }
 
+uint32_t
+WebRenderBridgeParent::GetNextWrEpoch()
+{
+  MOZ_RELEASE_ASSERT(mWrEpoch != UINT32_MAX);
+  return ++mWrEpoch;
+}
+
 } // namespace layers
 } // namespace mozilla
--- a/gfx/layers/wr/WebRenderBridgeParent.h
+++ b/gfx/layers/wr/WebRenderBridgeParent.h
@@ -247,16 +247,18 @@ private:
   // If scrollbars need their transforms updated, the provided aTransformArray
   // is populated with the property update details.
   bool PushAPZStateToWR(nsTArray<wr::WrTransformProperty>& aTransformArray);
 
   // Helper method to get an APZC reference from a scroll id. Uses the layers
   // id of this bridge, and may return null if the APZC wasn't found.
   already_AddRefed<AsyncPanZoomController> GetTargetAPZC(const FrameMetrics::ViewID& aId);
 
+  uint32_t GetNextWrEpoch();
+
 private:
   struct PendingTransactionId {
     PendingTransactionId(wr::Epoch aEpoch, uint64_t aId)
       : mEpoch(aEpoch)
       , mId(aId)
     {}
     wr::Epoch mEpoch;
     uint64_t mId;
--- a/ipc/chromium/src/base/histogram.cc
+++ b/ipc/chromium/src/base/histogram.cc
@@ -76,52 +76,42 @@ 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, 0
 0x2d02ef8dL,
 };
 
 typedef Histogram::Count Count;
 
 // static
 const size_t Histogram::kBucketCount_MAX = 16384u;
 
-Histogram* Histogram::FactoryGet(const std::string& name,
-                                 Sample minimum,
+Histogram* Histogram::FactoryGet(Sample minimum,
                                  Sample maximum,
                                  size_t bucket_count,
                                  Flags flags) {
   Histogram* histogram(NULL);
 
   // Defensive code.
   if (minimum < 1)
     minimum = 1;
   if (maximum > kSampleType_MAX - 1)
     maximum = kSampleType_MAX - 1;
 
-  if (!StatisticsRecorder::FindHistogram(name, &histogram)) {
-    // Extra variable is not needed... but this keeps this section basically
-    // identical to other derived classes in this file (and compiler will
-    // optimize away the extra variable.
-    Histogram* tentative_histogram =
-        new Histogram(name, minimum, maximum, bucket_count);
-    tentative_histogram->InitializeBucketRange();
-    tentative_histogram->SetFlags(flags);
-    histogram =
-        StatisticsRecorder::RegisterOrDeleteDuplicate(tentative_histogram);
-  }
+  histogram = new Histogram(minimum, maximum, bucket_count);
+  histogram->InitializeBucketRange();
+  histogram->SetFlags(flags);
 
   DCHECK_EQ(HISTOGRAM, histogram->histogram_type());
   DCHECK(histogram->HasConstructorArguments(minimum, maximum, bucket_count));
   return histogram;
 }
 
-Histogram* Histogram::FactoryTimeGet(const std::string& name,
-                                     TimeDelta minimum,
+Histogram* Histogram::FactoryTimeGet(TimeDelta minimum,
                                      TimeDelta maximum,
                                      size_t bucket_count,
                                      Flags flags) {
-  return FactoryGet(name, minimum.InMilliseconds(), maximum.InMilliseconds(),
+  return FactoryGet(minimum.InMilliseconds(), maximum.InMilliseconds(),
                     bucket_count, flags);
 }
 
 void Histogram::Add(int value) {
   if (value > kSampleType_MAX - 1)
     value = kSampleType_MAX - 1;
   if (value < 0)
     value = 0;
@@ -155,90 +145,16 @@ void Histogram::Clear() {
   ss.Resize(*this);
   sample_ = ss;
 }
 
 void Histogram::SetRangeDescriptions(const DescriptionPair descriptions[]) {
   DCHECK(false);
 }
 
-// The following methods provide a graphical histogram display.
-void Histogram::WriteHTMLGraph(std::string* output) const {
-  // TBD(jar) Write a nice HTML bar chart, with divs an mouse-overs etc.
-  output->append("<PRE>");
-  WriteAscii(true, "<br>", output);
-  output->append("</PRE>");
-}
-
-void Histogram::WriteAscii(bool graph_it, const std::string& newline,
-                           std::string* output) const {
-  // Get local (stack) copies of all effectively volatile class data so that we
-  // are consistent across our output activities.
-  SampleSet snapshot;
-  SnapshotSample(&snapshot);
-
-  Count sample_count = snapshot.TotalCount();
-
-  WriteAsciiHeader(snapshot, sample_count, output);
-  output->append(newline);
-
-  // Prepare to normalize graphical rendering of bucket contents.
-  double max_size = 0;
-  if (graph_it)
-    max_size = GetPeakBucketSize(snapshot);
-
-  // Calculate space needed to print bucket range numbers.  Leave room to print
-  // nearly the largest bucket range without sliding over the histogram.
-  size_t largest_non_empty_bucket = bucket_count() - 1;
-  while (0 == snapshot.counts(largest_non_empty_bucket)) {
-    if (0 == largest_non_empty_bucket)
-      break;  // All buckets are empty.
-    --largest_non_empty_bucket;
-  }
-
-  // Calculate largest print width needed for any of our bucket range displays.
-  size_t print_width = 1;
-  for (size_t i = 0; i < bucket_count(); ++i) {
-    if (snapshot.counts(i)) {
-      size_t width = GetAsciiBucketRange(i).size() + 1;
-      if (width > print_width)
-        print_width = width;
-    }
-  }
-
-  int64_t remaining = sample_count;
-  int64_t past = 0;
-  // Output the actual histogram graph.
-  for (size_t i = 0; i < bucket_count(); ++i) {
-    Count current = snapshot.counts(i);
-    if (!current && !PrintEmptyBucket(i))
-      continue;
-    remaining -= current;
-    std::string range = GetAsciiBucketRange(i);
-    output->append(range);
-    for (size_t j = 0; range.size() + j < print_width + 1; ++j)
-      output->push_back(' ');
-    if (0 == current &&
-        i < bucket_count() - 1 && 0 == snapshot.counts(i + 1)) {
-      while (i < bucket_count() - 1 && 0 == snapshot.counts(i + 1))
-        ++i;
-      output->append("... ");
-      output->append(newline);
-      continue;  // No reason to plot emptiness.
-    }
-    double current_size = GetBucketSize(current, i);
-    if (graph_it)
-      WriteAsciiBucketGraph(current_size, max_size, output);
-    WriteAsciiBucketContext(past, current, remaining, i, output);
-    output->append(newline);
-    past += current;
-  }
-  DCHECK_EQ(sample_count, past);
-}
-
 //------------------------------------------------------------------------------
 // Methods for the validating a sample and a related histogram.
 //------------------------------------------------------------------------------
 
 Histogram::Inconsistencies
 Histogram::FindCorruption(const SampleSet& snapshot) const
 {
   int inconsistencies = NO_INCONSISTENCIES;
@@ -265,22 +181,20 @@ Histogram::FindCorruption(const SampleSe
     // we'll catch a redundant count that doesn't match the sample count.  We
     // allow for a certain amount of slop before flagging this as an
     // inconsistency.  Even with an inconsistency, we'll snapshot it again (for
     // UMA in about a half hour, so we'll eventually get the data, if it was
     // not the result of a corruption.  If histograms show that 1 is "too tight"
     // then we may try to use 2 or 3 for this slop value.
     const int kCommonRaceBasedCountMismatch = 1;
     if (delta > 0) {
-      UMA_HISTOGRAM_COUNTS("Histogram.InconsistentCountHigh", delta);
       if (delta > kCommonRaceBasedCountMismatch)
         inconsistencies |= COUNT_HIGH_ERROR;
     } else {
       DCHECK_GT(0, delta);
-      UMA_HISTOGRAM_COUNTS("Histogram.InconsistentCountLow", -delta);
       if (-delta > kCommonRaceBasedCountMismatch)
         inconsistencies |= COUNT_LOW_ERROR;
     }
   }
   return static_cast<Inconsistencies>(inconsistencies);
 }
 
 Histogram::ClassType Histogram::histogram_type() const {
@@ -332,51 +246,39 @@ size_t Histogram::SizeOfIncludingThis(mo
 size_t
 Histogram::SampleSet::SizeOfExcludingThis(mozilla::MallocSizeOf aMallocSizeOf)
 {
   // We're not allowed to do deep dives into STL data structures.  This
   // is as close as we can get to measuring this array.
   return aMallocSizeOf(&counts_[0]);
 }
 
-Histogram::Histogram(const std::string& name, Sample minimum,
-                     Sample maximum, size_t bucket_count)
+Histogram::Histogram(Sample minimum, Sample maximum, size_t bucket_count)
   : sample_(),
-    histogram_name_(name),
     declared_min_(minimum),
     declared_max_(maximum),
     bucket_count_(bucket_count),
     flags_(kNoFlags),
     ranges_(bucket_count + 1, 0),
-    range_checksum_(0),
-    recording_enabled_(true) {
+    range_checksum_(0) {
   Initialize();
 }
 
-Histogram::Histogram(const std::string& name, TimeDelta minimum,
-                     TimeDelta maximum, size_t bucket_count)
+Histogram::Histogram(TimeDelta minimum, TimeDelta maximum, size_t bucket_count)
   : sample_(),
-    histogram_name_(name),
     declared_min_(static_cast<int> (minimum.InMilliseconds())),
     declared_max_(static_cast<int> (maximum.InMilliseconds())),
     bucket_count_(bucket_count),
     flags_(kNoFlags),
     ranges_(bucket_count + 1, 0),
-    range_checksum_(0),
-    recording_enabled_(true) {
+    range_checksum_(0) {
   Initialize();
 }
 
 Histogram::~Histogram() {
-  if (StatisticsRecorder::dump_on_exit()) {
-    std::string output;
-    WriteAscii(true, "\n", &output);
-    CHROMIUM_LOG(INFO) << output;
-  }
-
   // Just to make sure most derived class did this properly...
   DCHECK(ValidateBucketRanges());
 }
 
 // Calculate what range of values are held in each bucket.
 // We have to be careful that we don't pick a ratio between starting points in
 // consecutive buckets that is sooo small, that the integer bounds are the same
 // (effectively making one bucket get no values).  We need to avoid:
@@ -555,67 +457,16 @@ double Histogram::GetPeakBucketSize(cons
     double current_size
         = GetBucketSize(snapshot.counts(i), i);
     if (current_size > max)
       max = current_size;
   }
   return max;
 }
 
-void Histogram::WriteAsciiHeader(const SampleSet& snapshot,
-                                 Count sample_count,
-                                 std::string* output) const {
-  StringAppendF(output,
-                "Histogram: %s recorded %d samples",
-                histogram_name().c_str(),
-                sample_count);
-  int64_t snapshot_sum = snapshot.sum();
-  if (0 == sample_count) {
-    DCHECK_EQ(snapshot_sum, 0);
-  } else {
-    double average = static_cast<float>(snapshot_sum) / sample_count;
-
-    StringAppendF(output, ", average = %.1f", average);
-  }
-  if (flags_ & ~kHexRangePrintingFlag)
-    StringAppendF(output, " (flags = 0x%x)", flags_ & ~kHexRangePrintingFlag);
-}
-
-void Histogram::WriteAsciiBucketContext(const int64_t past,
-                                        const Count current,
-                                        const int64_t remaining,
-                                        const size_t i,
-                                        std::string* output) const {
-  double scaled_sum = (past + current + remaining) / 100.0;
-  WriteAsciiBucketValue(current, scaled_sum, output);
-  if (0 < i) {
-    double percentage = past / scaled_sum;
-    StringAppendF(output, " {%3.1f%%}", percentage);
-  }
-}
-
-void Histogram::WriteAsciiBucketValue(Count current, double scaled_sum,
-                                      std::string* output) const {
-  StringAppendF(output, " (%d = %3.1f%%)", current, current/scaled_sum);
-}
-
-void Histogram::WriteAsciiBucketGraph(double current_size, double max_size,
-                                      std::string* output) const {
-  const int k_line_length = 72;  // Maximal horizontal width of graph.
-  int x_count = static_cast<int>(k_line_length * (current_size / max_size)
-                                 + 0.5);
-  int x_remainder = k_line_length - x_count;
-
-  while (0 < x_count--)
-    output->append("-");
-  output->append("O");
-  while (0 < x_remainder--)
-    output->append(" ");
-}
-
 //------------------------------------------------------------------------------
 // Methods for the Histogram::SampleSet class
 //------------------------------------------------------------------------------
 
 Histogram::SampleSet::SampleSet()
     : counts_(),
       sum_(0),
       redundant_count_(0) {
@@ -660,48 +511,43 @@ void Histogram::SampleSet::Add(const Sam
 //------------------------------------------------------------------------------
 // LinearHistogram: This histogram uses a traditional set of evenly spaced
 // buckets.
 //------------------------------------------------------------------------------
 
 LinearHistogram::~LinearHistogram() {
 }
 
-Histogram* LinearHistogram::FactoryGet(const std::string& name,
-                                       Sample minimum,
+Histogram* LinearHistogram::FactoryGet(Sample minimum,
                                        Sample maximum,
                                        size_t bucket_count,
                                        Flags flags) {
   Histogram* histogram(NULL);
 
   if (minimum < 1)
     minimum = 1;
   if (maximum > kSampleType_MAX - 1)
     maximum = kSampleType_MAX - 1;
 
-  if (!StatisticsRecorder::FindHistogram(name, &histogram)) {
-    LinearHistogram* tentative_histogram =
-        new LinearHistogram(name, minimum, maximum, bucket_count);
-    tentative_histogram->InitializeBucketRange();
-    tentative_histogram->SetFlags(flags);
-    histogram =
-        StatisticsRecorder::RegisterOrDeleteDuplicate(tentative_histogram);
-  }
+  LinearHistogram* linear_histogram =
+        new LinearHistogram(minimum, maximum, bucket_count);
+  linear_histogram->InitializeBucketRange();
+  linear_histogram->SetFlags(flags);
+  histogram = linear_histogram;
 
   DCHECK_EQ(LINEAR_HISTOGRAM, histogram->histogram_type());
   DCHECK(histogram->HasConstructorArguments(minimum, maximum, bucket_count));
   return histogram;
 }
 
-Histogram* LinearHistogram::FactoryTimeGet(const std::string& name,
-                                           TimeDelta minimum,
+Histogram* LinearHistogram::FactoryTimeGet(TimeDelta minimum,
                                            TimeDelta maximum,
                                            size_t bucket_count,
                                            Flags flags) {
-  return FactoryGet(name, minimum.InMilliseconds(), maximum.InMilliseconds(),
+  return FactoryGet(minimum.InMilliseconds(), maximum.InMilliseconds(),
                     bucket_count, flags);
 }
 
 Histogram::ClassType LinearHistogram::histogram_type() const {
   return LINEAR_HISTOGRAM;
 }
 
 void LinearHistogram::Accumulate(Sample value, Count count, size_t index) {
@@ -710,28 +556,26 @@ void LinearHistogram::Accumulate(Sample 
 
 void LinearHistogram::SetRangeDescriptions(
     const DescriptionPair descriptions[]) {
   for (int i =0; descriptions[i].description; ++i) {
     bucket_description_[descriptions[i].sample] = descriptions[i].description;
   }
 }
 
-LinearHistogram::LinearHistogram(const std::string& name,
-                                 Sample minimum,
+LinearHistogram::LinearHistogram(Sample minimum,
                                  Sample maximum,
                                  size_t bucket_count)
-    : Histogram(name, minimum >= 1 ? minimum : 1, maximum, bucket_count) {
+    : Histogram(minimum >= 1 ? minimum : 1, maximum, bucket_count) {
 }
 
-LinearHistogram::LinearHistogram(const std::string& name,
-                                 TimeDelta minimum,
+LinearHistogram::LinearHistogram(TimeDelta minimum,
                                  TimeDelta maximum,
                                  size_t bucket_count)
-    : Histogram(name, minimum >= TimeDelta::FromMilliseconds(1) ?
+    : Histogram(minimum >= TimeDelta::FromMilliseconds(1) ?
                                  minimum : TimeDelta::FromMilliseconds(1),
                 maximum, bucket_count) {
 }
 
 void LinearHistogram::InitializeBucketRange() {
   DCHECK_GT(declared_min(), 0);  // 0 is the underflow bucket here.
   double min = declared_min();
   double max = declared_max();
@@ -764,74 +608,69 @@ bool LinearHistogram::PrintEmptyBucket(s
   return bucket_description_.find(ranges(index)) == bucket_description_.end();
 }
 
 
 //------------------------------------------------------------------------------
 // This section provides implementation for BooleanHistogram.
 //------------------------------------------------------------------------------
 
-Histogram* BooleanHistogram::FactoryGet(const std::string& name, Flags flags) {
+Histogram* BooleanHistogram::FactoryGet(Flags flags) {
   Histogram* histogram(NULL);
 
-  if (!StatisticsRecorder::FindHistogram(name, &histogram)) {
-    BooleanHistogram* tentative_histogram = new BooleanHistogram(name);
-    tentative_histogram->InitializeBucketRange();
-    tentative_histogram->SetFlags(flags);
-    histogram =
-        StatisticsRecorder::RegisterOrDeleteDuplicate(tentative_histogram);
-  }
+  BooleanHistogram* tentative_histogram = new BooleanHistogram();
+  tentative_histogram->InitializeBucketRange();
+  tentative_histogram->SetFlags(flags);
+  histogram = tentative_histogram;
 
   DCHECK_EQ(BOOLEAN_HISTOGRAM, histogram->histogram_type());
   return histogram;
 }
 
 Histogram::ClassType BooleanHistogram::histogram_type() const {
   return BOOLEAN_HISTOGRAM;
 }
 
 void BooleanHistogram::AddBoolean(bool value) {
   Add(value ? 1 : 0);
 }
 
-BooleanHistogram::BooleanHistogram(const std::string& name)
-    : LinearHistogram(name, 1, 2, 3) {
+BooleanHistogram::BooleanHistogram()
+    : LinearHistogram(1, 2, 3) {
 }
 
 void
 BooleanHistogram::Accumulate(Sample value, Count count, size_t index)
 {
   // Callers will have computed index based on the non-booleanified value.
   // So we need to adjust the index manually.
   LinearHistogram::Accumulate(!!value, count, value ? 1 : 0);
 }
 
 //------------------------------------------------------------------------------
 // FlagHistogram:
 //------------------------------------------------------------------------------
 
 Histogram *
-FlagHistogram::FactoryGet(const std::string &name, Flags flags)
+FlagHistogram::FactoryGet(Flags flags)
 {
   Histogram *h(nullptr);
 
-  if (!StatisticsRecorder::FindHistogram(name, &h)) {
-    FlagHistogram *fh = new FlagHistogram(name);
-    fh->InitializeBucketRange();
-    fh->SetFlags(flags);
-    size_t zero_index = fh->BucketIndex(0);
-    fh->LinearHistogram::Accumulate(0, 1, zero_index);
-    h = StatisticsRecorder::RegisterOrDeleteDuplicate(fh);
-  }
+  FlagHistogram *fh = new FlagHistogram();
+  fh->InitializeBucketRange();
+  fh->SetFlags(flags);
+  size_t zero_index = fh->BucketIndex(0);
+  fh->LinearHistogram::Accumulate(0, 1, zero_index);
+  h = fh;
 
   return h;
 }
 
-FlagHistogram::FlagHistogram(const std::string &name)
-  : BooleanHistogram(name), mSwitched(false) {
+FlagHistogram::FlagHistogram()
+  : BooleanHistogram(), mSwitched(false) {
 }
 
 Histogram::ClassType
 FlagHistogram::histogram_type() const
 {
   return FLAG_HISTOGRAM;
 }
 
@@ -884,32 +723,30 @@ FlagHistogram::Clear() {
   LinearHistogram::Accumulate(0, 1, zero_index);
 }
 
 //------------------------------------------------------------------------------
 // CountHistogram:
 //------------------------------------------------------------------------------
 
 Histogram *
-CountHistogram::FactoryGet(const std::string &name, Flags flags)
+CountHistogram::FactoryGet(Flags flags)
 {
   Histogram *h(nullptr);
 
-  if (!StatisticsRecorder::FindHistogram(name, &h)) {
-    CountHistogram *fh = new CountHistogram(name);
-    fh->InitializeBucketRange();
-    fh->SetFlags(flags);
-    h = StatisticsRecorder::RegisterOrDeleteDuplicate(fh);
-  }
+  CountHistogram *fh = new CountHistogram();
+  fh->InitializeBucketRange();
+  fh->SetFlags(flags);
+  h = fh;
 
   return h;
 }
 
-CountHistogram::CountHistogram(const std::string &name)
-  : LinearHistogram(name, 1, 2, 3) {
+CountHistogram::CountHistogram()
+  : LinearHistogram(1, 2, 3) {
 }
 
 Histogram::ClassType
 CountHistogram::histogram_type() const
 {
   return COUNT_HISTOGRAM;
 }
 
@@ -937,55 +774,50 @@ CountHistogram::AddSampleSet(const Sampl
   }
 }
 
 
 //------------------------------------------------------------------------------
 // CustomHistogram:
 //------------------------------------------------------------------------------
 
-Histogram* CustomHistogram::FactoryGet(const std::string& name,
-                                       const std::vector<Sample>& custom_ranges,
+Histogram* CustomHistogram::FactoryGet(const std::vector<Sample>& custom_ranges,
                                        Flags flags) {
   Histogram* histogram(NULL);
 
   // Remove the duplicates in the custom ranges array.
   std::vector<int> ranges = custom_ranges;
   ranges.push_back(0);  // Ensure we have a zero value.
   std::sort(ranges.begin(), ranges.end());
   ranges.erase(std::unique(ranges.begin(), ranges.end()), ranges.end());
   if (ranges.size() <= 1) {
     DCHECK(false);
     // Note that we pushed a 0 in above, so for defensive code....
     ranges.push_back(1);  // Put in some data so we can index to [1].
   }
 
   DCHECK_LT(ranges.back(), kSampleType_MAX);
 
-  if (!StatisticsRecorder::FindHistogram(name, &histogram)) {
-    CustomHistogram* tentative_histogram = new CustomHistogram(name, ranges);
-    tentative_histogram->InitializedCustomBucketRange(ranges);
-    tentative_histogram->SetFlags(flags);
-    histogram =
-        StatisticsRecorder::RegisterOrDeleteDuplicate(tentative_histogram);
-  }
+  CustomHistogram* custom_histogram = new CustomHistogram(ranges);
+  custom_histogram->InitializedCustomBucketRange(ranges);
+  custom_histogram->SetFlags(flags);
+  histogram = custom_histogram;
 
   DCHECK_EQ(histogram->histogram_type(), CUSTOM_HISTOGRAM);
   DCHECK(histogram->HasConstructorArguments(ranges[1], ranges.back(),
                                             ranges.size()));
   return histogram;
 }
 
 Histogram::ClassType CustomHistogram::histogram_type() const {
   return CUSTOM_HISTOGRAM;
 }
 
-CustomHistogram::CustomHistogram(const std::string& name,
-                                 const std::vector<Sample>& custom_ranges)
-    : Histogram(name, custom_ranges[1], custom_ranges.back(),
+CustomHistogram::CustomHistogram(const std::vector<Sample>& custom_ranges)
+    : Histogram(custom_ranges[1], custom_ranges.back(),
                 custom_ranges.size()) {
   DCHECK_GT(custom_ranges.size(), 1u);
   DCHECK_EQ(custom_ranges[0], 0);
 }
 
 void CustomHistogram::InitializedCustomBucketRange(
     const std::vector<Sample>& custom_ranges) {
   DCHECK_GT(custom_ranges.size(), 1u);
@@ -995,182 +827,9 @@ void CustomHistogram::InitializedCustomB
     SetBucketRange(index, custom_ranges[index]);
   ResetRangeChecksum();
 }
 
 double CustomHistogram::GetBucketSize(Count current, size_t i) const {
   return 1;
 }
 
-//------------------------------------------------------------------------------
-// The next section handles global (central) support for all histograms, as well
-// as startup/teardown of this service.
-//------------------------------------------------------------------------------
-
-// This singleton instance should be started during the single threaded portion
-// of main(), and hence it is not thread safe.  It initializes globals to
-// provide support for all future calls.
-StatisticsRecorder::StatisticsRecorder() {
-  DCHECK(!histograms_);
-  if (lock_ == NULL) {
-    // This will leak on purpose. It's the only way to make sure we won't race
-    // against the static uninitialization of the module while one of our
-    // static methods relying on the lock get called at an inappropriate time
-    // during the termination phase. Since it's a static data member, we will
-    // leak one per process, which would be similar to the instance allocated
-    // during static initialization and released only on  process termination.
-    lock_ = new base::Lock;
-  }
-  base::AutoLock auto_lock(*lock_);
-  histograms_ = new HistogramMap;
-}
-
-StatisticsRecorder::~StatisticsRecorder() {
-  DCHECK(histograms_ && lock_);
-
-  if (dump_on_exit_) {
-    std::string output;
-    WriteGraph("", &output);
-    CHROMIUM_LOG(INFO) << output;
-  }
-  // Clean up.
-  HistogramMap* histograms = NULL;
-  {
-    base::AutoLock auto_lock(*lock_);
-    histograms = histograms_;
-    histograms_ = NULL;
-    for (HistogramMap::iterator it = histograms->begin();
-         histograms->end() != it;
-         ++it) {
-      // No other clients permanently hold Histogram references, so we
-      // have the only one and it is safe to delete it.
-      delete it->second;
-    }
-  }
-  delete histograms;
-  // We don't delete lock_ on purpose to avoid having to properly protect
-  // against it going away after we checked for NULL in the static methods.
-}
-
-// static
-bool StatisticsRecorder::IsActive() {
-  if (lock_ == NULL)
-    return false;
-  base::AutoLock auto_lock(*lock_);
-  return NULL != histograms_;
-}
-
-Histogram* StatisticsRecorder::RegisterOrDeleteDuplicate(Histogram* histogram) {
-  DCHECK(histogram->HasValidRangeChecksum());
-  if (lock_ == NULL)
-    return histogram;
-  base::AutoLock auto_lock(*lock_);
-  if (!histograms_)
-    return histogram;
-  const std::string name = histogram->histogram_name();
-  HistogramMap::iterator it = histograms_->find(name);
-  // Avoid overwriting a previous registration.
-  if (histograms_->end() == it) {
-    (*histograms_)[name] = histogram;
-  } else {
-    delete histogram;  // We already have one by this name.
-    histogram = it->second;
-  }
-  return histogram;
-}
-
-// static
-void StatisticsRecorder::WriteHTMLGraph(const std::string& query,
-                                        std::string* output) {
-  if (!IsActive())
-    return;
-  output->append("<html><head><title>About Histograms");
-  if (!query.empty())
-    output->append(" - " + query);
-  output->append("</title>"
-                 // We'd like the following no-cache... but it doesn't work.
-                 // "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">"
-                 "</head><body>");
-
-  Histograms snapshot;
-  GetSnapshot(query, &snapshot);
-  for (Histograms::iterator it = snapshot.begin();
-       it != snapshot.end();
-       ++it) {
-    (*it)->WriteHTMLGraph(output);
-    output->append("<br><hr><br>");
-  }
-  output->append("</body></html>");
-}
-
-// static
-void StatisticsRecorder::WriteGraph(const std::string& query,
-                                    std::string* output) {
-  if (!IsActive())
-    return;
-  if (query.length())
-    StringAppendF(output, "Collections of histograms for %s\n", query.c_str());
-  else
-    output->append("Collections of all histograms\n");
-
-  Histograms snapshot;
-  GetSnapshot(query, &snapshot);
-  for (Histograms::iterator it = snapshot.begin();
-       it != snapshot.end();
-       ++it) {
-    (*it)->WriteAscii(true, "\n", output);
-    output->append("\n");
-  }
-}
-
-// static
-void StatisticsRecorder::GetHistograms(Histograms* output) {
-  if (lock_ == NULL)
-    return;
-  base::AutoLock auto_lock(*lock_);
-  if (!histograms_)
-    return;
-  for (HistogramMap::iterator it = histograms_->begin();
-       histograms_->end() != it;
-       ++it) {
-    DCHECK_EQ(it->first, it->second->histogram_name());
-    output->push_back(it->second);
-  }
-}
-
-bool StatisticsRecorder::FindHistogram(const std::string& name,
-                                       Histogram** histogram) {
-  if (lock_ == NULL)
-    return false;
-  base::AutoLock auto_lock(*lock_);
-  if (!histograms_)
-    return false;
-  HistogramMap::iterator it = histograms_->find(name);
-  if (histograms_->end() == it)
-    return false;
-  *histogram = it->second;
-  return true;
-}
-
-// private static
-void StatisticsRecorder::GetSnapshot(const std::string& query,
-                                     Histograms* snapshot) {
-  if (lock_ == NULL)
-    return;
-  base::AutoLock auto_lock(*lock_);
-  if (!histograms_)
-    return;
-  for (HistogramMap::iterator it = histograms_->begin();
-       histograms_->end() != it;
-       ++it) {
-    if (it->first.find(query) != std::string::npos)
-      snapshot->push_back(it->second);
-  }
-}
-
-// static
-StatisticsRecorder::HistogramMap* StatisticsRecorder::histograms_ = NULL;
-// static
-base::Lock* StatisticsRecorder::lock_ = NULL;
-// static
-bool StatisticsRecorder::dump_on_exit_ = false;
-
 }  // namespace base
--- a/ipc/chromium/src/base/histogram.h
+++ b/ipc/chromium/src/base/histogram.h
@@ -51,216 +51,16 @@
 #include <vector>
 
 #include "base/time.h"
 #include "base/lock.h"
 
 namespace base {
 
 //------------------------------------------------------------------------------
-// Provide easy general purpose histogram in a macro, just like stats counters.
-// The first four macros use 50 buckets.
-
-#define HISTOGRAM_TIMES(name, sample) HISTOGRAM_CUSTOM_TIMES( \
-    name, sample, base::TimeDelta::FromMilliseconds(1), \
-    base::TimeDelta::FromSeconds(10), 50)
-
-#define HISTOGRAM_COUNTS(name, sample) HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 1000000, 50)
-
-#define HISTOGRAM_COUNTS_100(name, sample) HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 100, 50)
-
-#define HISTOGRAM_COUNTS_10000(name, sample) HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 10000, 50)
-
-#define HISTOGRAM_CUSTOM_COUNTS(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryGet(name, min, max, bucket_count, \
-                                            base::Histogram::kNoFlags); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-#define HISTOGRAM_PERCENTAGE(name, under_one_hundred) \
-    HISTOGRAM_ENUMERATION(name, under_one_hundred, 101)
-
-// For folks that need real specific times, use this to select a precise range
-// of times you want plotted, and the number of buckets you want used.
-#define HISTOGRAM_CUSTOM_TIMES(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryTimeGet(name, min, max, bucket_count, \
-                                                base::Histogram::kNoFlags); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->AddTime(sample); \
-  } while (0)
-
-// DO NOT USE THIS.  It is being phased out, in favor of HISTOGRAM_CUSTOM_TIMES.
-#define HISTOGRAM_CLIPPED_TIMES(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryTimeGet(name, min, max, bucket_count, \
-                                                base::Histogram::kNoFlags); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    if ((sample) < (max)) counter->AddTime(sample); \
-  } while (0)
-
-// Support histograming of an enumerated value.  The samples should always be
-// less than boundary_value.
-
-#define HISTOGRAM_ENUMERATION(name, sample, boundary_value) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::LinearHistogram::FactoryGet(name, 1, boundary_value, \
-          boundary_value + 1, base::Histogram::kNoFlags); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-#define HISTOGRAM_CUSTOM_ENUMERATION(name, sample, custom_ranges) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::CustomHistogram::FactoryGet(name, custom_ranges, \
-                                                  base::Histogram::kNoFlags); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-
-//------------------------------------------------------------------------------
-// Define Debug vs non-debug flavors of macros.
-#ifndef NDEBUG
-
-#define DHISTOGRAM_TIMES(name, sample) HISTOGRAM_TIMES(name, sample)
-#define DHISTOGRAM_COUNTS(name, sample) HISTOGRAM_COUNTS(name, sample)
-#define DHISTOGRAM_PERCENTAGE(name, under_one_hundred) HISTOGRAM_PERCENTAGE(\
-    name, under_one_hundred)
-#define DHISTOGRAM_CUSTOM_TIMES(name, sample, min, max, bucket_count) \
-    HISTOGRAM_CUSTOM_TIMES(name, sample, min, max, bucket_count)
-#define DHISTOGRAM_CLIPPED_TIMES(name, sample, min, max, bucket_count) \
-    HISTOGRAM_CLIPPED_TIMES(name, sample, min, max, bucket_count)
-#define DHISTOGRAM_CUSTOM_COUNTS(name, sample, min, max, bucket_count) \
-    HISTOGRAM_CUSTOM_COUNTS(name, sample, min, max, bucket_count)
-#define DHISTOGRAM_ENUMERATION(name, sample, boundary_value) \
-    HISTOGRAM_ENUMERATION(name, sample, boundary_value)
-#define DHISTOGRAM_CUSTOM_ENUMERATION(name, sample, custom_ranges) \
-    HISTOGRAM_CUSTOM_ENUMERATION(name, sample, custom_ranges)
-
-#else  // NDEBUG
-
-#define DHISTOGRAM_TIMES(name, sample) do {} while (0)
-#define DHISTOGRAM_COUNTS(name, sample) do {} while (0)
-#define DHISTOGRAM_PERCENTAGE(name, under_one_hundred) do {} while (0)
-#define DHISTOGRAM_CUSTOM_TIMES(name, sample, min, max, bucket_count) \
-    do {} while (0)
-#define DHISTOGRAM_CLIPPED_TIMES(name, sample, min, max, bucket_count) \
-    do {} while (0)
-#define DHISTOGRAM_CUSTOM_COUNTS(name, sample, min, max, bucket_count) \
-    do {} while (0)
-#define DHISTOGRAM_ENUMERATION(name, sample, boundary_value) do {} while (0)
-#define DHISTOGRAM_CUSTOM_ENUMERATION(name, sample, custom_ranges) \
-    do {} while (0)
-
-#endif  // NDEBUG
-
-//------------------------------------------------------------------------------
-// The following macros provide typical usage scenarios for callers that wish
-// to record histogram data, and have the data submitted/uploaded via UMA.
-// Not all systems support such UMA, but if they do, the following macros
-// should work with the service.
-
-#define UMA_HISTOGRAM_TIMES(name, sample) UMA_HISTOGRAM_CUSTOM_TIMES( \
-    name, sample, base::TimeDelta::FromMilliseconds(1), \
-    base::TimeDelta::FromSeconds(10), 50)
-
-#define UMA_HISTOGRAM_MEDIUM_TIMES(name, sample) UMA_HISTOGRAM_CUSTOM_TIMES( \
-    name, sample, base::TimeDelta::FromMilliseconds(10), \
-    base::TimeDelta::FromMinutes(3), 50)
-
-// Use this macro when times can routinely be much longer than 10 seconds.
-#define UMA_HISTOGRAM_LONG_TIMES(name, sample) UMA_HISTOGRAM_CUSTOM_TIMES( \
-    name, sample, base::TimeDelta::FromMilliseconds(1), \
-    base::TimeDelta::FromHours(1), 50)
-
-#define UMA_HISTOGRAM_CUSTOM_TIMES(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryTimeGet(name, min, max, bucket_count, \
-            base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->AddTime(sample); \
-  } while (0)
-
-// DO NOT USE THIS.  It is being phased out, in favor of HISTOGRAM_CUSTOM_TIMES.
-#define UMA_HISTOGRAM_CLIPPED_TIMES(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryTimeGet(name, min, max, bucket_count, \
-           base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    if ((sample) < (max)) counter->AddTime(sample); \
-  } while (0)
-
-#define UMA_HISTOGRAM_COUNTS(name, sample) UMA_HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 1000000, 50)
-
-#define UMA_HISTOGRAM_COUNTS_100(name, sample) UMA_HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 100, 50)
-
-#define UMA_HISTOGRAM_COUNTS_10000(name, sample) UMA_HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 10000, 50)
-
-#define UMA_HISTOGRAM_CUSTOM_COUNTS(name, sample, min, max, bucket_count) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::Histogram::FactoryGet(name, min, max, bucket_count, \
-          base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-#define UMA_HISTOGRAM_MEMORY_KB(name, sample) UMA_HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1000, 500000, 50)
-
-#define UMA_HISTOGRAM_MEMORY_MB(name, sample) UMA_HISTOGRAM_CUSTOM_COUNTS( \
-    name, sample, 1, 1000, 50)
-
-#define UMA_HISTOGRAM_PERCENTAGE(name, under_one_hundred) \
-    UMA_HISTOGRAM_ENUMERATION(name, under_one_hundred, 101)
-
-#define UMA_HISTOGRAM_BOOLEAN(name, sample) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::BooleanHistogram::FactoryGet(name, \
-          base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->AddBoolean(sample); \
-  } while (0)
-
-#define UMA_HISTOGRAM_ENUMERATION(name, sample, boundary_value) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::LinearHistogram::FactoryGet(name, 1, boundary_value, \
-          boundary_value + 1, base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-#define UMA_HISTOGRAM_CUSTOM_ENUMERATION(name, sample, custom_ranges) do { \
-    static base::Histogram* counter(NULL); \
-    if (!counter) \
-      counter = base::CustomHistogram::FactoryGet(name, custom_ranges, \
-          base::Histogram::kUmaTargetedHistogramFlag); \
-    DCHECK_EQ(name, counter->histogram_name()); \
-    counter->Add(sample); \
-  } while (0)
-
-//------------------------------------------------------------------------------
 
 class BooleanHistogram;
 class CustomHistogram;
 class Histogram;
 class LinearHistogram;
 
 class Histogram {
  public:
@@ -368,56 +168,45 @@ class Histogram {
     // and also the snapshotting code may asynchronously get a mismatch (though
     // generally either race based mismatch cause is VERY rare).
     int64_t redundant_count_;
   };
 
   //----------------------------------------------------------------------------
   // minimum should start from 1. 0 is invalid as a minimum. 0 is an implicit
   // default underflow bucket.
-  static Histogram* FactoryGet(const std::string& name,
-                               Sample minimum,
+  static Histogram* FactoryGet(Sample minimum,
                                Sample maximum,
                                size_t bucket_count,
                                Flags flags);
-  static Histogram* FactoryTimeGet(const std::string& name,
-                                   base::TimeDelta minimum,
+  static Histogram* FactoryTimeGet(base::TimeDelta minimum,
                                    base::TimeDelta maximum,
                                    size_t bucket_count,
                                    Flags flags);
 
+  virtual ~Histogram();
+
   void Add(int value);
   void Subtract(int value);
 
-  // TODO: Currently recording_enabled_ is not used by any Histogram class, but
-  //       rather examined only by the telemetry code (via IsRecordingEnabled).
-  //       Move handling to Histogram's Add() etc after simplifying Histogram.
-  void SetRecordingEnabled(bool aEnabled) { recording_enabled_ = aEnabled; };
-  bool IsRecordingEnabled() const { return recording_enabled_; };
-
   // This method is an interface, used only by BooleanHistogram.
   virtual void AddBoolean(bool value);
 
   // Accept a TimeDelta to increment.
   void AddTime(TimeDelta time) {
     Add(static_cast<int>(time.InMilliseconds()));
   }
 
   virtual void AddSampleSet(const SampleSet& sample);
 
   virtual void Clear();
 
   // This method is an interface, used only by LinearHistogram.
   virtual void SetRangeDescriptions(const DescriptionPair descriptions[]);
 
-  // The following methods provide graphical histogram displays.
-  void WriteHTMLGraph(std::string* output) const;
-  void WriteAscii(bool graph_it, const std::string& newline,
-                  std::string* output) const;
-
   // Support generic flagging of Histograms.
   // 0x1 Currently used to mark this histogram to be recorded by UMA..
   // 0x8000 means print ranges in hex.
   void SetFlags(Flags flags) { flags_ = static_cast<Flags> (flags_ | flags); }
   void ClearFlags(Flags flags) { flags_ = static_cast<Flags>(flags_ & ~flags); }
   int flags() const { return flags_; }
 
   // Check to see if bucket ranges, counts and tallies in the snapshot are
@@ -426,17 +215,16 @@ class Histogram {
   // a SnapShot process, but should otherwise be false at all times (unless we
   // have memory over-writes, or DRAM failures).
   virtual Inconsistencies FindCorruption(const SampleSet& snapshot) const;
 
   //----------------------------------------------------------------------------
   // Accessors for factory constuction, serialization and testing.
   //----------------------------------------------------------------------------
   virtual ClassType histogram_type() const;
-  const std::string& histogram_name() const { return histogram_name_; }
   Sample declared_min() const { return declared_min_; }
   Sample declared_max() const { return declared_max_; }
   virtual Sample ranges(size_t i) const;
   uint32_t range_checksum() const { return range_checksum_; }
   virtual size_t bucket_count() const;
 
   // Do a safe atomic snapshot of sample data.  The caller is assumed to
   // have exclusive access to the destination, |*sample|, and no locking
@@ -448,22 +236,18 @@ class Histogram {
 
   virtual bool HasConstructorTimeDeltaArguments(TimeDelta minimum,
                                                 TimeDelta maximum,
                                                 size_t bucket_count);
   // Return true iff the range_checksum_ matches current ranges_ vector.
   bool HasValidRangeChecksum() const;
 
  protected:
-  Histogram(const std::string& name, Sample minimum,
-            Sample maximum, size_t bucket_count);
-  Histogram(const std::string& name, TimeDelta minimum,
-            TimeDelta maximum, size_t bucket_count);
-
-  virtual ~Histogram();
+  Histogram(Sample minimum, Sample maximum, size_t bucket_count);
+  Histogram(TimeDelta minimum, TimeDelta maximum, size_t bucket_count);
 
   // Initialize ranges_ mapping.
   void InitializeBucketRange();
 
   // Method to override to skip the display of the i'th bucket if it's empty.
   virtual bool PrintEmptyBucket(size_t index) const;
 
   //----------------------------------------------------------------------------
@@ -499,58 +283,34 @@ class Histogram {
 
   virtual uint32_t CalculateRangeChecksum() const;
 
   // Finally, provide the state that changes with the addition of each new
   // sample.
   SampleSet sample_;
 
  private:
-  friend class StatisticsRecorder;  // To allow it to delete duplicates.
-
   // Post constructor initialization.
   void Initialize();
 
   // Checksum function for accumulating range values into a checksum.
   static uint32_t Crc32(uint32_t sum, Sample range);
 
   //----------------------------------------------------------------------------
   // Helpers for emitting Ascii graphic.  Each method appends data to output.
 
   // Find out how large the (graphically) the largest bucket will appear to be.
   double GetPeakBucketSize(const SampleSet& snapshot) const;
 
-  // Write a common header message describing this histogram.
-  void WriteAsciiHeader(const SampleSet& snapshot,
-                        Count sample_count, std::string* output) const;
-
-  // Write information about previous, current, and next buckets.
-  // Information such as cumulative percentage, etc.
-  void WriteAsciiBucketContext(const int64_t past, const Count current,
-                               const int64_t remaining, const size_t i,
-                               std::string* output) const;
-
-  // Write textual description of the bucket contents (relative to histogram).
-  // Output is the count in the buckets, as well as the percentage.
-  void WriteAsciiBucketValue(Count current, double scaled_sum,
-                             std::string* output) const;
-
-  // Produce actual graph (set of blank vs non blank char's) for a bucket.
-  void WriteAsciiBucketGraph(double current_size, double max_size,
-                             std::string* output) const;
-
   //----------------------------------------------------------------------------
   // Table for generating Crc32 values.
   static const uint32_t kCrcTable[256];
   //----------------------------------------------------------------------------
   // Invariant values set at/near construction time
 
-  // ASCII version of original name given to the constructor.  All identically
-  // named instances will be coalesced cross-project.
-  const std::string histogram_name_;
   Sample declared_min_;  // Less than this goes into counts_[0]
   Sample declared_max_;  // Over this goes into counts_[bucket_count_ - 1].
   size_t bucket_count_;  // Dimension of counts_[].
 
   // Flag the histogram for recording by UMA via metric_services.h.
   Flags flags_;
 
   // For each index, show the least value that can be stored in the
@@ -559,58 +319,51 @@ class Histogram {
   // The dimension of ranges_ is bucket_count + 1.
   Ranges ranges_;
 
   // For redundancy, we store a checksum of all the sample ranges when ranges
   // are generated.  If ever there is ever a difference, then the histogram must
   // have been corrupted.
   uint32_t range_checksum_;
 
-  // When false, new samples are completely ignored.
-  mozilla::Atomic<bool, mozilla::Relaxed> recording_enabled_;
-
   DISALLOW_COPY_AND_ASSIGN(Histogram);
 };
 
 //------------------------------------------------------------------------------
 
 // LinearHistogram is a more traditional histogram, with evenly spaced
 // buckets.
 class LinearHistogram : public Histogram {
  public:
   virtual ~LinearHistogram();
 
   /* minimum should start from 1. 0 is as minimum is invalid. 0 is an implicit
      default underflow bucket. */
-  static Histogram* FactoryGet(const std::string& name,
-                               Sample minimum,
+  static Histogram* FactoryGet(Sample minimum,
                                Sample maximum,
                                size_t bucket_count,
                                Flags flags);
-  static Histogram* FactoryTimeGet(const std::string& name,
-                                   TimeDelta minimum,
+  static Histogram* FactoryTimeGet(TimeDelta minimum,
                                    TimeDelta maximum,
                                    size_t bucket_count,
                                    Flags flags);
 
   // Overridden from Histogram:
   virtual ClassType histogram_type() const;
 
   virtual void Accumulate(Sample value, Count count, size_t index);
 
   // Store a list of number/text values for use in rendering the histogram.
   // The last element in the array has a null in its "description" slot.
   virtual void SetRangeDescriptions(const DescriptionPair descriptions[]);
 
  protected:
-  LinearHistogram(const std::string& name, Sample minimum,
-                  Sample maximum, size_t bucket_count);
+  LinearHistogram(Sample minimum, Sample maximum, size_t bucket_count);
 
-  LinearHistogram(const std::string& name, TimeDelta minimum,
-                  TimeDelta maximum, size_t bucket_count);
+  LinearHistogram(TimeDelta minimum, TimeDelta maximum, size_t bucket_count);
 
   // Initialize ranges_ mapping.
   void InitializeBucketRange();
   virtual double GetBucketSize(Count current, size_t i) const;
 
   // If we have a description for a bucket, then return that.  Otherwise
   // let parent class provide a (numeric) description.
   virtual const std::string GetAsciiBucketRange(size_t i) const;
@@ -629,152 +382,88 @@ class LinearHistogram : public Histogram
   DISALLOW_COPY_AND_ASSIGN(LinearHistogram);
 };
 
 //------------------------------------------------------------------------------
 
 // BooleanHistogram is a histogram for booleans.
 class BooleanHistogram : public LinearHistogram {
  public:
-  static Histogram* FactoryGet(const std::string& name, Flags flags);
+  static Histogram* FactoryGet(Flags flags);
 
   virtual ClassType histogram_type() const;
 
   virtual void AddBoolean(bool value);
 
   virtual void Accumulate(Sample value, Count count, size_t index);
 
  protected:
-  explicit BooleanHistogram(const std::string& name);
+  explicit BooleanHistogram();
 
   DISALLOW_COPY_AND_ASSIGN(BooleanHistogram);
 };
 
 //------------------------------------------------------------------------------
 
 // FlagHistogram is like boolean histogram, but only allows a single off/on value.
 class FlagHistogram : public BooleanHistogram
 {
 public:
-  static Histogram *FactoryGet(const std::string &name, Flags flags);
+  static Histogram *FactoryGet(Flags flags);
 
   virtual ClassType histogram_type() const;
 
   virtual void Accumulate(Sample value, Count count, size_t index);
 
   virtual void AddSampleSet(const SampleSet& sample);
 
   virtual void Clear();
 
 private:
-  explicit FlagHistogram(const std::string &name);
+  explicit FlagHistogram();
   bool mSwitched;
 
   DISALLOW_COPY_AND_ASSIGN(FlagHistogram);
 };
 
 // CountHistogram only allows a single monotic counter value.
 class CountHistogram : public LinearHistogram
 {
 public:
-  static Histogram *FactoryGet(const std::string &name, Flags flags);
+  static Histogram *FactoryGet(Flags flags);
 
   virtual ClassType histogram_type() const;
 
   virtual void Accumulate(Sample value, Count count, size_t index);
 
   virtual void AddSampleSet(const SampleSet& sample);
 
 private:
-  explicit CountHistogram(const std::string &name);
+  explicit CountHistogram();
 
   DISALLOW_COPY_AND_ASSIGN(CountHistogram);
 };
 
 //------------------------------------------------------------------------------
 
 // CustomHistogram is a histogram for a set of custom integers.
 class CustomHistogram : public Histogram {
  public:
 
-  static Histogram* FactoryGet(const std::string& name,
-                               const std::vector<Sample>& custom_ranges,
+  static Histogram* FactoryGet(const std::vector<Sample>& custom_ranges,
                                Flags flags);
 
   // Overridden from Histogram:
   virtual ClassType histogram_type() const;
 
  protected:
-  CustomHistogram(const std::string& name,
-                  const std::vector<Sample>& custom_ranges);
+  explicit CustomHistogram(const std::vector<Sample>& custom_ranges);
 
   // Initialize ranges_ mapping.
   void InitializedCustomBucketRange(const std::vector<Sample>& custom_ranges);
   virtual double GetBucketSize(Count current, size_t i) const;
 
   DISALLOW_COPY_AND_ASSIGN(CustomHistogram);
 };
 
-//------------------------------------------------------------------------------
-// StatisticsRecorder handles all histograms in the system.  It provides a
-// general place for histograms to register, and supports a global API for
-// accessing (i.e., dumping, or graphing) the data in all the histograms.
-
-class StatisticsRecorder {
- public:
-  typedef std::vector<Histogram*> Histograms;
-
-  StatisticsRecorder();
-
-  ~StatisticsRecorder();
-
-  // Find out if histograms can now be registered into our list.
-  static bool IsActive();
-
-  // Register, or add a new histogram to the collection of statistics. If an
-  // identically named histogram is already registered, then the argument
-  // |histogram| will deleted.  The returned value is always the registered
-  // histogram (either the argument, or the pre-existing registered histogram).
-  static Histogram* RegisterOrDeleteDuplicate(Histogram* histogram);
-
-  // Methods for printing histograms.  Only histograms which have query as
-  // a substring are written to output (an empty string will process all
-  // registered histograms).
-  static void WriteHTMLGraph(const std::string& query, std::string* output);
-  static void WriteGraph(const std::string& query, std::string* output);
-
-  // Method for extracting histograms which were marked for use by UMA.
-  static void GetHistograms(Histograms* output);
-
-  // Find a histogram by name. It matches the exact name. This method is thread
-  // safe.  If a matching histogram is not found, then the |histogram| is
-  // not changed.
-  static bool FindHistogram(const std::string& query, Histogram** histogram);
-
-  static bool dump_on_exit() { return dump_on_exit_; }
-
-  static void set_dump_on_exit(bool enable) { dump_on_exit_ = enable; }
-
-  // GetSnapshot copies some of the pointers to registered histograms into the
-  // caller supplied vector (Histograms).  Only histograms with names matching
-  // query are returned. The query must be a substring of histogram name for its
-  // pointer to be copied.
-  static void GetSnapshot(const std::string& query, Histograms* snapshot);
-
-
- private:
-  // We keep all registered histograms in a map, from name to histogram.
-  typedef std::map<std::string, Histogram*> HistogramMap;
-
-  static HistogramMap* histograms_;
-
-  // lock protects access to the above map.
-  static Lock* lock_;
-
-  // Dump all known histograms to log.
-  static bool dump_on_exit_;
-
-  DISALLOW_COPY_AND_ASSIGN(StatisticsRecorder);
-};
-
 }  // namespace base
 
 #endif  // BASE_METRICS_HISTOGRAM_H_
--- a/ipc/chromium/src/base/message_pump_win.cc
+++ b/ipc/chromium/src/base/message_pump_win.cc
@@ -156,18 +156,16 @@ void MessagePumpForUI::PumpOutPendingPai
   for (peek_count = 0; peek_count < kMaxPeekCount; ++peek_count) {
     MSG msg;
     if (!PeekMessage(&msg, NULL, 0, 0, PM_REMOVE | PM_QS_PAINT))
       break;
     ProcessMessageHelper(msg);
     if (state_->should_quit)  // Handle WM_QUIT.
       break;
   }
-  // Histogram what was really being used, to help to adjust kMaxPeekCount.
-  DHISTOGRAM_COUNTS("Loop.PumpOutPendingPaintMessages Peeks", peek_count);
 }
 
 //-----------------------------------------------------------------------------
 // MessagePumpForUI private:
 
 // static
 LRESULT CALLBACK MessagePumpForUI::WndProcThunk(
     HWND hwnd, UINT message, WPARAM wparam, LPARAM lparam) {
--- a/ipc/ipdl/message-metadata.ini
+++ b/ipc/ipdl/message-metadata.ini
@@ -24,8 +24,21 @@ segment_capacity = 8192
 segment_capacity = 8192
 [PWyciwygChannel::SetSecurityInfo]
 segment_capacity = 8192
 [PMessagePort::PostMessages]
 segment_capacity = 12288
 [PMessagePort::ReceiveData]
 segment_capacity = 12288
 
+#------------------------------------------------------------
+# Small-size messages.
+#------------------------------------------------------------
+[PCompositorBridge::DidComposite]
+segment_capacity = 128
+[PBrowser::RealMouseMoveEvent]
+segment_capacity = 192
+[PCompositorBridge::PTextureConstructor]
+segment_capacity = 192
+[PLayerTransaction::InitReadLocks]
+segment_capacity = 256
+[PHttpBackgroundChannel::OnStopRequest]
+segment_capacity = 192
--- a/js/src/gc/GCRuntime.h
+++ b/js/src/gc/GCRuntime.h
@@ -799,19 +799,26 @@ class GCRuntime
 
     static bool initializeSweepActions();
 
     void setGrayRootsTracer(JSTraceDataOp traceOp, void* data);
     MOZ_MUST_USE bool addBlackRootsTracer(JSTraceDataOp traceOp, void* data);
     void removeBlackRootsTracer(JSTraceDataOp traceOp, void* data);
 
     bool triggerGCForTooMuchMalloc() {
+        if (!triggerGC(JS::gcreason::TOO_MUCH_MALLOC))
+            return false;
+
+        // Even though this method may be called off the main thread it is safe
+        // to access mallocCounter here since triggerGC() will return false in
+        // that case.
         stats().recordTrigger(mallocCounter.bytes(), mallocCounter.maxBytes());
-        return triggerGC(JS::gcreason::TOO_MUCH_MALLOC);
+        return true;
     }
+
     int32_t getMallocBytes() const { return mallocCounter.bytes(); }
     size_t maxMallocBytesAllocated() const { return mallocCounter.maxBytes(); }
     bool isTooMuchMalloc() const { return mallocCounter.isTooMuchMalloc(); }
     void resetMallocBytes() { mallocCounter.reset(); }
     void setMaxMallocBytes(size_t value);
     void updateMallocCounter(JS::Zone* zone, size_t nbytes);
 
     void setGCCallback(JSGCCallback callback, void* data);
@@ -925,17 +932,18 @@ class GCRuntime
     void bufferGrayRoots();
 
     /*
      * Concurrent sweep infrastructure.
      */
     void startTask(GCParallelTask& task, gcstats::PhaseKind phase, AutoLockHelperThreadState& locked);
     void joinTask(GCParallelTask& task, gcstats::PhaseKind phase, AutoLockHelperThreadState& locked);
 
-  private:
+    // Delete an empty zone group after its contents have been merged.
+    void deleteEmptyZoneGroup(ZoneGroup* group);
 
   private:
     enum IncrementalResult
     {
         Reset = 0,
         Ok
     };
 
@@ -1084,17 +1092,20 @@ class GCRuntime
   public:
     JSRuntime* const rt;
 
     /* Embedders can use this zone and group however they wish. */
     UnprotectedData<JS::Zone*> systemZone;
     UnprotectedData<ZoneGroup*> systemZoneGroup;
 
     // List of all zone groups (protected by the GC lock).
-    ActiveThreadOrGCTaskData<ZoneGroupVector> groups;
+  private:
+    ActiveThreadOrGCTaskData<ZoneGroupVector> groups_;
+  public:
+    ZoneGroupVector& groups() { return groups_.ref(); }
 
     // The unique atoms zone, which has no zone group.
     WriteOnceData<Zone*> atomsZone;
 
   private:
     UnprotectedData<gcstats::Statistics> stats_;
   public:
     gcstats::Statistics& stats() { return stats_.ref(); }
--- a/js/src/gc/Zone.cpp
+++ b/js/src/gc/Zone.cpp
@@ -68,31 +68,34 @@ JS::Zone::Zone(JSRuntime* rt, ZoneGroup*
     AutoLockGC lock(rt);
     threshold.updateAfterGC(8192, GC_NORMAL, rt->gc.tunables, rt->gc.schedulingState, lock);
     setGCMaxMallocBytes(rt->gc.maxMallocBytesAllocated() * 0.9);
     jitCodeCounter.setMax(jit::MaxCodeBytesPerProcess * 0.8);
 }
 
 Zone::~Zone()
 {
+    MOZ_ASSERT(compartments_.ref().empty());
+
     JSRuntime* rt = runtimeFromAnyThread();
     if (this == rt->gc.systemZone)
         rt->gc.systemZone = nullptr;
 
     js_delete(debuggers.ref());
     js_delete(jitZone_.ref());
 
 #ifdef DEBUG
     // Avoid assertion destroying the weak map list if the embedding leaked GC things.
     if (!rt->gc.shutdownCollectedEverything())
         gcWeakMapList().clear();
 #endif
 }
 
-bool Zone::init(bool isSystemArg)
+bool
+Zone::init(bool isSystemArg)
 {
     isSystem = isSystemArg;
     return uniqueIds().init() &&
            gcSweepGroupEdges().init() &&
            gcWeakKeys().init() &&
            typeDescrObjects().init() &&
            markedAtoms().init() &&
            atomCache().init() &&
@@ -371,16 +374,31 @@ Zone::addTypeDescrObject(JSContext* cx, 
     if (!typeDescrObjects().put(obj)) {
         ReportOutOfMemory(cx);
         return false;
     }
 
     return true;
 }
 
+void
+Zone::deleteEmptyCompartment(JSCompartment* comp)
+{
+    MOZ_ASSERT(comp->zone() == this);
+    MOZ_ASSERT(arenas.checkEmptyArenaLists());
+    for (auto& i : compartments()) {
+        if (i == comp) {
+            compartments().erase(&i);
+            comp->destroy(runtimeFromActiveCooperatingThread()->defaultFreeOp());
+            return;
+        }
+    }
+    MOZ_CRASH("Compartment not found");
+}
+
 ZoneList::ZoneList()
   : head(nullptr), tail(nullptr)
 {}
 
 ZoneList::ZoneList(Zone* zone)
   : head(zone), tail(zone)
 {
     MOZ_RELEASE_ASSERT(!zone->isOnList());
--- a/js/src/gc/Zone.h
+++ b/js/src/gc/Zone.h
@@ -156,16 +156,17 @@ namespace JS {
 // to delete the last compartment in a live zone.
 struct Zone : public JS::shadow::Zone,
               public js::gc::GraphNodeBase<JS::Zone>,
               public js::MallocProvider<JS::Zone>
 {
     explicit Zone(JSRuntime* rt, js::ZoneGroup* group);
     ~Zone();
     MOZ_MUST_USE bool init(bool isSystem);
+    void destroy(js::FreeOp *fop);
 
   private:
     js::ZoneGroup* const group_;
   public:
     js::ZoneGroup* group() const {
         return group_;
     }
 
@@ -617,16 +618,19 @@ struct Zone : public JS::shadow::Zone,
 
     bool keepShapeTables() const {
         return keepShapeTables_;
     }
     void setKeepShapeTables(bool b) {
         keepShapeTables_ = b;
     }
 
+    // Delete an empty compartment after its contents have been merged.
+    void deleteEmptyCompartment(JSCompartment* comp);
+
   private:
     js::ZoneGroupData<js::jit::JitZone*> jitZone_;
 
     js::ActiveThreadData<bool> gcScheduled_;
     js::ZoneGroupData<bool> gcPreserveCode_;
     js::ZoneGroupData<bool> keepShapeTables_;
 
     // Allow zones to be linked into a list
@@ -649,18 +653,18 @@ namespace js {
 class ZoneGroupsIter
 {
     gc::AutoEnterIteration iterMarker;
     ZoneGroup** it;
     ZoneGroup** end;
 
   public:
     explicit ZoneGroupsIter(JSRuntime* rt) : iterMarker(&rt->gc) {
-        it = rt->gc.groups.ref().begin();
-        end = rt->gc.groups.ref().end();
+        it = rt->gc.groups().begin();
+        end = rt->gc.groups().end();
 
         if (!done() && (*it)->usedByHelperThread)
             next();
     }
 
     bool done() const { return it == end; }
 
     void next() {
--- a/js/src/gc/ZoneGroup.cpp
+++ b/js/src/gc/ZoneGroup.cpp
@@ -125,9 +125,25 @@ ZoneGroup::ionLazyLinkListAdd(jit::IonBu
 {
     MOZ_ASSERT(CurrentThreadCanAccessRuntime(runtime),
                "Should only be mutated by the active thread.");
     MOZ_ASSERT(this == builder->script()->zone()->group());
     ionLazyLinkList().insertFront(builder);
     ionLazyLinkListSize_++;
 }
 
+void
+ZoneGroup::deleteEmptyZone(Zone* zone)
+{
+    MOZ_ASSERT(CurrentThreadCanAccessRuntime(runtime));
+    MOZ_ASSERT(zone->group() == this);
+    MOZ_ASSERT(zone->compartments().empty());
+    for (auto& i : zones()) {
+        if (i == zone) {
+            zones().erase(&i);
+            zone->destroy(runtime->defaultFreeOp());
+            return;
+        }
+    }
+    MOZ_CRASH("Zone not found");
+}
+
 } // namespace js
--- a/js/src/gc/ZoneGroup.h
+++ b/js/src/gc/ZoneGroup.h
@@ -71,16 +71,19 @@ class ZoneGroup
     inline gc::StoreBuffer& storeBuffer();
 
     inline bool isCollecting();
     inline bool isGCScheduled();
 
     // See the useExclusiveLocking field above.
     void setUseExclusiveLocking() { useExclusiveLocking = true; }
 
+    // Delete an empty zone after its contents have been merged.
+    void deleteEmptyZone(Zone* zone);
+
 #ifdef DEBUG
   private:
     // The number of possible bailing places encounters before forcefully bailing
     // in that place. Zero means inactive.
     ZoneGroupData<uint32_t> ionBailAfter_;
 
   public:
     void* addressOfIonBailAfter() { return &ionBailAfter_; }
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1382431.js
@@ -0,0 +1,6 @@
+if (helperThreadCount() === 0)
+   quit();
+
+var fe = "vv";
+for (i = 0; i < 24; i++) fe += fe;
+offThreadCompileScript(fe, {});
--- a/js/src/jscompartment.h
+++ b/js/src/jscompartment.h
@@ -858,16 +858,17 @@ struct JSCompartment
     bool isAccessValid() const { return validAccessPtr ? *validAccessPtr : true; }
     void setValidAccessPtr(bool* accessp) { validAccessPtr = accessp; }
 
   public:
     JSCompartment(JS::Zone* zone, const JS::CompartmentOptions& options);
     ~JSCompartment();
 
     MOZ_MUST_USE bool init(JSContext* maybecx);
+    void destroy(js::FreeOp* fop);
 
     MOZ_MUST_USE inline bool wrap(JSContext* cx, JS::MutableHandleValue vp);
 
     MOZ_MUST_USE bool wrap(JSContext* cx, js::MutableHandleString strp);
     MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandleObject obj);
     MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandle<js::PropertyDescriptor> desc);
     MOZ_MUST_USE bool wrap(JSContext* cx, JS::MutableHandle<JS::GCVector<JS::Value>> vec);
     MOZ_MUST_USE bool rewrap(JSContext* cx, JS::MutableHandleObject obj, JS::HandleObject existing);
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -1215,21 +1215,22 @@ GCRuntime::finish()
 #endif
 
     /* Delete all remaining zones. */
     if (rt->gcInitialized) {
         AutoSetThreadIsSweeping threadIsSweeping;
         for (ZonesIter zone(rt, WithAtoms); !zone.done(); zone.next()) {
             for (CompartmentsInZoneIter comp(zone); !comp.done(); comp.next())
                 js_delete(comp.get());
+            zone->compartments().clear();
             js_delete(zone.get());
         }
     }
 
-    groups.ref().clear();
+    groups().clear();
 
     FreeChunkPool(rt, fullChunks_.ref());
     FreeChunkPool(rt, availableChunks_.ref());
     FreeChunkPool(rt, emptyChunks_.ref());
 
     FinishTrace();
 
     for (ZoneGroupsIter group(rt); !group.done(); group.next())
@@ -3478,63 +3479,80 @@ UniqueIdGCPolicy::needsSweep(Cell** cell
 }
 
 void
 JS::Zone::sweepUniqueIds(js::FreeOp* fop)
 {
     uniqueIds().sweep();
 }
 
+void
+JSCompartment::destroy(FreeOp* fop)
+{
+    JSRuntime* rt = fop->runtime();
+    if (auto callback = rt->destroyCompartmentCallback)
+        callback(fop, this);
+    if (principals())
+        JS_DropPrincipals(TlsContext.get(), principals());
+    fop->delete_(this);
+    rt->gc.stats().sweptCompartment();
+}
+
+void
+Zone::destroy(FreeOp* fop)
+{
+    fop->delete_(this);
+    fop->runtime()->gc.stats().sweptZone();
+}
+
 /*
  * It's simpler if we preserve the invariant that every zone has at least one
  * compartment. If we know we're deleting the entire zone, then
  * SweepCompartments is allowed to delete all compartments. In this case,
  * |keepAtleastOne| is false. If some objects remain in the zone so that it
  * cannot be deleted, then we set |keepAtleastOne| to true, which prohibits
  * SweepCompartments from deleting every compartment. Instead, it preserves an
  * arbitrary compartment in the zone.
  */
 void
 Zone::sweepCompartments(FreeOp* fop, bool keepAtleastOne, bool destroyingRuntime)
 {
-    JSRuntime* rt = runtimeFromActiveCooperatingThread();
-    JSDestroyCompartmentCallback callback = rt->destroyCompartmentCallback;
+    MOZ_ASSERT(!compartments().empty());
+
+    mozilla::DebugOnly<JSRuntime*> rt = runtimeFromActiveCooperatingThread();
 
     JSCompartment** read = compartments().begin();
     JSCompartment** end = compartments().end();
     JSCompartment** write = read;
     bool foundOne = false;
     while (read < end) {
         JSCompartment* comp = *read++;
         MOZ_ASSERT(!rt->isAtomsCompartment(comp));
 
         /*
          * Don't delete the last compartment if all the ones before it were
          * deleted and keepAtleastOne is true.
          */
         bool dontDelete = read == end && !foundOne && keepAtleastOne;
         if ((!comp->marked && !dontDelete) || destroyingRuntime) {
-            if (callback)
-                callback(fop, comp);
-            if (comp->principals())
-                JS_DropPrincipals(TlsContext.get(), comp->principals());
-            js_delete(comp);
-            rt->gc.stats().sweptCompartment();
+            comp->destroy(fop);
         } else {
             *write++ = comp;
             foundOne = true;
         }
     }
     compartments().shrinkTo(write - compartments().begin());
     MOZ_ASSERT_IF(keepAtleastOne, !compartments().empty());
 }
 
 void
 GCRuntime::sweepZones(FreeOp* fop, ZoneGroup* group, bool destroyingRuntime)
 {
+    MOZ_ASSERT(!group->zones().empty());
+
     Zone** read = group->zones().begin();
     Zone** end = group->zones().end();
     Zone** write = read;
 
     while (read < end) {
         Zone* zone = *read++;
 
         if (zone->wasGCStarted()) {
@@ -3553,18 +3571,17 @@ GCRuntime::sweepZones(FreeOp* fop, ZoneG
 #ifdef DEBUG
                 if (!zone->arenas.checkEmptyArenaLists())
                     arenasEmptyAtShutdown = false;
 #endif
 
                 zone->sweepCompartments(fop, false, destroyingRuntime);
                 MOZ_ASSERT(zone->compartments().empty());
                 MOZ_ASSERT_IF(arenasEmptyAtShutdown, zone->typeDescrObjects().empty());
-                fop->delete_(zone);
-                stats().sweptZone();
+                zone->destroy(fop);
                 continue;
             }
             zone->sweepCompartments(fop, true, destroyingRuntime);
         }
         *write++ = zone;
     }
     group->zones().shrinkTo(write - group->zones().begin());
 }
@@ -3575,32 +3592,32 @@ GCRuntime::sweepZoneGroups(FreeOp* fop, 
     MOZ_ASSERT_IF(destroyingRuntime, numActiveZoneIters == 0);
     MOZ_ASSERT_IF(destroyingRuntime, arenasEmptyAtShutdown);
 
     if (rt->gc.numActiveZoneIters)
         return;
 
     assertBackgroundSweepingFinished();
 
-    ZoneGroup** read = groups.ref().begin();
-    ZoneGroup** end = groups.ref().end();
+    ZoneGroup** read = groups().begin();
+    ZoneGroup** end = groups().end();
     ZoneGroup** write = read;
 
     while (read < end) {
         ZoneGroup* group = *read++;
         sweepZones(fop, group, destroyingRuntime);
 
         if (group->zones().empty()) {
             MOZ_ASSERT(numActiveZoneIters == 0);
             fop->delete_(group);
         } else {
             *write++ = group;
         }
     }
-    groups.ref().shrinkTo(write - groups.ref().begin());
+    groups().shrinkTo(write - groups().begin());
 }
 
 #ifdef DEBUG
 static const char*
 AllocKindToAscii(AllocKind kind)
 {
     switch(kind) {
 #define MAKE_CASE(allocKind, traceKind, type, sizedType) \
@@ -7362,17 +7379,17 @@ js::NewCompartment(JSContext* cx, JSPrin
         if (zoneSpec == JS::SystemZone) {
             MOZ_RELEASE_ASSERT(!rt->gc.systemZone);
             rt->gc.systemZone = zone;
             zone->isSystem = true;
         }
     }
 
     if (groupHolder) {
-        if (!rt->gc.groups.ref().append(group)) {
+        if (!rt->gc.groups().append(group)) {
             ReportOutOfMemory(cx);
             return nullptr;
         }
 
         // Lazily set the runtime's system zone group.
         if (zoneSpec == JS::SystemZone || zoneSpec == JS::NewZoneInSystemZoneGroup) {
             MOZ_RELEASE_ASSERT(!rt->gc.systemZoneGroup);
             rt->gc.systemZoneGroup = group;
@@ -7392,16 +7409,20 @@ gc::MergeCompartments(JSCompartment* sou
     // The source compartment must be specifically flagged as mergable.  This
     // also implies that the compartment is not visible to the debugger.
     MOZ_ASSERT(source->creationOptions_.mergeable());
     MOZ_ASSERT(source->creationOptions_.invisibleToDebugger());
 
     MOZ_ASSERT(source->creationOptions().addonIdOrNull() ==
                target->creationOptions().addonIdOrNull());
 
+    MOZ_ASSERT(!source->hasBeenEntered());
+    MOZ_ASSERT(source->zone()->compartments().length() == 1);
+    MOZ_ASSERT(source->zone()->group()->zones().length() == 1);
+
     JSContext* cx = source->runtimeFromActiveCooperatingThread()->activeContextFromOwnThread();
 
     MOZ_ASSERT(!source->zone()->wasGCStarted());
     MOZ_ASSERT(!target->zone()->wasGCStarted());
     JS::AutoAssertNoGC nogc(cx);
 
     AutoTraceSession session(cx->runtime());
 
@@ -7484,16 +7505,42 @@ gc::MergeCompartments(JSCompartment* sou
             JSScript* key = r.front().key();
             const char* value = r.front().value();
             if (!target->scriptNameMap->putNew(key, value))
                 oomUnsafe.crash("Failed to add an entry in the script name map.");
         }
 
         source->scriptNameMap->clear();
     }
+
+    // The source compartment is now completely empty, and is the only
+    // compartment in its zone, which is the only zone in its group. Delete
+    // compartment, zone and group without waiting for this to be cleaned up by
+    // a full GC.
+
+    Zone* sourceZone = source->zone();
+    ZoneGroup* sourceGroup = sourceZone->group();
+    sourceZone->deleteEmptyCompartment(source);
+    sourceGroup->deleteEmptyZone(sourceZone);
+    cx->runtime()->gc.deleteEmptyZoneGroup(sourceGroup);
+}
+
+void
+GCRuntime::deleteEmptyZoneGroup(ZoneGroup* group)
+{
+    MOZ_ASSERT(group->zones().empty());
+    MOZ_ASSERT(groups().length() > 1);
+    for (auto& i : groups()) {
+        if (i == group) {
+            groups().erase(&i);
+            js_delete(group);
+            return;
+        }
+    }
+    MOZ_CRASH("ZoneGroup not found");
 }
 
 void
 GCRuntime::runDebugGC()
 {
 #ifdef JS_GC_ZEAL
     if (TlsContext.get()->suppressGC)
         return;
--- a/js/src/vm/HelperThreads.cpp
+++ b/js/src/vm/HelperThreads.cpp
@@ -1593,19 +1593,20 @@ GlobalHelperThreadState::mergeParseTaskC
         JS::FinishIncrementalGC(cx, JS::gcreason::API);
 
     // After we call LeaveParseTaskZone() it's not safe to GC until we have
     // finished merging the contents of the parse task's compartment into the
     // destination compartment.
     JS::AutoAssertNoGC nogc(cx);
 
     LeaveParseTaskZone(cx->runtime(), parseTask);
-    AutoCompartment ac(cx, parseTask->parseGlobal);
 
     {
+        AutoCompartment ac(cx, parseTask->parseGlobal);
+
         // Generator functions don't have Function.prototype as prototype but a
         // different function object, so the IdentifyStandardPrototype trick
         // below won't work.  Just special-case it.
         GlobalObject* parseGlobal = &parseTask->parseGlobal->as<GlobalObject>();
         JSObject* parseTaskStarGenFunctionProto = parseGlobal->getStarGeneratorFunctionPrototype();
 
         // Module objects don't have standard prototypes either.
         JSObject* moduleProto = parseGlobal->maybeGetModulePrototype();
--- a/js/xpconnect/src/XPCShellImpl.cpp
+++ b/js/xpconnect/src/XPCShellImpl.cpp
@@ -30,18 +30,16 @@
 #include "BackstagePass.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIPrincipal.h"
 #include "nsJSUtils.h"
 #include "gfxPrefs.h"
 #include "nsIXULRuntime.h"
 #include "GeckoProfiler.h"
 
-#include "base/histogram.h"
-
 #ifdef ANDROID
 #include <android/log.h>
 #endif
 
 #ifdef XP_WIN
 #include "mozilla/widget/AudioSession.h"
 #include <windows.h>
 #if defined(MOZ_SANDBOX)
@@ -1220,21 +1218,16 @@ XRE_XPCShellMain(int argc, char** argv, 
     gErrFile = stderr;
     gOutFile = stdout;
     gInFile = stdin;
 
     NS_LogInit();
 
     mozilla::LogModule::Init();
 
-    // A initializer to initialize histogram collection
-    // used by telemetry.
-    auto telStats =
-       mozilla::MakeUnique<base::StatisticsRecorder>();
-
     char aLocal;
     profiler_init(&aLocal);
 
     if (PR_GetEnv("MOZ_CHAOSMODE")) {
         ChaosFeature feature = ChaosFeature::Any;
         long featureInt = strtol(PR_GetEnv("MOZ_CHAOSMODE"), nullptr, 16);
         if (featureInt) {
             // NOTE: MOZ_CHAOSMODE=0 or a non-hex value maps to Any feature.
@@ -1554,18 +1547,16 @@ XRE_XPCShellMain(int argc, char** argv, 
 
     if (!XRE_ShutdownTestShell())
         NS_ERROR("problem shutting down testshell");
 
     // no nsCOMPtrs are allowed to be alive when you call NS_ShutdownXPCOM
     rv = NS_ShutdownXPCOM( nullptr );
     MOZ_ASSERT(NS_SUCCEEDED(rv), "NS_ShutdownXPCOM failed");
 
-    telStats = nullptr;
-
 #ifdef MOZ_CRASHREPORTER
     // Shut down the crashreporter service to prevent leaking some strings it holds.
     if (CrashReporter::GetEnabled())
         CrashReporter::UnsetExceptionHandler();
 #endif
 
     // This must precede NS_LogTerm(), otherwise xpcshell return non-zero
     // during some tests, which causes failures.
--- a/layout/painting/nsCSSRendering.cpp
+++ b/layout/painting/nsCSSRendering.cpp
@@ -828,23 +828,22 @@ nsCSSRendering::PaintBorderWithStyleBord
     }
 
     // Creating the border image renderer will request a decode, and we rely on
     // that happening.
     Maybe<nsCSSBorderImageRenderer> renderer =
       nsCSSBorderImageRenderer::CreateBorderImageRenderer(aPresContext, aForFrame, aBorderArea,
                                                           aStyleBorder, aDirtyRect, aSkipSides,
                                                           irFlags, &result);
-    if (aStyleBorder.IsBorderImageLoaded()) {
-      if (renderer) {
-        result &= renderer->DrawBorderImage(aPresContext, aRenderingContext,
-                                            aForFrame, aDirtyRect);
-      }
-
-      return result;
+    // renderer was created successfully, which means border image is ready to
+    // be used.
+    if (renderer) {
+      MOZ_ASSERT(result == DrawResult::SUCCESS);
+      return renderer->DrawBorderImage(aPresContext, aRenderingContext,
+                                       aForFrame, aDirtyRect);
     }
   }
 
   DrawResult result = DrawResult::SUCCESS;
 
   // If we had a border-image, but it wasn't loaded, then we should return
   // DrawResult::NOT_READY; we'll want to try again if we do a paint with sync
   // decoding enabled.
--- a/modules/libpref/Preferences.cpp
+++ b/modules/libpref/Preferences.cpp
@@ -95,23 +95,29 @@ void
 Preferences::DirtyCallback()
 {
   if (!XRE_IsParentProcess()) {
     // TODO: this should really assert because you can't set prefs in a
     // content process. But so much code currently does this that we just
     // ignore it for now.
     return;
   }
-  if (gHashTable && sPreferences && !sPreferences->mDirty) {
+  if (!gHashTable || !sPreferences) {
+    return;
+  }
+  if (sPreferences->mProfileShutdown) {
+    NS_WARNING("Setting user pref after profile shutdown.");
+    return;
+  }
+  if (!sPreferences->mDirty) {
     sPreferences->mDirty = true;
 
-    NS_WARNING_ASSERTION(!sPreferences->mProfileShutdown,
-                         "Setting user pref after profile shutdown.");
-
-    if (sPreferences->AllowOffMainThreadSave() && !sPreferences->mSavePending) {
+    if (sPreferences->mCurrentFile &&
+        sPreferences->AllowOffMainThreadSave()
+        && !sPreferences->mSavePending) {
       sPreferences->mSavePending = true;
       static const int PREF_DELAY_MS = 500;
       NS_DelayedDispatchToCurrentThread(
         mozilla::NewRunnableMethod("Preferences::SavePrefFileAsynchronous",
                                    sPreferences,
                                    &Preferences::SavePrefFileAsynchronous),
         PREF_DELAY_MS);
     }
@@ -777,34 +783,40 @@ Preferences::Init()
 
   observerService->AddObserver(this, "load-extension-defaults", true);
   observerService->AddObserver(this, "suspend_process_notification", true);
 
   return(rv);
 }
 
 // static
-nsresult
-Preferences::ResetAndReadUserPrefs()
+void
+Preferences::InitializeUserPrefs()
 {
+  MOZ_ASSERT(!sPreferences->mCurrentFile, "Should only initialize prefs once");
+
+  // prefs which are set before we initialize the profile are silently discarded.
+  // This is stupid, but there are various tests which depend on this behavior.
   sPreferences->ResetUserPrefs();
 
-  MOZ_ASSERT(!sPreferences->mCurrentFile, "Should only initialize prefs once");
+  nsCOMPtr<nsIFile> prefsFile = sPreferences->ReadSavedPrefs();
+  sPreferences->ReadUserOverridePrefs();
 
-  nsresult rv = sPreferences->UseDefaultPrefFile();
-  sPreferences->UseUserPrefFile();
+  sPreferences->mDirty = false;
+
+  // Don't set mCurrentFile until we're done so that dirty flags work properly
+  sPreferences->mCurrentFile = prefsFile.forget();
 
   // Migrate the old prerelease telemetry pref
   if (!Preferences::GetBool(kOldTelemetryPref, true)) {
     Preferences::SetBool(kTelemetryPref, false);
     Preferences::ClearUser(kOldTelemetryPref);
   }
 
   sPreferences->NotifyServiceObservers(NS_PREFSERVICE_READ_TOPIC_ID);
-  return rv;
 }
 
 NS_IMETHODIMP
 Preferences::Observe(nsISupports *aSubject, const char *aTopic,
                      const char16_t *someData)
 {
   if (MOZ_UNLIKELY(!XRE_IsParentProcess())) {
     return NS_ERROR_NOT_AVAILABLE;
@@ -1077,46 +1089,44 @@ Preferences::NotifyServiceObservers(cons
     return NS_ERROR_FAILURE;
 
   nsISupports *subject = (nsISupports *)((nsIPrefService *)this);
   observerService->NotifyObservers(subject, aTopic, nullptr);
 
   return NS_OK;
 }
 
-nsresult
-Preferences::UseDefaultPrefFile()
+already_AddRefed<nsIFile>
+Preferences::ReadSavedPrefs()
 {
   nsCOMPtr<nsIFile> file;
   nsresult rv = NS_GetSpecialDirectory(NS_APP_PREFS_50_FILE,
                                        getter_AddRefs(file));
   if (NS_WARN_IF(NS_FAILED(rv))) {
-    return rv;
+    return nullptr;
   }
 
-  mCurrentFile = file;
-
   rv = openPrefFile(file);
   if (rv == NS_ERROR_FILE_NOT_FOUND) {
     // this is a normal case for new users
     Telemetry::ScalarSet(Telemetry::ScalarID::PREFERENCES_CREATED_NEW_USER_PREFS_FILE, true);
     rv = NS_OK;
   } else if (NS_FAILED(rv)) {
     // Save a backup copy of the current (invalid) prefs file, since all prefs
     // from the error line to the end of the file will be lost (bug 361102).
     // TODO we should notify the user about it (bug 523725).
     Telemetry::ScalarSet(Telemetry::ScalarID::PREFERENCES_PREFS_FILE_WAS_INVALID, true);
     MakeBackupPrefFile(file);
   }
 
-  return rv;
+  return file.forget();
 }
 
 void
-Preferences::UseUserPrefFile()
+Preferences::ReadUserOverridePrefs()
 {
   nsCOMPtr<nsIFile> aFile;
   nsresult rv = NS_GetSpecialDirectory(NS_APP_PREFS_50_DIR,
                                        getter_AddRefs(aFile));
   if (NS_WARN_IF(NS_FAILED(rv))) {
     return;
   }
 
--- a/modules/libpref/Preferences.h
+++ b/modules/libpref/Preferences.h
@@ -67,19 +67,19 @@ public:
   nsresult Init();
 
   /**
    * Returns true if the Preferences service is available, false otherwise.
    */
   static bool IsServiceAvailable();
 
   /**
-   * Reset loaded user prefs then read them
+   * Initialize user prefs from prefs.js/user.js
    */
-  static nsresult ResetAndReadUserPrefs();
+  static void InitializeUserPrefs();
 
   /**
    * Returns the singleton instance which is addreffed.
    */
   static Preferences* GetInstanceForService();
 
   /**
    * Finallizes global members.
@@ -431,23 +431,27 @@ public:
   nsresult SavePrefFileBlocking();
   nsresult SavePrefFileAsynchronous();
 
 protected:
   virtual ~Preferences();
 
   nsresult NotifyServiceObservers(const char *aSubject);
   /**
-   * Reads the default pref file or, if that failed, try to save a new one.
+   * Loads the prefs.js file from the profile, or creates a new one.
    *
-   * @return NS_OK if either action succeeded,
-   *         or the error code related to the read attempt.
+   * @return the prefs file if successful, or nullptr on failure.
    */
-  nsresult UseDefaultPrefFile();
-  void UseUserPrefFile();
+  already_AddRefed<nsIFile> ReadSavedPrefs();
+
+  /**
+   * Loads the user.js file from the profile if present.
+   */
+  void ReadUserOverridePrefs();
+
   nsresult MakeBackupPrefFile(nsIFile *aFile);
 
   // Default pref file save can be blocking or not.
   enum class SaveMethod {
     Blocking,
     Asynchronous
   };
 
--- a/netwerk/protocol/http/nsHttpConnectionMgr.cpp
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.cpp
@@ -784,18 +784,19 @@ nsHttpConnectionMgr::FindCoalescableConn
 
 void
 nsHttpConnectionMgr::UpdateCoalescingForNewConn(nsHttpConnection *newConn,
                                                 nsConnectionEntry *ent)
 {
     MOZ_ASSERT(OnSocketThread(), "not on socket thread");
     MOZ_ASSERT(newConn);
     MOZ_ASSERT(newConn->ConnectionInfo());
-    MOZ_ASSERT(ent);
+    MOZ_DIAGNOSTIC_ASSERT(ent);
     MOZ_ASSERT(mCT.GetWeak(newConn->ConnectionInfo()->HashKey()) == ent);
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
 
     nsHttpConnection *existingConn = FindCoalescableConnection(ent, true);
     if (existingConn) {
         LOG(("UpdateCoalescingForNewConn() found existing active conn that could have served newConn "
              "graceful close of newConn=%p to migrate to existingConn %p\n", newConn, existingConn));
         newConn->DontReuse();
         return;
     }
@@ -1248,16 +1249,17 @@ nsHttpConnectionMgr::AtActiveConnectionL
     bool result = (totalCount >= maxPersistConns);
     LOG(("AtActiveConnectionLimit result: %s", result ? "true" : "false"));
     return result;
 }
 
 void
 nsHttpConnectionMgr::ClosePersistentConnections(nsConnectionEntry *ent)
 {
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
     LOG(("nsHttpConnectionMgr::ClosePersistentConnections [ci=%s]\n",
          ent->mConnInfo->HashKey().get()));
     while (ent->mIdleConns.Length()) {
         RefPtr<nsHttpConnection> conn(ent->mIdleConns[0]);
         ent->mIdleConns.RemoveElementAt(0);
         mNumIdleConns--;
         conn->Close(NS_ERROR_ABORT);
     }
@@ -1656,16 +1658,17 @@ nsHttpConnectionMgr::TryDispatchTransact
     return NS_ERROR_NOT_AVAILABLE;                /* queue it */
 }
 
 nsresult
 nsHttpConnectionMgr::DispatchTransaction(nsConnectionEntry *ent,
                                          nsHttpTransaction *trans,
                                          nsHttpConnection *conn)
 {
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
     uint32_t caps = trans->Caps();
     int32_t priority = trans->Priority();
     nsresult rv;
 
     LOG(("nsHttpConnectionMgr::DispatchTransaction "
          "[ent-ci=%s %p trans=%p caps=%x conn=%p priority=%d]\n",
          ent->mConnInfo->HashKey().get(), ent, trans, caps, conn, priority));
 
@@ -1751,16 +1754,17 @@ NS_IMPL_ISUPPORTS0(ConnectionHandle)
 nsresult
 nsHttpConnectionMgr::DispatchAbstractTransaction(nsConnectionEntry *ent,
                                                  nsAHttpTransaction *aTrans,
                                                  uint32_t caps,
                                                  nsHttpConnection *conn,
                                                  int32_t priority)
 {
     MOZ_DIAGNOSTIC_ASSERT(ent);
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
     nsresult rv;
     MOZ_ASSERT(!conn->UsingSpdy(),
                "Spdy Must Not Use DispatchAbstractTransaction");
     LOG(("nsHttpConnectionMgr::DispatchAbstractTransaction "
          "[ci=%s trans=%p caps=%x conn=%p]\n",
          ent->mConnInfo->HashKey().get(), aTrans, caps, conn));
 
     RefPtr<nsAHttpTransaction> transaction(aTrans);
@@ -1899,16 +1903,17 @@ nsHttpConnectionMgr::ProcessNewTransacti
     return rv;
 }
 
 
 void
 nsHttpConnectionMgr::AddActiveConn(nsHttpConnection *conn,
                                    nsConnectionEntry *ent)
 {
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
     ent->mActiveConns.AppendElement(conn);
     mNumActiveConns++;
     ActivateTimeoutTick();
 }
 
 void
 nsHttpConnectionMgr::DecrementActiveConnCount(nsHttpConnection *conn)
 {
@@ -2086,17 +2091,18 @@ nsHttpConnectionMgr::OnMsgProcessAllSpdy
 }
 
 // Given a connection entry, return an active h2 connection
 // that can be directly activated or null
 nsHttpConnection *
 nsHttpConnectionMgr::GetSpdyActiveConn(nsConnectionEntry *ent)
 {
     MOZ_ASSERT(OnSocketThread(), "not on socket thread");
-    MOZ_ASSERT(ent);
+    MOZ_DIAGNOSTIC_ASSERT(ent);
+    CheckConnEntryMustBeInmCT(ent->mConnInfo);
 
     nsHttpConnection *experienced = nullptr;
     nsHttpConnection *noExperience = nullptr;
     uint32_t activeLen = ent->mActiveConns.Length();
     nsHttpConnectionInfo *ci = ent->mConnInfo;
     uint32_t index;
 
     // activeLen should generally be 1.. this is a setup race being resolved
@@ -2408,16 +2414,17 @@ nsHttpConnectionMgr::OnMsgCancelTransact
         // so we want to cancel any null transactions related to this connection
         // entry. They are just optimizations, but they aren't hooked up to
         // anything that might get canceled from the rest of gecko, so best
         // to assume that's what was meant by the cancel we did receive if
         // it only applied to something in the queue.
         for (uint32_t index = 0;
              ent && (index < ent->mActiveConns.Length());
              ++index) {
+            CheckConnEntryMustBeInmCT(ent->mConnInfo);
             nsHttpConnection *activeConn = ent->mActiveConns[index];
             nsAHttpTransaction *liveTransaction = activeConn->Transaction();
             if (liveTransaction && liveTransaction->IsNullTransaction()) {
                 LOG(("nsHttpConnectionMgr::OnMsgCancelTransaction [trans=%p] "
                      "also canceling Null Transaction %p on conn %p\n",
                      trans, liveTransaction, activeConn));
                 activeConn->CloseTransaction(liveTransaction, closeCode);
             }
@@ -4056,16 +4063,17 @@ NS_IMETHODIMP
 nsHttpConnectionMgr::
 nsHalfOpenSocket::OnOutputStreamReady(nsIAsyncOutputStream *out)
 {
     MOZ_ASSERT(OnSocketThread(), "not on socket thread");
     MOZ_DIAGNOSTIC_ASSERT(mStreamOut || mBackupStreamOut);
     MOZ_DIAGNOSTIC_ASSERT(out == mStreamOut || out == mBackupStreamOut,
                           "stream mismatch");
     MOZ_DIAGNOSTIC_ASSERT(mEnt);
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
 
     LOG(("nsHalfOpenSocket::OnOutputStreamReady [this=%p ent=%s %s]\n",
          this, mEnt->mConnInfo->Origin(),
          out == mStreamOut ? "primary" : "backup"));
 
     mEnt->mDoNotDestroy = true;
     gHttpHandler->ConnMgr()->RecvdConnect();
 
@@ -4114,32 +4122,36 @@ nsHalfOpenSocket::OnOutputStreamReady(ns
         if (mEnt->mUseFastOpen) {
             gHttpHandler->IncrementFastOpenConsecutiveFailureCounter();
             mEnt->mUseFastOpen = false;
         }
 
         mFastOpenInProgress = false;
         mConnectionNegotiatingFastOpen = nullptr;
     }
+
     MOZ_DIAGNOSTIC_ASSERT(mEnt);
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
     nsresult rv =  SetupConn(out, false);
     if (mEnt) {
         mEnt->mDoNotDestroy = false;
     }
     return rv;
 }
 
 bool
 nsHttpConnectionMgr::
 nsHalfOpenSocket::FastOpenEnabled()
 {
     LOG(("nsHalfOpenSocket::FastOpenEnabled [this=%p]\n", this));
 
     MOZ_DIAGNOSTIC_ASSERT(mEnt);
 
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
+
     if (!mEnt) {
         return false;
     }
 
     // If mEnt is present this HalfOpen must be in the mHalfOpens,
     // but we want to be sure!!!
     if (!mEnt->mHalfOpens.Contains(this)) {
         return false;
@@ -4182,36 +4194,39 @@ nsHalfOpenSocket::FastOpenEnabled()
 nsresult
 nsHttpConnectionMgr::
 nsHalfOpenSocket::StartFastOpen()
 {
     MOZ_DIAGNOSTIC_ASSERT(mStreamOut);
     MOZ_DIAGNOSTIC_ASSERT(!mBackupTransport);
     MOZ_DIAGNOSTIC_ASSERT(mEnt);
 
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
+
     LOG(("nsHalfOpenSocket::StartFastOpen [this=%p]\n",
          this));
 
     RefPtr<nsHalfOpenSocket> deleteProtector(this);
 
     mFastOpenInProgress = true;
+    mEnt->mDoNotDestroy = true;
     // Remove this HalfOpen from mEnt->mHalfOpens.
     // The new connection will take care of closing this HalfOpen from now on!
     if (!mEnt->mHalfOpens.RemoveElement(this)) {
         MOZ_ASSERT(false, "HalfOpen is not in mHalfOpens!");
         mSocketTransport->SetFastOpenCallback(nullptr);
         CancelBackupTimer();
         mStreamOut = nullptr;
         mStreamIn = nullptr;
         mSocketTransport = nullptr;
         mFastOpenInProgress = false;
         Abandon();
         return NS_ERROR_ABORT;
     }
-    mEnt->mDoNotDestroy = true;
+
     MOZ_ASSERT(gHttpHandler->ConnMgr()->mNumHalfOpenConns);
     if (gHttpHandler->ConnMgr()->mNumHalfOpenConns) { // just in case
         gHttpHandler->ConnMgr()->mNumHalfOpenConns--;
     }
 
     // Count this socketTransport as connected.
     gHttpHandler->ConnMgr()->RecvdConnect();
 
@@ -4238,16 +4253,19 @@ nsHalfOpenSocket::StartFastOpen()
         mFastOpenInProgress = false;
 
         // The connection is responsible to take care of the halfOpen so we
         // need to clean it up.
         Abandon();
     } else {
         LOG(("nsHalfOpenSocket::StartFastOpen [this=%p conn=%p]\n",
              this, mConnectionNegotiatingFastOpen.get()));
+
+        gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
+
         mEnt->mHalfOpenFastOpenBackups.AppendElement(this);
         // SetupBackupTimer should setup timer which will hold a ref to this
         // halfOpen. It will failed only if it cannot create timer. Anyway just
         // to be sure I will add this deleteProtector!!!
         if (!mSynTimer) {
             // For Fast Open we will setup backup timer also for
             // NullTransaction.
             // So maybe it is not set and we need to set it here.
@@ -4262,16 +4280,18 @@ nsHalfOpenSocket::StartFastOpen()
 
 void
 nsHttpConnectionMgr::
 nsHalfOpenSocket::SetFastOpenConnected(nsresult aError, bool aWillRetry)
 {
     MOZ_DIAGNOSTIC_ASSERT(mFastOpenInProgress);
     MOZ_DIAGNOSTIC_ASSERT(mEnt);
 
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
+
     LOG(("nsHalfOpenSocket::SetFastOpenConnected [this=%p conn=%p error=%x]\n",
          this, mConnectionNegotiatingFastOpen.get(),
          static_cast<uint32_t>(aError)));
 
     // mConnectionNegotiatingFastOpen is set after a StartFastOpen creates
     // and activates a nsHttpConnection successfully (SetupConn calls
     // DispatchTransaction and DispatchAbstractTransaction which calls
     // conn->Activate).
@@ -4322,16 +4342,17 @@ nsHalfOpenSocket::SetFastOpenConnected(n
             }
         }
         // We are doing a restart without fast open, so the easiest way is to
         // return mSocketTransport to the halfOpenSock and destroy connection.
         // This makes http2 implemenntation easier.
         // mConnectionNegotiatingFastOpen is going away and halfOpen is taking
         // this mSocketTransport so add halfOpen to mEnt and update
         // mNumActiveConns.
+        gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
         mEnt->mHalfOpens.AppendElement(this);
         gHttpHandler->ConnMgr()->mNumHalfOpenConns++;
         gHttpHandler->ConnMgr()->StartedConnect();
 
         // Restore callbacks.
         mStreamOut->AsyncWait(this, 0, 0, nullptr);
         mSocketTransport->SetEventSink(this, nullptr);
         mSocketTransport->SetSecurityCallbacks(this);
@@ -4380,16 +4401,18 @@ void
 nsHttpConnectionMgr::
 nsHalfOpenSocket::CancelFastOpenConnection()
 {
     MOZ_DIAGNOSTIC_ASSERT(mFastOpenInProgress);
 
     LOG(("nsHalfOpenSocket::CancelFastOpenConnection [this=%p conn=%p]\n",
          this, mConnectionNegotiatingFastOpen.get()));
 
+    gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
+
     RefPtr<nsHalfOpenSocket> deleteProtector(this);
     mEnt->mHalfOpenFastOpenBackups.RemoveElement(this);
     mSocketTransport->SetFastOpenCallback(nullptr);
     mConnectionNegotiatingFastOpen->SetFastOpen(false);
     RefPtr<nsAHttpTransaction> trans =
         mConnectionNegotiatingFastOpen->CloseConnectionFastOpenTakesTooLongOrError(true);
     mSocketTransport = nullptr;
     mStreamOut = nullptr;
@@ -4589,16 +4612,17 @@ nsHalfOpenSocket::SetupConn(nsIAsyncOutp
 
     // If this connection has a transaction get reference to its
     // ConnectionHandler.
     if (aFastOpen) {
         MOZ_DIAGNOSTIC_ASSERT(mEnt);
         MOZ_DIAGNOSTIC_ASSERT(static_cast<int32_t>(mEnt->mIdleConns.IndexOf(conn)) == -1);
         int32_t idx = mEnt->mActiveConns.IndexOf(conn);
         if (NS_SUCCEEDED(rv) && (idx != -1)) {
+            gHttpHandler->ConnMgr()->CheckConnEntryMustBeInmCT(mEnt->mConnInfo);
             mConnectionNegotiatingFastOpen = conn;
         } else {
             conn->SetFastOpen(false);
         }
     }
 
     // If this halfOpenConn was speculative, but at the ende the conn got a
     // non-null transaction than this halfOpen is not speculative anymore!
@@ -5148,10 +5172,22 @@ nsHttpConnectionMgr::MoveToWildCardConnE
         if (ent->mIdleConns[i] == proxyConn) {
             ent->mIdleConns.RemoveElementAt(i);
             wcEnt->mIdleConns.InsertElementAt(0, proxyConn);
             return;
         }
     }
 }
 
+void
+nsHttpConnectionMgr::CheckConnEntryMustBeInmCT(nsHttpConnectionInfo *ci)
+{
+    nsConnectionEntry *ent = mCT.GetWeak(ci->HashKey());
+    MOZ_DIAGNOSTIC_ASSERT(ent);
+    if (ent->mHowItWasRemoved == nsConnectionEntry::CONN_ENTRY_CLEAR_CONNECTION_HISTORY) {
+        MOZ_DIAGNOSTIC_ASSERT(false);
+    } else if (ent->mHowItWasRemoved == nsConnectionEntry::CONN_ENTRY_REMOVED_SHUTDOWN) {
+        MOZ_DIAGNOSTIC_ASSERT(false);
+    }
+}
+
 } // namespace net
 } // namespace mozilla
--- a/netwerk/protocol/http/nsHttpConnectionMgr.h
+++ b/netwerk/protocol/http/nsHttpConnectionMgr.h
@@ -742,16 +742,19 @@ private:
     // saves a lot of hashtable lookups
     bool mActiveTabTransactionsExist;
     bool mActiveTabUnthrottledTransactionsExist;
 
     void LogActiveTransactions(char);
 
     nsTArray<RefPtr<PendingTransactionInfo>>*
     GetTransactionPendingQHelper(nsConnectionEntry *ent, nsAHttpTransaction *trans);
+
+    // This is only a diagnostic check end it will e removed soon.
+    void CheckConnEntryMustBeInmCT(nsHttpConnectionInfo *ci);
 };
 
 NS_DEFINE_STATIC_IID_ACCESSOR(nsHttpConnectionMgr::nsHalfOpenSocket, NS_HALFOPENSOCKET_IID)
 
 } // namespace net
 } // namespace mozilla
 
 #endif // !nsHttpConnectionMgr_h__
--- a/security/nss/.gitignore
+++ b/security/nss/.gitignore
@@ -13,8 +13,9 @@ GPATH
 GRTAGS
 GTAGS
 #*
 .#*
 .ycm_extra_conf.py*
 fuzz/libFuzzer/*
 fuzz/corpus
 fuzz/out
+.chk
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-825e5d444e99
+f212be04f3d0
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -1,32 +1,33 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 set -e
 
 if [ $# -lt 3 ]; then
   echo "Usage: $0 <repo> <branch> <directory>" 1>&2
   exit 2
 fi
 
 REPO=$1
 COMMIT=$2
 DIR=$3
 
 echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
 if [ -f $DIR/.git-copy ]; then
   CURRENT=$(cat $DIR/.git-copy)
   if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+    # On the off chance that $COMMIT is a remote head.
     ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
   else
     ACTUAL=$COMMIT
   fi
-  if [ CURRENT = ACTUAL ]; then
+  if [ "$CURRENT" = "$ACTUAL" ]; then
     echo "Up to date."
+    exit
   fi
 fi
 
-mkdir -p $DIR
-git -C $DIR init -q
+git init -q $DIR
 git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
 git -C $DIR reset --hard git-copy-tmp
-git -C $DIR show-ref HEAD | cut -c 1-40 - > $DIR/.git-copy
+git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
 rm -rf $DIR/.git
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -221,17 +221,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \006\003\125\004\003\023\022\107\154\157\142\141\154\123\151\147
 \156\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\025\113\132\303\224
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA - R2"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
 # Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
@@ -354,17 +354,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
 \004\003\023\012\107\154\157\142\141\154\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\017\206\046\346\015
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 #
 # Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
 # Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -849,17 +849,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\233\176\006\111\243\076\142\271\325\356\220\110\161
 \051\357\127
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
 # Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
 # Not Valid Before: Sun May 18 00:00:00 2008
 # Not Valid After : Thu May 17 23:59:59 2018
@@ -1122,17 +1122,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 \040\050\062\060\064\070\051
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\070\143\336\370
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Baltimore CyberTrust Root"
 #
 # Issuer: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
 # Serial Number: 33554617 (0x20000b9)
 # Subject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
@@ -1397,17 +1397,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
 \167\157\162\153\061\041\060\037\006\003\125\004\003\023\030\101
 \144\144\124\162\165\163\164\040\103\154\141\163\163\040\061\040
 \103\101\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AddTrust External Root"
 #
 # Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
@@ -1549,308 +1549,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\105\170\164\145\162\156\141\154\040\103\101\040\122\157\157
 \164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Public Services Root"
-#
-# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:41:50 2000
-# Not Valid After : Sat May 30 10:41:50 2020
-# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
-# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\025\060\202\002\375\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101\144
-\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103\101
-\040\122\157\157\164\060\036\027\015\060\060\060\065\063\060\061
-\060\064\061\065\060\132\027\015\062\060\060\065\063\060\061\060
-\064\061\065\060\132\060\144\061\013\060\011\006\003\125\004\006
-\023\002\123\105\061\024\060\022\006\003\125\004\012\023\013\101
-\144\144\124\162\165\163\164\040\101\102\061\035\060\033\006\003
-\125\004\013\023\024\101\144\144\124\162\165\163\164\040\124\124
-\120\040\116\145\164\167\157\162\153\061\040\060\036\006\003\125
-\004\003\023\027\101\144\144\124\162\165\163\164\040\120\165\142
-\154\151\143\040\103\101\040\122\157\157\164\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\351\032\060\217
-\203\210\024\301\040\330\074\233\217\033\176\003\164\273\332\151
-\323\106\245\370\216\302\014\021\220\121\245\057\146\124\100\125
-\352\333\037\112\126\356\237\043\156\364\071\313\241\271\157\362
-\176\371\135\207\046\141\236\034\370\342\354\246\201\370\041\305
-\044\314\021\014\077\333\046\162\172\307\001\227\007\027\371\327
-\030\054\060\175\016\172\036\142\036\306\113\300\375\175\142\167
-\323\104\036\047\366\077\113\104\263\267\070\331\071\037\140\325
-\121\222\163\003\264\000\151\343\363\024\116\356\321\334\011\317
-\167\064\106\120\260\370\021\362\376\070\171\367\007\071\376\121
-\222\227\013\133\010\137\064\206\001\255\210\227\353\146\315\136
-\321\377\334\175\362\204\332\272\167\255\334\200\010\307\247\207
-\326\125\237\227\152\350\310\021\144\272\347\031\051\077\021\263
-\170\220\204\040\122\133\021\357\170\320\203\366\325\110\220\320
-\060\034\317\200\371\140\376\171\344\210\362\335\000\353\224\105
-\353\145\224\151\100\272\300\325\264\270\272\175\004\021\250\353
-\061\005\226\224\116\130\041\216\237\320\140\375\002\003\001\000
-\001\243\201\321\060\201\316\060\035\006\003\125\035\016\004\026
-\004\024\201\076\067\330\222\260\037\167\237\134\264\253\163\252
-\347\366\064\140\057\372\060\013\006\003\125\035\017\004\004\003
-\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060
-\003\001\001\377\060\201\216\006\003\125\035\043\004\201\206\060
-\201\203\200\024\201\076\067\330\222\260\037\167\237\134\264\253
-\163\252\347\366\064\140\057\372\241\150\244\146\060\144\061\013
-\060\011\006\003\125\004\006\023\002\123\105\061\024\060\022\006
-\003\125\004\012\023\013\101\144\144\124\162\165\163\164\040\101
-\102\061\035\060\033\006\003\125\004\013\023\024\101\144\144\124
-\162\165\163\164\040\124\124\120\040\116\145\164\167\157\162\153
-\061\040\060\036\006\003\125\004\003\023\027\101\144\144\124\162
-\165\163\164\040\120\165\142\154\151\143\040\103\101\040\122\157
-\157\164\202\001\001\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\003\367\025\112\370\044\332
-\043\126\026\223\166\335\066\050\271\256\033\270\303\361\144\272
-\040\030\170\225\051\047\127\005\274\174\052\364\271\121\125\332
-\207\002\336\017\026\027\061\370\252\171\056\011\023\273\257\262
-\040\031\022\345\223\371\113\371\203\350\104\325\262\101\045\277
-\210\165\157\377\020\374\112\124\320\137\360\372\357\066\163\175
-\033\066\105\306\041\155\264\025\270\116\317\234\134\245\075\132
-\000\216\006\343\074\153\062\173\362\237\360\266\375\337\360\050
-\030\110\360\306\274\320\277\064\200\226\302\112\261\155\216\307
-\220\105\336\057\147\254\105\004\243\172\334\125\222\311\107\146
-\330\032\214\307\355\234\116\232\340\022\273\265\152\114\204\341
-\341\042\015\207\000\144\376\214\175\142\071\145\246\357\102\266
-\200\045\022\141\001\250\044\023\160\000\021\046\137\372\065\120
-\305\110\314\006\107\350\047\330\160\215\137\144\346\241\104\046
-\136\042\354\222\315\377\102\232\104\041\155\134\305\343\042\035
-\137\107\022\347\316\137\135\372\330\252\261\063\055\331\166\362
-\116\072\063\014\053\263\055\220\006
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AddTrust Public Services Root"
-# Issuer: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Public CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:41:50 2000
-# Not Valid After : Sat May 30 10:41:50 2020
-# Fingerprint (MD5): C1:62:3E:23:C5:82:73:9C:03:59:4B:2B:E9:77:49:7F
-# Fingerprint (SHA1): 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Public Services Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\052\266\050\110\136\170\373\363\255\236\171\020\335\153\337\231
-\162\054\226\345
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\301\142\076\043\305\202\163\234\003\131\113\053\351\167\111\177
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\040\060\036\006\003\125\004\003\023\027\101
-\144\144\124\162\165\163\164\040\120\165\142\154\151\143\040\103
-\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "AddTrust Qualified Certificates Root"
-#
-# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:44:50 2000
-# Not Valid After : Sat May 30 10:44:50 2020
-# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
-# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\036\060\202\003\006\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061\024
-\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
-\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
-\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101\144
-\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145\144
-\040\103\101\040\122\157\157\164\060\036\027\015\060\060\060\065
-\063\060\061\060\064\064\065\060\132\027\015\062\060\060\065\063
-\060\061\060\064\064\065\060\132\060\147\061\013\060\011\006\003
-\125\004\006\023\002\123\105\061\024\060\022\006\003\125\004\012
-\023\013\101\144\144\124\162\165\163\164\040\101\102\061\035\060
-\033\006\003\125\004\013\023\024\101\144\144\124\162\165\163\164
-\040\124\124\120\040\116\145\164\167\157\162\153\061\043\060\041
-\006\003\125\004\003\023\032\101\144\144\124\162\165\163\164\040
-\121\165\141\154\151\146\151\145\144\040\103\101\040\122\157\157
-\164\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\344\036\232\376\334\011\132\207\244\237\107\276\021\137
-\257\204\064\333\142\074\171\170\267\351\060\265\354\014\034\052
-\304\026\377\340\354\161\353\212\365\021\156\355\117\015\221\322
-\022\030\055\111\025\001\302\244\042\023\307\021\144\377\042\022
-\232\271\216\134\057\010\317\161\152\263\147\001\131\361\135\106
-\363\260\170\245\366\016\102\172\343\177\033\314\320\360\267\050
-\375\052\352\236\263\260\271\004\252\375\366\307\264\261\270\052
-\240\373\130\361\031\240\157\160\045\176\076\151\112\177\017\042
-\330\357\255\010\021\232\051\231\341\252\104\105\232\022\136\076
-\235\155\122\374\347\240\075\150\057\360\113\160\174\023\070\255
-\274\025\045\361\326\316\253\242\300\061\326\057\237\340\377\024
-\131\374\204\223\331\207\174\114\124\023\353\237\321\055\021\370
-\030\072\072\336\045\331\367\323\100\355\244\006\022\304\073\341
-\221\301\126\065\360\024\334\145\066\011\156\253\244\007\307\065
-\321\302\003\063\066\133\165\046\155\102\361\022\153\103\157\113
-\161\224\372\064\035\355\023\156\312\200\177\230\057\154\271\145
-\330\351\002\003\001\000\001\243\201\324\060\201\321\060\035\006
-\003\125\035\016\004\026\004\024\071\225\213\142\213\134\311\324
-\200\272\130\017\227\077\025\010\103\314\230\247\060\013\006\003
-\125\035\017\004\004\003\002\001\006\060\017\006\003\125\035\023
-\001\001\377\004\005\060\003\001\001\377\060\201\221\006\003\125
-\035\043\004\201\211\060\201\206\200\024\071\225\213\142\213\134
-\311\324\200\272\130\017\227\077\025\010\103\314\230\247\241\153
-\244\151\060\147\061\013\060\011\006\003\125\004\006\023\002\123
-\105\061\024\060\022\006\003\125\004\012\023\013\101\144\144\124
-\162\165\163\164\040\101\102\061\035\060\033\006\003\125\004\013
-\023\024\101\144\144\124\162\165\163\164\040\124\124\120\040\116
-\145\164\167\157\162\153\061\043\060\041\006\003\125\004\003\023
-\032\101\144\144\124\162\165\163\164\040\121\165\141\154\151\146
-\151\145\144\040\103\101\040\122\157\157\164\202\001\001\060\015
-\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001
-\001\000\031\253\165\352\370\213\145\141\225\023\272\151\004\357
-\206\312\023\240\307\252\117\144\033\077\030\366\250\055\054\125
-\217\005\267\060\352\102\152\035\300\045\121\055\247\277\014\263
-\355\357\010\177\154\074\106\032\352\030\103\337\166\314\371\146
-\206\234\054\150\365\351\027\370\061\263\030\304\326\110\175\043
-\114\150\301\176\273\001\024\157\305\331\156\336\273\004\102\152
-\370\366\134\175\345\332\372\207\353\015\065\122\147\320\236\227
-\166\005\223\077\225\307\001\346\151\125\070\177\020\141\231\311
-\343\137\246\312\076\202\143\110\252\342\010\110\076\252\362\262
-\205\142\246\264\247\331\275\067\234\150\265\055\126\175\260\267
-\077\240\261\007\326\351\117\334\336\105\161\060\062\177\033\056
-\011\371\277\122\241\356\302\200\076\006\134\056\125\100\301\033
-\365\160\105\260\334\135\372\366\162\132\167\322\143\315\317\130
-\211\000\102\143\077\171\071\320\104\260\202\156\101\031\350\335
-\340\301\210\132\321\036\161\223\037\044\060\164\345\036\250\336
-\074\047\067\177\203\256\236\167\317\360\060\261\377\113\231\350
-\306\241
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "AddTrust Qualified Certificates Root"
-# Issuer: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Serial Number: 1 (0x1)
-# Subject: CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
-# Not Valid Before: Tue May 30 10:44:50 2000
-# Not Valid After : Sat May 30 10:44:50 2020
-# Fingerprint (MD5): 27:EC:39:47:CD:DA:5A:AF:E2:9A:01:65:21:A9:4C:BB
-# Fingerprint (SHA1): 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "AddTrust Qualified Certificates Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\115\043\170\354\221\225\071\265\000\177\165\217\003\073\041\036
-\305\115\213\317
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\047\354\071\107\315\332\132\257\342\232\001\145\041\251\114\273
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\123\105\061
-\024\060\022\006\003\125\004\012\023\013\101\144\144\124\162\165
-\163\164\040\101\102\061\035\060\033\006\003\125\004\013\023\024
-\101\144\144\124\162\165\163\164\040\124\124\120\040\116\145\164
-\167\157\162\153\061\043\060\041\006\003\125\004\003\023\032\101
-\144\144\124\162\165\163\164\040\121\165\141\154\151\146\151\145
-\144\040\103\101\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Entrust Root Certification Authority"
 #
 # Issuer: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
 # Serial Number: 1164660820 (0x456b5054)
 # Subject: CN=Entrust Root Certification Authority,OU="(c) 2006 Entrust, Inc.",OU=www.entrust.net/CPS is incorporated by reference,O="Entrust, Inc.",C=US
@@ -2135,145 +1844,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\022\107\145\157\124\162\165\163\164\040\107\154\157\142\141
 \154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\002\064\126
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "GeoTrust Global CA 2"
-#
-# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Not Valid Before: Thu Mar 04 05:00:00 2004
-# Not Valid After : Mon Mar 04 05:00:00 2019
-# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
-# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\146\060\202\002\116\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061\026
-\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165\163
-\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003\023
-\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141\154
-\040\103\101\040\062\060\036\027\015\060\064\060\063\060\064\060
-\065\060\060\060\060\132\027\015\061\071\060\063\060\064\060\065
-\060\060\060\060\132\060\104\061\013\060\011\006\003\125\004\006
-\023\002\125\123\061\026\060\024\006\003\125\004\012\023\015\107
-\145\157\124\162\165\163\164\040\111\156\143\056\061\035\060\033
-\006\003\125\004\003\023\024\107\145\157\124\162\165\163\164\040
-\107\154\157\142\141\154\040\103\101\040\062\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\357\074\115\100
-\075\020\337\073\123\000\341\147\376\224\140\025\076\205\210\361
-\211\015\220\310\050\043\231\005\350\053\040\235\306\363\140\106
-\330\301\262\325\214\061\331\334\040\171\044\201\277\065\062\374
-\143\151\333\261\052\153\356\041\130\362\010\351\170\313\157\313
-\374\026\122\310\221\304\377\075\163\336\261\076\247\302\175\146
-\301\365\176\122\044\032\342\325\147\221\320\202\020\327\170\113
-\117\053\102\071\275\144\055\100\240\260\020\323\070\110\106\210
-\241\014\273\072\063\052\142\230\373\000\235\023\131\177\157\073
-\162\252\356\246\017\206\371\005\141\352\147\177\014\067\226\213
-\346\151\026\107\021\302\047\131\003\263\246\140\302\041\100\126
-\372\240\307\175\072\023\343\354\127\307\263\326\256\235\211\200
-\367\001\347\054\366\226\053\023\015\171\054\331\300\344\206\173
-\113\214\014\162\202\212\373\027\315\000\154\072\023\074\260\204
-\207\113\026\172\051\262\117\333\035\324\013\363\146\067\275\330
-\366\127\273\136\044\172\270\074\213\271\372\222\032\032\204\236
-\330\164\217\252\033\177\136\364\376\105\042\041\002\003\001\000
-\001\243\143\060\141\060\017\006\003\125\035\023\001\001\377\004
-\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004
-\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251\020
-\025\130\040\005\011\060\037\006\003\125\035\043\004\030\060\026
-\200\024\161\070\066\362\002\061\123\107\053\156\272\145\106\251
-\020\025\130\040\005\011\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\003\367\265\053\253\135
-\020\374\173\262\262\136\254\233\016\176\123\170\131\076\102\004
-\376\165\243\255\254\201\116\327\002\213\136\304\055\310\122\166
-\307\054\037\374\201\062\230\321\113\306\222\223\063\065\061\057
-\374\330\035\104\335\340\201\177\235\351\213\341\144\221\142\013
-\071\010\214\254\164\235\131\331\172\131\122\227\021\271\026\173
-\157\105\323\226\331\061\175\002\066\017\234\073\156\317\054\015
-\003\106\105\353\240\364\177\110\104\306\010\100\314\336\033\160
-\265\051\255\272\213\073\064\145\165\033\161\041\035\054\024\012
-\260\226\225\270\326\352\362\145\373\051\272\117\352\221\223\164
-\151\266\362\377\341\032\320\014\321\166\205\313\212\045\275\227
-\136\054\157\025\231\046\347\266\051\377\042\354\311\002\307\126
-\000\315\111\271\263\154\173\123\004\032\342\250\311\252\022\005
-\043\302\316\347\273\004\002\314\300\107\242\344\304\051\057\133
-\105\127\211\121\356\074\353\122\010\377\007\065\036\237\065\152
-\107\112\126\230\321\132\205\037\214\365\042\277\253\316\203\363
-\342\042\051\256\175\203\100\250\272\154
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "GeoTrust Global CA 2"
-# Issuer: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Serial Number: 1 (0x1)
-# Subject: CN=GeoTrust Global CA 2,O=GeoTrust Inc.,C=US
-# Not Valid Before: Thu Mar 04 05:00:00 2004
-# Not Valid After : Mon Mar 04 05:00:00 2019
-# Fingerprint (MD5): 0E:40:A7:6C:DE:03:5D:8F:D1:0F:E4:D1:8D:F9:6C:A9
-# Fingerprint (SHA1): A9:E9:78:08:14:37:58:88:F2:05:19:B0:6D:2B:0D:2B:60:16:90:7D
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GeoTrust Global CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\251\351\170\010\024\067\130\210\362\005\031\260\155\053\015\053
-\140\026\220\175
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\016\100\247\154\336\003\135\217\321\017\344\321\215\371\154\251
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\104\061\013\060\011\006\003\125\004\006\023\002\125\123\061
-\026\060\024\006\003\125\004\012\023\015\107\145\157\124\162\165
-\163\164\040\111\156\143\056\061\035\060\033\006\003\125\004\003
-\023\024\107\145\157\124\162\165\163\164\040\107\154\157\142\141
-\154\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Universal CA"
 #
 # Issuer: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA,O=GeoTrust Inc.,C=US
@@ -2423,17 +2004,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\025\107\145\157\124\162\165\163\164\040\125\156\151\166\145
 \162\163\141\154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Universal CA 2"
 #
 # Issuer: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=GeoTrust Universal CA 2,O=GeoTrust Inc.,C=US
@@ -2583,17 +2164,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \023\027\107\145\157\124\162\165\163\164\040\125\156\151\166\145
 \162\163\141\154\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Visa eCommerce Root"
 #
 # Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
 # Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
 # Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
@@ -2723,17 +2304,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\157\155\155\145\162\143\145\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
 \034\142
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certum Root CA"
 #
 # Issuer: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
 # Serial Number: 65568 (0x10020)
 # Subject: CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
@@ -2842,17 +2423,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\040\123\160\056\040\172\040\157\056\157\056\061\022\060\020
 \006\003\125\004\003\023\011\103\145\162\164\165\155\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\001\000\040
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Comodo AAA Services root"
 #
 # Issuer: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number: 1 (0x1)
 # Subject: CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -2992,322 +2573,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\014\030\101\101\101\040\103\145\162\164\151\146\151
 \143\141\164\145\040\123\145\162\166\151\143\145\163
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Secure Services root"
-#
-# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
-# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\077\060\202\003\047\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060\132
-\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132\060
-\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003\125
-\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164\151
-\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163\060
-\202\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001
-\005\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000
-\300\161\063\202\212\320\160\353\163\207\202\100\325\035\344\313
-\311\016\102\220\371\336\064\271\241\272\021\364\045\205\363\314
-\162\155\362\173\227\153\263\007\361\167\044\221\137\045\217\366
-\164\075\344\200\302\370\074\015\363\277\100\352\367\310\122\321
-\162\157\357\310\253\101\270\156\056\027\052\225\151\014\315\322
-\036\224\173\055\224\035\252\165\327\263\230\313\254\274\144\123
-\100\274\217\254\254\066\313\134\255\273\335\340\224\027\354\321
-\134\320\277\357\245\225\311\220\305\260\254\373\033\103\337\172
-\010\135\267\270\362\100\033\053\047\236\120\316\136\145\202\210
-\214\136\323\116\014\172\352\010\221\266\066\252\053\102\373\352
-\302\243\071\345\333\046\070\255\213\012\356\031\143\307\034\044
-\337\003\170\332\346\352\301\107\032\013\013\106\011\335\002\374
-\336\313\207\137\327\060\143\150\241\256\334\062\241\272\276\376
-\104\253\150\266\245\027\025\375\275\325\247\247\232\344\104\063
-\351\210\216\374\355\121\353\223\161\116\255\001\347\104\216\253
-\055\313\250\376\001\111\110\360\300\335\307\150\330\222\376\075
-\002\003\001\000\001\243\201\307\060\201\304\060\035\006\003\125
-\035\016\004\026\004\024\074\330\223\210\302\300\202\011\314\001
-\231\006\223\040\351\236\160\011\143\117\060\016\006\003\125\035
-\017\001\001\377\004\004\003\002\001\006\060\017\006\003\125\035
-\023\001\001\377\004\005\060\003\001\001\377\060\201\201\006\003
-\125\035\037\004\172\060\170\060\073\240\071\240\067\206\065\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\143\141\056\143\157\155\057\123\145\143\165\162\145\103\145\162
-\164\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163
-\056\143\162\154\060\071\240\067\240\065\206\063\150\164\164\160
-\072\057\057\143\162\154\056\143\157\155\157\144\157\056\156\145
-\164\057\123\145\143\165\162\145\103\145\162\164\151\146\151\143
-\141\164\145\123\145\162\166\151\143\145\163\056\143\162\154\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202
-\001\001\000\207\001\155\043\035\176\133\027\175\301\141\062\317
-\217\347\363\212\224\131\146\340\236\050\250\136\323\267\364\064
-\346\252\071\262\227\026\305\202\157\062\244\351\214\347\257\375
-\357\302\350\271\113\252\243\364\346\332\215\145\041\373\272\200
-\353\046\050\205\032\376\071\214\336\133\004\004\264\124\371\243
-\147\236\101\372\011\122\314\005\110\250\311\077\041\004\036\316
-\110\153\374\205\350\302\173\257\177\267\314\370\137\072\375\065
-\306\015\357\227\334\114\253\021\341\153\313\061\321\154\373\110
-\200\253\334\234\067\270\041\024\113\015\161\075\354\203\063\156
-\321\156\062\026\354\230\307\026\213\131\246\064\253\005\127\055
-\223\367\252\023\313\322\023\342\267\056\073\315\153\120\027\011
-\150\076\265\046\127\356\266\340\266\335\271\051\200\171\175\217
-\243\360\244\050\244\025\304\205\364\047\324\153\277\345\134\344
-\145\002\166\124\264\343\067\146\044\323\031\141\310\122\020\345
-\213\067\232\271\251\371\035\277\352\231\222\141\226\377\001\315
-\241\137\015\274\161\274\016\254\013\035\107\105\035\301\354\174
-\354\375\051
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Comodo Secure Services root"
-# Issuer: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Secure Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): D3:D9:BD:AE:9F:AC:67:24:B3:C8:1B:52:E1:B9:A9:BD
-# Fingerprint (SHA1): 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Secure Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\112\145\325\364\035\357\071\270\270\220\112\112\323\144\201\063
-\317\307\241\321
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\323\331\275\256\237\254\147\044\263\310\033\122\341\271\251\275
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\176\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\044\060\042\006\003
-\125\004\003\014\033\123\145\143\165\162\145\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Comodo Trusted Services root"
-#
-# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
-# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\103\060\202\003\053\240\003\002\001\002\002\001\001
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061\033
-\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145\162
-\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016\006
-\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032\060
-\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040\103
-\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003\125
-\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162\164
-\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145\163
-\060\036\027\015\060\064\060\061\060\061\060\060\060\060\060\060
-\132\027\015\062\070\061\062\063\061\062\063\065\071\065\071\132
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163\060\202\001\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202\001
-\001\000\337\161\157\066\130\123\132\362\066\124\127\200\304\164
-\010\040\355\030\177\052\035\346\065\232\036\045\254\234\345\226
-\176\162\122\240\025\102\333\131\335\144\172\032\320\270\173\335
-\071\025\274\125\110\304\355\072\000\352\061\021\272\362\161\164
-\032\147\270\317\063\314\250\061\257\243\343\327\177\277\063\055
-\114\152\074\354\213\303\222\322\123\167\044\164\234\007\156\160
-\374\275\013\133\166\272\137\362\377\327\067\113\112\140\170\367
-\360\372\312\160\264\352\131\252\243\316\110\057\251\303\262\013
-\176\027\162\026\014\246\007\014\033\070\317\311\142\267\077\240
-\223\245\207\101\362\267\160\100\167\330\276\024\174\343\250\300
-\172\216\351\143\152\321\017\232\306\322\364\213\072\024\004\126
-\324\355\270\314\156\365\373\342\054\130\275\177\117\153\053\367
-\140\044\130\044\316\046\357\064\221\072\325\343\201\320\262\360
-\004\002\327\133\267\076\222\254\153\022\212\371\344\005\260\073
-\221\111\134\262\353\123\352\370\237\107\206\356\277\225\300\300
-\006\237\322\133\136\021\033\364\307\004\065\051\322\125\134\344
-\355\353\002\003\001\000\001\243\201\311\060\201\306\060\035\006
-\003\125\035\016\004\026\004\024\305\173\130\275\355\332\045\151
-\322\367\131\026\250\263\062\300\173\047\133\364\060\016\006\003
-\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
-\125\035\023\001\001\377\004\005\060\003\001\001\377\060\201\203
-\006\003\125\035\037\004\174\060\172\060\074\240\072\240\070\206
-\066\150\164\164\160\072\057\057\143\162\154\056\143\157\155\157
-\144\157\143\141\056\143\157\155\057\124\162\165\163\164\145\144
-\103\145\162\164\151\146\151\143\141\164\145\123\145\162\166\151
-\143\145\163\056\143\162\154\060\072\240\070\240\066\206\064\150
-\164\164\160\072\057\057\143\162\154\056\143\157\155\157\144\157
-\056\156\145\164\057\124\162\165\163\164\145\144\103\145\162\164
-\151\146\151\143\141\164\145\123\145\162\166\151\143\145\163\056
-\143\162\154\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\003\202\001\001\000\310\223\201\073\211\264\257\270\204
-\022\114\215\322\360\333\160\272\127\206\025\064\020\271\057\177
-\036\260\250\211\140\241\212\302\167\014\120\112\233\000\213\330
-\213\364\101\342\320\203\212\112\034\024\006\260\243\150\005\160
-\061\060\247\123\233\016\351\112\240\130\151\147\016\256\235\366
-\245\054\101\277\074\006\153\344\131\314\155\020\361\226\157\037
-\337\364\004\002\244\237\105\076\310\330\372\066\106\104\120\077
-\202\227\221\037\050\333\030\021\214\052\344\145\203\127\022\022
-\214\027\077\224\066\376\135\260\300\004\167\023\270\364\025\325
-\077\070\314\224\072\125\320\254\230\365\272\000\137\340\206\031
-\201\170\057\050\300\176\323\314\102\012\365\256\120\240\321\076
-\306\241\161\354\077\240\040\214\146\072\211\264\216\324\330\261
-\115\045\107\356\057\210\310\265\341\005\105\300\276\024\161\336
-\172\375\216\173\175\115\010\226\245\022\163\360\055\312\067\047
-\164\022\047\114\313\266\227\351\331\256\010\155\132\071\100\335
-\005\107\165\152\132\041\263\243\030\317\116\367\056\127\267\230
-\160\136\310\304\170\260\142
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Comodo Trusted Services root"
-# Issuer: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Serial Number: 1 (0x1)
-# Subject: CN=Trusted Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
-# Not Valid Before: Thu Jan 01 00:00:00 2004
-# Not Valid After : Sun Dec 31 23:59:59 2028
-# Fingerprint (MD5): 91:1B:3F:6E:CD:9E:AB:EE:07:FE:1F:71:D2:B3:61:27
-# Fingerprint (SHA1): E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Comodo Trusted Services root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\237\343\016\213\204\140\236\200\233\027\015\162\250\305\272
-\156\024\011\275
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\221\033\077\156\315\236\253\356\007\376\037\161\322\263\141\047
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\177\061\013\060\011\006\003\125\004\006\023\002\107\102\061
-\033\060\031\006\003\125\004\010\014\022\107\162\145\141\164\145
-\162\040\115\141\156\143\150\145\163\164\145\162\061\020\060\016
-\006\003\125\004\007\014\007\123\141\154\146\157\162\144\061\032
-\060\030\006\003\125\004\012\014\021\103\157\155\157\144\157\040
-\103\101\040\114\151\155\151\164\145\144\061\045\060\043\006\003
-\125\004\003\014\034\124\162\165\163\164\145\144\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\001\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA"
 #
 # Issuer: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
 # Serial Number: 985026699 (0x3ab6508b)
 # Subject: CN=QuoVadis Root Certification Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM
@@ -3476,17 +2752,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\072\266\120\213
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 2"
 #
 # Issuer: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
 # Serial Number: 1289 (0x509)
 # Subject: CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
@@ -3641,17 +2917,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157
 \157\164\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\011
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 3"
 #
 # Issuer: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
 # Serial Number: 1478 (0x5c6)
 # Subject: CN=QuoVadis Root CA 3,O=QuoVadis Limited,C=BM
@@ -3821,17 +3097,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \125\004\003\023\022\121\165\157\126\141\144\151\163\040\122\157
 \157\164\040\103\101\040\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\005\306
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Security Communication Root CA"
 #
 # Issuer: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
 # Serial Number: 0 (0x0)
 # Subject: OU=Security Communication RootCA1,O=SECOM Trust.net,C=JP
@@ -3951,17 +3227,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\165\156\151\143\141\164\151\157\156\040\122\157\157\164\103
 \101\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Sonera Class 2 Root CA"
 #
 # Issuer: CN=Sonera Class2 CA,O=Sonera,C=FI
 # Serial Number: 29 (0x1d)
 # Subject: CN=Sonera Class2 CA,O=Sonera,C=FI
@@ -4247,339 +3523,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \311\211
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "UTN USERFirst Hardware Root CA"
-#
-# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:10:42 1999
-# Not Valid After : Tue Jul 09 18:19:22 2019
-# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
-# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\164\060\202\003\134\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\052\376\145\012\375\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\227\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\037\060\035\006\003\125\004\003
-\023\026\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\110\141\162\144\167\141\162\145\060\036\027\015\071\071\060\067
-\060\071\061\070\061\060\064\062\132\027\015\061\071\060\067\060
-\071\061\070\061\071\062\062\132\060\201\227\061\013\060\011\006
-\003\125\004\006\023\002\125\123\061\013\060\011\006\003\125\004
-\010\023\002\125\124\061\027\060\025\006\003\125\004\007\023\016
-\123\141\154\164\040\114\141\153\145\040\103\151\164\171\061\036
-\060\034\006\003\125\004\012\023\025\124\150\145\040\125\123\105
-\122\124\122\125\123\124\040\116\145\164\167\157\162\153\061\041
-\060\037\006\003\125\004\013\023\030\150\164\164\160\072\057\057
-\167\167\167\056\165\163\145\162\164\162\165\163\164\056\143\157
-\155\061\037\060\035\006\003\125\004\003\023\026\125\124\116\055
-\125\123\105\122\106\151\162\163\164\055\110\141\162\144\167\141
-\162\145\060\202\001\042\060\015\006\011\052\206\110\206\367\015
-\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002\202
-\001\001\000\261\367\303\070\077\264\250\177\317\071\202\121\147
-\320\155\237\322\377\130\363\347\237\053\354\015\211\124\231\271
-\070\231\026\367\340\041\171\110\302\273\141\164\022\226\035\074
-\152\162\325\074\020\147\072\071\355\053\023\315\146\353\225\011
-\063\244\154\227\261\350\306\354\301\165\171\234\106\136\215\253
-\320\152\375\271\052\125\027\020\124\263\031\360\232\366\361\261
-\135\266\247\155\373\340\161\027\153\242\210\373\000\337\376\032
-\061\167\014\232\001\172\261\062\343\053\001\007\070\156\303\245
-\136\043\274\105\233\173\120\301\311\060\217\333\345\053\172\323
-\133\373\063\100\036\240\325\230\027\274\213\207\303\211\323\135
-\240\216\262\252\252\366\216\151\210\006\305\372\211\041\363\010
-\235\151\056\011\063\233\051\015\106\017\214\314\111\064\260\151
-\121\275\371\006\315\150\255\146\114\274\076\254\141\275\012\210
-\016\310\337\075\356\174\004\114\235\012\136\153\221\326\356\307
-\355\050\215\253\115\207\211\163\320\156\244\320\036\026\213\024
-\341\166\104\003\177\143\254\344\315\111\234\305\222\364\253\062
-\241\110\133\002\003\001\000\001\243\201\271\060\201\266\060\013
-\006\003\125\035\017\004\004\003\002\001\306\060\017\006\003\125
-\035\023\001\001\377\004\005\060\003\001\001\377\060\035\006\003
-\125\035\016\004\026\004\024\241\162\137\046\033\050\230\103\225
-\135\007\067\325\205\226\235\113\322\303\105\060\104\006\003\125
-\035\037\004\075\060\073\060\071\240\067\240\065\206\063\150\164
-\164\160\072\057\057\143\162\154\056\165\163\145\162\164\162\165
-\163\164\056\143\157\155\057\125\124\116\055\125\123\105\122\106
-\151\162\163\164\055\110\141\162\144\167\141\162\145\056\143\162
-\154\060\061\006\003\125\035\045\004\052\060\050\006\010\053\006
-\001\005\005\007\003\001\006\010\053\006\001\005\005\007\003\005
-\006\010\053\006\001\005\005\007\003\006\006\010\053\006\001\005
-\005\007\003\007\060\015\006\011\052\206\110\206\367\015\001\001
-\005\005\000\003\202\001\001\000\107\031\017\336\164\306\231\227
-\257\374\255\050\136\165\216\353\055\147\356\116\173\053\327\014
-\377\366\336\313\125\242\012\341\114\124\145\223\140\153\237\022
-\234\255\136\203\054\353\132\256\300\344\055\364\000\143\035\270
-\300\154\362\317\111\273\115\223\157\006\246\012\042\262\111\142
-\010\116\377\310\310\024\262\210\026\135\347\001\344\022\225\345
-\105\064\263\213\151\275\317\264\205\217\165\121\236\175\072\070
-\072\024\110\022\306\373\247\073\032\215\015\202\100\007\350\004
-\010\220\241\211\313\031\120\337\312\034\001\274\035\004\031\173
-\020\166\227\073\356\220\220\312\304\016\037\026\156\165\357\063
-\370\323\157\133\036\226\343\340\164\167\164\173\212\242\156\055
-\335\166\326\071\060\202\360\253\234\122\362\052\307\257\111\136
-\176\307\150\345\202\201\310\152\047\371\047\210\052\325\130\120
-\225\037\360\073\034\127\273\175\024\071\142\053\232\311\224\222
-\052\243\042\014\377\211\046\175\137\043\053\107\327\025\035\251
-\152\236\121\015\052\121\236\201\371\324\073\136\160\022\177\020
-\062\234\036\273\235\370\146\250
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "UTN USERFirst Hardware Root CA"
-# Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-# Subject: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:10:42 1999
-# Not Valid After : Tue Jul 09 18:19:22 2019
-# Fingerprint (MD5): 4C:56:41:E5:0D:BB:2B:E8:CA:A3:ED:18:08:AD:43:39
-# Fingerprint (SHA1): 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\004\203\355\063\231\254\066\010\005\207\042\355\274\136\106\000
-\343\276\371\327
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\114\126\101\345\015\273\053\350\312\243\355\030\010\255\103\071
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\227\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\037\060\035\006\003\125
-\004\003\023\026\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\110\141\162\144\167\141\162\145
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\052\376\145
-\012\375
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "UTN USERFirst Object Root CA"
-#
-# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
-# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:31:20 1999
-# Not Valid After : Tue Jul 09 18:40:36 2019
-# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
-# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\004\146\060\202\003\116\240\003\002\001\002\002\020\104
-\276\014\213\120\000\044\264\021\323\066\055\340\263\137\033\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\201
-\225\061\013\060\011\006\003\125\004\006\023\002\125\123\061\013
-\060\011\006\003\125\004\010\023\002\125\124\061\027\060\025\006
-\003\125\004\007\023\016\123\141\154\164\040\114\141\153\145\040
-\103\151\164\171\061\036\060\034\006\003\125\004\012\023\025\124
-\150\145\040\125\123\105\122\124\122\125\123\124\040\116\145\164
-\167\157\162\153\061\041\060\037\006\003\125\004\013\023\030\150
-\164\164\160\072\057\057\167\167\167\056\165\163\145\162\164\162
-\165\163\164\056\143\157\155\061\035\060\033\006\003\125\004\003
-\023\024\125\124\116\055\125\123\105\122\106\151\162\163\164\055
-\117\142\152\145\143\164\060\036\027\015\071\071\060\067\060\071
-\061\070\063\061\062\060\132\027\015\061\071\060\067\060\071\061
-\070\064\060\063\066\132\060\201\225\061\013\060\011\006\003\125
-\004\006\023\002\125\123\061\013\060\011\006\003\125\004\010\023
-\002\125\124\061\027\060\025\006\003\125\004\007\023\016\123\141
-\154\164\040\114\141\153\145\040\103\151\164\171\061\036\060\034
-\006\003\125\004\012\023\025\124\150\145\040\125\123\105\122\124
-\122\125\123\124\040\116\145\164\167\157\162\153\061\041\060\037
-\006\003\125\004\013\023\030\150\164\164\160\072\057\057\167\167
-\167\056\165\163\145\162\164\162\165\163\164\056\143\157\155\061
-\035\060\033\006\003\125\004\003\023\024\125\124\116\055\125\123
-\105\122\106\151\162\163\164\055\117\142\152\145\143\164\060\202
-\001\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005
-\000\003\202\001\017\000\060\202\001\012\002\202\001\001\000\316
-\252\201\077\243\243\141\170\252\061\000\125\225\021\236\047\017
-\037\034\337\072\233\202\150\060\300\112\141\035\361\057\016\372
-\276\171\367\245\043\357\125\121\226\204\315\333\343\271\156\076
-\061\330\012\040\147\307\364\331\277\224\353\107\004\076\002\316
-\052\242\135\207\004\011\366\060\235\030\212\227\262\252\034\374
-\101\322\241\066\313\373\075\221\272\347\331\160\065\372\344\347
-\220\303\233\243\233\323\074\365\022\231\167\261\267\011\340\150
-\346\034\270\363\224\143\210\152\152\376\013\166\311\276\364\042
-\344\147\271\253\032\136\167\301\205\007\335\015\154\277\356\006
-\307\167\152\101\236\247\017\327\373\356\224\027\267\374\205\276
-\244\253\304\034\061\335\327\266\321\344\360\357\337\026\217\262
-\122\223\327\241\324\211\241\007\056\277\341\001\022\102\036\032
-\341\330\225\064\333\144\171\050\377\272\056\021\302\345\350\133
-\222\110\373\107\013\302\154\332\255\062\203\101\363\245\345\101
-\160\375\145\220\155\372\372\121\304\371\275\226\053\031\004\054
-\323\155\247\334\360\177\157\203\145\342\152\253\207\206\165\002
-\003\001\000\001\243\201\257\060\201\254\060\013\006\003\125\035
-\017\004\004\003\002\001\306\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004
-\026\004\024\332\355\144\164\024\234\024\074\253\335\231\251\275
-\133\050\115\213\074\311\330\060\102\006\003\125\035\037\004\073
-\060\071\060\067\240\065\240\063\206\061\150\164\164\160\072\057
-\057\143\162\154\056\165\163\145\162\164\162\165\163\164\056\143
-\157\155\057\125\124\116\055\125\123\105\122\106\151\162\163\164
-\055\117\142\152\145\143\164\056\143\162\154\060\051\006\003\125
-\035\045\004\042\060\040\006\010\053\006\001\005\005\007\003\003
-\006\010\053\006\001\005\005\007\003\010\006\012\053\006\001\004
-\001\202\067\012\003\004\060\015\006\011\052\206\110\206\367\015
-\001\001\005\005\000\003\202\001\001\000\010\037\122\261\067\104
-\170\333\375\316\271\332\225\226\230\252\125\144\200\265\132\100
-\335\041\245\305\301\363\137\054\114\310\107\132\151\352\350\360
-\065\065\364\320\045\363\310\246\244\207\112\275\033\261\163\010
-\275\324\303\312\266\065\273\131\206\167\061\315\247\200\024\256
-\023\357\374\261\110\371\153\045\045\055\121\266\054\155\105\301
-\230\310\212\126\135\076\356\103\116\076\153\047\216\320\072\113
-\205\013\137\323\355\152\247\165\313\321\132\207\057\071\165\023
-\132\162\260\002\201\237\276\360\017\204\124\040\142\154\151\324
-\341\115\306\015\231\103\001\015\022\226\214\170\235\277\120\242
-\261\104\252\152\317\027\172\317\157\017\324\370\044\125\137\360
-\064\026\111\146\076\120\106\311\143\161\070\061\142\270\142\271
-\363\123\255\154\265\053\242\022\252\031\117\011\332\136\347\223
-\306\216\024\010\376\360\060\200\030\240\206\205\115\310\175\327
-\213\003\376\156\325\367\235\026\254\222\054\240\043\345\234\221
-\122\037\224\337\027\224\163\303\263\301\301\161\005\040\000\170
-\275\023\122\035\250\076\315\000\037\310
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "UTN USERFirst Object Root CA"
-# Issuer: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Serial Number:44:be:0c:8b:50:00:24:b4:11:d3:36:2d:e0:b3:5f:1b
-# Subject: CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
-# Not Valid Before: Fri Jul 09 18:31:20 1999
-# Not Valid After : Tue Jul 09 18:40:36 2019
-# Fingerprint (MD5): A7:F2:E4:16:06:41:11:50:30:6B:9C:E3:B4:9C:B0:C9
-# Fingerprint (SHA1): E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "UTN USERFirst Object Root CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\341\055\373\113\101\327\331\303\053\060\121\113\254\035\201\330
-\070\136\055\106
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\247\362\344\026\006\101\021\120\060\153\234\343\264\234\260\311
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\225\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\013\060\011\006\003\125\004\010\023\002\125\124\061\027\060
-\025\006\003\125\004\007\023\016\123\141\154\164\040\114\141\153
-\145\040\103\151\164\171\061\036\060\034\006\003\125\004\012\023
-\025\124\150\145\040\125\123\105\122\124\122\125\123\124\040\116
-\145\164\167\157\162\153\061\041\060\037\006\003\125\004\013\023
-\030\150\164\164\160\072\057\057\167\167\167\056\165\163\145\162
-\164\162\165\163\164\056\143\157\155\061\035\060\033\006\003\125
-\004\003\023\024\125\124\116\055\125\123\105\122\106\151\162\163
-\164\055\117\142\152\145\143\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\104\276\014\213\120\000\044\264\021\323\066\055\340\263
-\137\033
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Camerfirma Chambers of Commerce Root"
 #
 # Issuer: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Chambers of Commerce Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Not Valid Before: Tue Sep 30 16:13:43 2003
 # Not Valid After : Wed Sep 30 16:13:44 2037
 # Fingerprint (MD5): B0:01:EE:14:D9:AF:29:18:94:76:8E:F1:69:33:2A:84
@@ -4728,17 +3681,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\157\146\040\103\157\155\155\145\162\143\145\040\122\157\157
 \164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Camerfirma Global Chambersign Root"
 #
 # Issuer: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 # Serial Number: 0 (0x0)
 # Subject: CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
@@ -4887,17 +3840,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\006\003\125\004\003\023\027\107\154\157\142\141\154\040\103
 \150\141\155\142\145\162\163\151\147\156\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "XRamp Global CA Root"
 #
 # Issuer: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
 # Serial Number:50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
 # Subject: CN=XRamp Global Certification Authority,O=XRamp Security Services Inc,OU=www.xrampsecurity.com,C=US
@@ -5042,17 +3995,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
 \240\255
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Go Daddy Class 2 CA"
 #
 # Issuer: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US
@@ -5186,17 +4139,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Class 2 CA"
 #
 # Issuer: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
 # Serial Number: 0 (0x0)
 # Subject: OU=Starfield Class 2 Certification Authority,O="Starfield Technologies, Inc.",C=US
@@ -5331,17 +4284,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\062\040\103\145\162\164\151\146\151\143\141\164\151\157\156
 \040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "StartCom Certification Authority"
 #
 # Issuer: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
 # Serial Number: 1 (0x1)
 # Subject: CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
@@ -5538,17 +4491,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
 \141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Taiwan GRCA"
 #
 # Issuer: O=Government Root Certification Authority,C=TW
 # Serial Number:1f:9d:59:5a:d7:2f:c2:06:44:a5:80:08:69:e3:5e:f6
 # Subject: O=Government Root Certification Authority,C=TW
@@ -5701,192 +4654,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\235\131\132\327\057\302\006\104\245\200\010\151\343
 \136\366
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Swisscom Root CA 1"
-#
-# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
-# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Thu Aug 18 12:06:20 2005
-# Not Valid After : Mon Aug 18 22:06:20 2025
-# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
-# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root CA 1"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235
-\250\066
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\331\060\202\003\301\240\003\002\001\002\002\020\134
-\013\205\134\013\347\131\101\337\127\314\077\177\235\250\066\060
-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\144
-\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021\060
-\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157\155
-\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151\164
-\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040\123
-\145\162\166\151\143\145\163\061\033\060\031\006\003\125\004\003
-\023\022\123\167\151\163\163\143\157\155\040\122\157\157\164\040
-\103\101\040\061\060\036\027\015\060\065\060\070\061\070\061\062
-\060\066\062\060\132\027\015\062\065\060\070\061\070\062\062\060
-\066\062\060\132\060\144\061\013\060\011\006\003\125\004\006\023
-\002\143\150\061\021\060\017\006\003\125\004\012\023\010\123\167
-\151\163\163\143\157\155\061\045\060\043\006\003\125\004\013\023
-\034\104\151\147\151\164\141\154\040\103\145\162\164\151\146\151
-\143\141\164\145\040\123\145\162\166\151\143\145\163\061\033\060
-\031\006\003\125\004\003\023\022\123\167\151\163\163\143\157\155
-\040\122\157\157\164\040\103\101\040\061\060\202\002\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
-\017\000\060\202\002\012\002\202\002\001\000\320\271\260\250\014
-\331\273\077\041\370\033\325\063\223\200\026\145\040\165\262\075
-\233\140\155\106\310\214\061\157\027\303\372\232\154\126\355\074
-\305\221\127\303\315\253\226\111\220\052\031\113\036\243\155\127
-\335\361\053\142\050\165\105\136\252\326\133\372\013\045\330\241
-\026\371\034\304\056\346\225\052\147\314\320\051\156\074\205\064
-\070\141\111\261\000\237\326\072\161\137\115\155\316\137\271\251
-\344\211\177\152\122\372\312\233\362\334\251\371\235\231\107\077
-\116\051\137\264\246\215\135\173\013\231\021\003\003\376\347\333
-\333\243\377\035\245\315\220\036\001\037\065\260\177\000\333\220
-\157\306\176\173\321\356\172\172\247\252\014\127\157\244\155\305
-\023\073\260\245\331\355\062\034\264\136\147\213\124\334\163\207
-\345\323\027\174\146\120\162\135\324\032\130\301\331\317\330\211
-\002\157\247\111\264\066\135\320\244\336\007\054\266\165\267\050
-\221\326\227\276\050\365\230\036\352\133\046\311\275\260\227\163
-\332\256\221\046\353\150\301\371\071\025\326\147\113\012\155\117
-\313\317\260\344\102\161\214\123\171\347\356\341\333\035\240\156
-\035\214\032\167\065\134\026\036\053\123\037\064\213\321\154\374
-\362\147\007\172\365\255\355\326\232\253\241\261\113\341\314\067
-\137\375\177\315\115\256\270\037\234\103\371\052\130\125\103\105
-\274\226\315\160\016\374\311\343\146\272\116\215\073\201\313\025
-\144\173\271\224\350\135\063\122\205\161\056\117\216\242\006\021
-\121\311\343\313\241\156\061\010\144\014\302\322\074\365\066\350
-\327\320\016\170\043\040\221\311\044\052\145\051\133\042\367\041
-\316\203\136\244\363\336\113\323\150\217\106\165\134\203\011\156
-\051\153\304\160\214\365\235\327\040\057\377\106\322\053\070\302
-\057\165\034\075\176\332\245\357\036\140\205\151\102\323\314\370
-\143\376\036\103\071\205\246\266\143\101\020\263\163\036\274\323
-\372\312\175\026\107\342\247\325\320\243\212\012\010\226\142\126
-\156\064\333\331\002\271\060\165\343\004\322\347\217\302\260\021
-\100\012\254\325\161\002\142\213\061\276\335\306\043\130\061\102
-\103\055\164\371\306\236\246\212\017\351\376\277\203\346\103\127
-\044\272\357\106\064\252\327\022\001\070\355\002\003\001\000\001
-\243\201\206\060\201\203\060\016\006\003\125\035\017\001\001\377
-\004\004\003\002\001\206\060\035\006\003\125\035\041\004\026\060
-\024\060\022\006\007\140\205\164\001\123\000\001\006\007\140\205
-\164\001\123\000\001\060\022\006\003\125\035\023\001\001\377\004
-\010\060\006\001\001\377\002\001\007\060\037\006\003\125\035\043
-\004\030\060\026\200\024\003\045\057\336\157\202\001\072\134\054
-\334\053\241\151\265\147\324\214\323\375\060\035\006\003\125\035
-\016\004\026\004\024\003\045\057\336\157\202\001\072\134\054\334
-\053\241\151\265\147\324\214\323\375\060\015\006\011\052\206\110
-\206\367\015\001\001\005\005\000\003\202\002\001\000\065\020\313
-\354\246\004\015\015\017\315\300\333\253\250\362\210\227\014\337
-\223\057\115\174\100\126\061\172\353\244\017\140\315\172\363\276
-\303\047\216\003\076\244\335\022\357\176\036\164\006\074\077\061
-\362\034\173\221\061\041\264\360\320\154\227\324\351\227\262\044
-\126\036\126\303\065\275\210\005\017\133\020\032\144\341\307\202
-\060\371\062\255\236\120\054\347\170\005\320\061\261\132\230\212
-\165\116\220\134\152\024\052\340\122\107\202\140\346\036\332\201
-\261\373\024\013\132\361\237\322\225\272\076\320\033\326\025\035
-\243\276\206\325\333\017\300\111\144\273\056\120\031\113\322\044
-\370\335\036\007\126\320\070\240\225\160\040\166\214\327\335\036
-\336\237\161\304\043\357\203\023\134\243\044\025\115\051\100\074
-\152\304\251\330\267\246\104\245\015\364\340\235\167\036\100\160
-\046\374\332\331\066\344\171\344\265\077\274\233\145\276\273\021
-\226\317\333\306\050\071\072\010\316\107\133\123\132\305\231\376
-\135\251\335\357\114\324\306\245\255\002\346\214\007\022\036\157
-\003\321\157\240\243\363\051\275\022\307\120\242\260\177\210\251
-\231\167\232\261\300\245\071\056\134\174\151\342\054\260\352\067
-\152\244\341\132\341\365\120\345\203\357\245\273\052\210\347\214
-\333\375\155\136\227\031\250\176\146\165\153\161\352\277\261\307
-\157\240\364\216\244\354\064\121\133\214\046\003\160\241\167\325
-\001\022\127\000\065\333\043\336\016\212\050\231\375\261\020\157
-\113\377\070\055\140\116\054\234\353\147\265\255\111\356\113\037
-\254\257\373\015\220\132\146\140\160\135\252\315\170\324\044\356
-\310\101\240\223\001\222\234\152\236\374\271\044\305\263\025\202
-\176\276\256\225\053\353\261\300\332\343\001\140\013\136\151\254
-\204\126\141\276\161\027\376\035\023\017\376\306\207\105\351\376
-\062\240\032\015\023\244\224\125\161\245\026\213\272\312\211\260
-\262\307\374\217\330\124\265\223\142\235\316\317\131\373\075\030
-\316\052\313\065\025\202\135\377\124\042\133\161\122\373\267\311
-\376\140\233\000\101\144\360\252\052\354\266\102\103\316\211\146
-\201\310\213\237\071\124\003\045\323\026\065\216\204\320\137\372
-\060\032\365\232\154\364\016\123\371\072\133\321\034
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "Swisscom Root CA 1"
-# Issuer: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:5c:0b:85:5c:0b:e7:59:41:df:57:cc:3f:7f:9d:a8:36
-# Subject: CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Thu Aug 18 12:06:20 2005
-# Not Valid After : Mon Aug 18 22:06:20 2025
-# Fingerprint (MD5): F8:38:7C:77:88:DF:2C:16:68:2E:C2:E2:52:4B:B8:F9
-# Fingerprint (SHA1): 5F:3A:FC:0A:8B:64:F6:86:67:34:74:DF:7E:A9:A2:FE:F9:FA:7A:51
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root CA 1"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\137\072\374\012\213\144\366\206\147\064\164\337\176\251\242\376
-\371\372\172\121
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\370\070\174\167\210\337\054\026\150\056\302\342\122\113\270\371
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\144\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
-\004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\103\101\040\061
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\020\134\013\205\134\013\347\131\101\337\127\314\077\177\235
-\250\066
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root CA"
 #
 # Issuer: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0c:e7:e0:e5:17:d8:46:fe:8f:e5:60:fc:1b:f0:30:39
 # Subject: CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6017,17 +4795,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\347\340\345\027\330\106\376\217\345\140\374\033\360
 \060\071
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root CA"
 #
 # Issuer: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:08:3b:e0:56:90:42:46:b1:a1:75:6a:c9:59:91:c7:4a
 # Subject: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6158,17 +4936,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\010\073\340\126\220\102\106\261\241\165\152\311\131\221
 \307\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert High Assurance EV Root CA"
 #
 # Issuer: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
 # Subject: CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -6300,17 +5078,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\143\145\040\105\126\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\002\254\134\046\152\013\100\233\217\013\171\362\256\106
 \045\167
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certplus Class 2 Primary CA"
 #
 # Issuer: CN=Class 2 Primary CA,O=Certplus,C=FR
 # Serial Number:00:85:bd:4b:f3:d8:da:e3:69:f6:94:d7:5f:c3:a5:44:23
 # Subject: CN=Class 2 Primary CA,O=Certplus,C=FR
@@ -6867,17 +5645,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \032\123\167\151\163\163\123\151\147\156\040\120\154\141\164\151
 \156\165\155\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\116\262\000\147\014\003\135\117
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SwissSign Gold CA - G2"
 #
 # Issuer: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
 # Serial Number:00:bb:40:1c:43:f5:5e:4f:b0
 # Subject: CN=SwissSign Gold CA - G2,O=SwissSign AG,C=CH
@@ -7032,17 +5810,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \026\123\167\151\163\163\123\151\147\156\040\107\157\154\144\040
 \103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\273\100\034\103\365\136\117\260
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SwissSign Silver CA - G2"
 #
 # Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
 # Serial Number:4f:1b:d4:2f:54:bb:2f:4b
 # Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
@@ -7198,17 +5976,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \030\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145
 \162\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\117\033\324\057\124\273\057\113
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
 # Serial Number:18:ac:b5:6a:fd:69:b6:15:3a:63:6c:af:da:fa:c4:a1
 # Subject: CN=GeoTrust Primary Certification Authority,O=GeoTrust Inc.,C=US
@@ -7492,17 +6270,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\141\162\171\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\064\116\325\127\040\325\355\354\111\364\057\316\067\333
 \053\155
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -7669,17 +6447,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\065
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\030\332\321\236\046\175\350\273\112\041\130\315\314\153
 \073\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SecureTrust CA"
 #
 # Issuer: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
 # Serial Number:0c:f0:8e:5c:08:16:a5:ad:42:7f:f0:eb:27:18:59:d0
 # Subject: CN=SecureTrust CA,O=SecureTrust Corporation,C=US
@@ -7804,17 +6582,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\145\124\162\165\163\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\014\360\216\134\010\026\245\255\102\177\360\353\047\030
 \131\320
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Secure Global CA"
 #
 # Issuer: CN=Secure Global CA,O=SecureTrust Corporation,C=US
 # Serial Number:07:56:22:a4:e8:d4:8a:89:4d:f4:13:c8:f0:f8:ea:a5
 # Subject: CN=Secure Global CA,O=SecureTrust Corporation,C=US
@@ -7939,17 +6717,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\145\040\107\154\157\142\141\154\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\007\126\042\244\350\324\212\211\115\364\023\310\360\370
 \352\245
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "COMODO Certification Authority"
 #
 # Issuer: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4e:81:2d:8a:82:65:e0:0b:02:ee:3e:35:02:46:e5:3d
 # Subject: CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -8093,17 +6871,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\116\201\055\212\202\145\340\013\002\356\076\065\002\106
 \345\075
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Network Solutions Certificate Authority"
 #
 # Issuer: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
 # Serial Number:57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0
 # Subject: CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
@@ -8365,17 +7143,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\037\107\257\252\142\000\160\120\124\114\001\236\233\143
 \231\052
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "MD5 Collisions Forged Rogue CA 25c3"
 #
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 66 (0x42)
 # Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
@@ -9137,17 +7915,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\303\241\155\141\162\141\040\123\056\101\056
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\017\007\176\122\223\173\340\025\343\127\360\151\214\313\354
 \014
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TC TrustCenter Class 3 CA II"
 #
 # Issuer: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
 # Serial Number:4a:47:00:01:00:02:e5:a0:5d:d6:3f:00:51:bf
 # Subject: CN=TC TrustCenter Class 3 CA II,OU=TC TrustCenter Class 3 CA,O=TC TrustCenter GmbH,C=DE
@@ -9435,17 +8213,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \145\040\124\145\154\145\153\157\155\040\122\157\157\164\040\103
 \101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\046
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "ComSign CA"
 #
 # Issuer: C=IL,O=ComSign,CN=ComSign CA
 # Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44
 # Subject: C=IL,O=ComSign,CN=ComSign CA
@@ -9569,147 +8347,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \167\104
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
-# Certificate "ComSign Secured CA"
-#
-# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
-# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
-# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
-# Not Valid Before: Wed Mar 24 11:37:20 2004
-# Not Valid After : Fri Mar 16 15:04:56 2029
-# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
-# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign Secured CA"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365
-\066\116\351
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\253\060\202\002\223\240\003\002\001\002\002\021\000
-\307\050\107\011\263\270\154\105\214\035\372\044\365\066\116\351
-\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
-\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155\123
-\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061\020
-\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147\156
-\061\013\060\011\006\003\125\004\006\023\002\111\114\060\036\027
-\015\060\064\060\063\062\064\061\061\063\067\062\060\132\027\015
-\062\071\060\063\061\066\061\065\060\064\065\066\132\060\074\061
-\033\060\031\006\003\125\004\003\023\022\103\157\155\123\151\147
-\156\040\123\145\143\165\162\145\144\040\103\101\061\020\060\016
-\006\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013
-\060\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060
-\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202
-\001\017\000\060\202\001\012\002\202\001\001\000\306\265\150\137
-\035\224\025\303\244\010\125\055\343\240\127\172\357\351\164\052
-\273\271\174\127\111\032\021\136\117\051\207\014\110\326\152\347
-\217\324\176\127\044\271\006\211\344\034\074\352\254\343\332\041
-\200\163\041\012\357\171\230\154\037\010\377\241\120\175\362\230
-\033\311\124\157\076\245\050\354\041\004\017\105\273\007\075\241
-\300\372\052\230\035\116\006\223\373\365\210\073\253\137\313\026
-\277\346\363\236\112\207\355\031\352\302\237\103\344\361\201\245
-\177\020\117\076\321\112\142\255\123\033\313\203\377\007\145\245
-\222\055\146\251\133\270\132\364\035\264\041\221\112\027\173\236
-\062\376\126\044\071\262\124\204\103\365\204\302\330\274\101\220
-\314\235\326\150\332\351\202\120\251\073\150\317\265\135\002\224
-\140\026\261\103\331\103\135\335\135\207\156\352\273\263\311\153
-\366\003\224\011\160\336\026\021\172\053\350\166\217\111\020\230
-\167\271\143\134\213\063\227\165\366\013\214\262\253\133\336\164
-\040\045\077\343\363\021\371\207\150\206\065\161\303\035\214\055
-\353\345\032\254\017\163\325\202\131\100\200\323\002\003\001\000
-\001\243\201\247\060\201\244\060\014\006\003\125\035\023\004\005
-\060\003\001\001\377\060\104\006\003\125\035\037\004\075\060\073
-\060\071\240\067\240\065\206\063\150\164\164\160\072\057\057\146
-\145\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056
-\151\154\057\143\162\154\057\103\157\155\123\151\147\156\123\145
-\143\165\162\145\144\103\101\056\143\162\154\060\016\006\003\125
-\035\017\001\001\377\004\004\003\002\001\206\060\037\006\003\125
-\035\043\004\030\060\026\200\024\301\113\355\160\266\367\076\174
-\000\073\000\217\307\076\016\105\237\036\135\354\060\035\006\003
-\125\035\016\004\026\004\024\301\113\355\160\266\367\076\174\000
-\073\000\217\307\076\016\105\237\036\135\354\060\015\006\011\052
-\206\110\206\367\015\001\001\005\005\000\003\202\001\001\000\026
-\317\356\222\023\120\253\173\024\236\063\266\102\040\152\324\025
-\275\011\253\374\162\350\357\107\172\220\254\121\301\144\116\351
-\210\275\103\105\201\343\146\043\077\022\206\115\031\344\005\260
-\346\067\302\215\332\006\050\311\017\211\244\123\251\165\077\260
-\226\373\253\114\063\125\371\170\046\106\157\033\066\230\373\102
-\166\301\202\271\216\336\373\105\371\143\033\142\073\071\006\312
-\167\172\250\074\011\317\154\066\075\017\012\105\113\151\026\032
-\105\175\063\003\145\371\122\161\220\046\225\254\114\014\365\213
-\223\077\314\165\164\205\230\272\377\142\172\115\037\211\376\256
-\275\224\000\231\277\021\245\334\340\171\305\026\013\175\002\141
-\035\352\205\371\002\025\117\347\132\211\116\024\157\343\067\113
-\205\365\301\074\141\340\375\005\101\262\222\177\303\035\240\320
-\256\122\144\140\153\030\306\046\234\330\365\144\344\066\032\142
-\237\212\017\076\377\155\116\031\126\116\040\221\154\237\064\063
-\072\064\127\120\072\157\201\136\006\306\365\076\174\116\216\053
-\316\145\006\056\135\322\052\123\164\136\323\156\047\236\217
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "ComSign Secured CA"
-# Issuer: C=IL,O=ComSign,CN=ComSign Secured CA
-# Serial Number:00:c7:28:47:09:b3:b8:6c:45:8c:1d:fa:24:f5:36:4e:e9
-# Subject: C=IL,O=ComSign,CN=ComSign Secured CA
-# Not Valid Before: Wed Mar 24 11:37:20 2004
-# Not Valid After : Fri Mar 16 15:04:56 2029
-# Fingerprint (MD5): 40:01:25:06:8D:21:43:6A:0E:43:00:9C:E7:43:F3:D5
-# Fingerprint (SHA1): F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "ComSign Secured CA"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\371\315\016\054\332\166\044\301\217\275\360\360\253\266\105\270
-\367\376\325\172
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\100\001\045\006\215\041\103\152\016\103\000\234\347\103\363\325
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\074\061\033\060\031\006\003\125\004\003\023\022\103\157\155
-\123\151\147\156\040\123\145\143\165\162\145\144\040\103\101\061
-\020\060\016\006\003\125\004\012\023\007\103\157\155\123\151\147
-\156\061\013\060\011\006\003\125\004\006\023\002\111\114
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\307\050\107\011\263\270\154\105\214\035\372\044\365
-\066\116\351
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
 # Certificate "Cybertrust Global Root"
 #
 # Issuer: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Serial Number:04:00:00:00:00:01:0f:85:aa:2d:48
 # Subject: CN=Cybertrust Global Root,O="Cybertrust, Inc"
 # Not Valid Before: Fri Dec 15 08:00:00 2006
 # Not Valid After : Wed Dec 15 08:00:00 2021
 # Fingerprint (MD5): 72:E4:4A:87:E3:69:40:80:77:EA:BC:E3:F4:FF:F0:E1
@@ -9995,17 +8642,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\310\275\145\107\134\257\270\227\000\136\344\006\322
 \274\235
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
 #
 # Issuer: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
 # Serial Number: 17 (0x11)
 # Subject: CN=T..B..TAK UEKAE K..k Sertifika Hizmet Sa..lay..c..s.. - S..r..m ...,OU=Kamu Sertifikasyon Merkezi,OU=Ulusal Elektronik ve Kriptoloji Ara..t..rma Enstit..s.. - UEKAE,O=T..rkiye Bilimsel ve Teknolojik Ara..t..rma Kurumu - T..B..TAK,L=Gebze - Kocaeli,C=TR
@@ -10314,140 +8961,16 @@ CKA_ISSUER MULTILINE_OCTAL
 \107\116\061\031\060\027\006\003\125\004\013\023\020\143\145\162
 \164\123\111\107\116\040\122\117\117\124\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\040\006\005\026\160\002
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "CNNIC ROOT"
-#
-# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Serial Number: 1228079105 (0x49330001)
-# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Not Valid Before: Mon Apr 16 07:09:14 2007
-# Not Valid After : Fri Apr 16 07:09:14 2027
-# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
-# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CNNIC ROOT"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\111\063\000\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\125\060\202\002\075\240\003\002\001\002\002\004\111
-\063\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103
-\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111
-\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111
-\103\040\122\117\117\124\060\036\027\015\060\067\060\064\061\066
-\060\067\060\071\061\064\132\027\015\062\067\060\064\061\066\060
-\067\060\071\061\064\132\060\062\061\013\060\011\006\003\125\004
-\006\023\002\103\116\061\016\060\014\006\003\125\004\012\023\005
-\103\116\116\111\103\061\023\060\021\006\003\125\004\003\023\012
-\103\116\116\111\103\040\122\117\117\124\060\202\001\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001
-\017\000\060\202\001\012\002\202\001\001\000\323\065\367\077\163
-\167\255\350\133\163\027\302\321\157\355\125\274\156\352\350\244
-\171\262\154\303\243\357\341\237\261\073\110\205\365\232\134\041
-\042\020\054\305\202\316\332\343\232\156\067\341\207\054\334\271
-\014\132\272\210\125\337\375\252\333\037\061\352\001\361\337\071
-\001\301\023\375\110\122\041\304\125\337\332\330\263\124\166\272
-\164\261\267\175\327\300\350\366\131\305\115\310\275\255\037\024
-\332\337\130\104\045\062\031\052\307\176\176\216\256\070\260\060
-\173\107\162\011\061\360\060\333\303\033\166\051\273\151\166\116
-\127\371\033\144\242\223\126\267\157\231\156\333\012\004\234\021
-\343\200\037\313\143\224\020\012\251\341\144\202\061\371\214\047
-\355\246\231\000\366\160\223\030\370\241\064\206\243\335\172\302
-\030\171\366\172\145\065\317\220\353\275\063\223\237\123\253\163
-\073\346\233\064\040\057\035\357\251\035\143\032\240\200\333\003
-\057\371\046\032\206\322\215\273\251\276\122\072\207\147\110\015
-\277\264\240\330\046\276\043\137\163\067\177\046\346\222\004\243
-\177\317\040\247\267\363\072\312\313\231\313\002\003\001\000\001
-\243\163\060\161\060\021\006\011\140\206\110\001\206\370\102\001
-\001\004\004\003\002\000\007\060\037\006\003\125\035\043\004\030
-\060\026\200\024\145\362\061\255\052\367\367\335\122\226\012\307
-\002\301\016\357\246\325\073\021\060\017\006\003\125\035\023\001
-\001\377\004\005\060\003\001\001\377\060\013\006\003\125\035\017
-\004\004\003\002\001\376\060\035\006\003\125\035\016\004\026\004
-\024\145\362\061\255\052\367\367\335\122\226\012\307\002\301\016
-\357\246\325\073\021\060\015\006\011\052\206\110\206\367\015\001
-\001\005\005\000\003\202\001\001\000\113\065\356\314\344\256\277
-\303\156\255\237\225\073\113\077\133\036\337\127\051\242\131\312
-\070\342\271\032\377\236\346\156\062\335\036\256\352\065\267\365
-\223\221\116\332\102\341\303\027\140\120\362\321\134\046\271\202
-\267\352\155\344\234\204\347\003\171\027\257\230\075\224\333\307
-\272\000\347\270\277\001\127\301\167\105\062\014\073\361\264\034
-\010\260\375\121\240\241\335\232\035\023\066\232\155\267\307\074
-\271\341\305\331\027\372\203\325\075\025\240\074\273\036\013\342
-\310\220\077\250\206\014\374\371\213\136\205\313\117\133\113\142
-\021\107\305\105\174\005\057\101\261\236\020\151\033\231\226\340
-\125\171\373\116\206\231\270\224\332\206\070\152\223\243\347\313
-\156\345\337\352\041\125\211\234\175\175\177\230\365\000\211\356
-\343\204\300\134\226\265\305\106\352\106\340\205\125\266\033\311
-\022\326\301\315\315\200\363\002\001\074\310\151\313\105\110\143
-\330\224\320\354\205\016\073\116\021\145\364\202\214\246\075\256
-\056\042\224\011\310\134\352\074\201\135\026\052\003\227\026\125
-\011\333\212\101\202\236\146\233\021
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for Certificate "CNNIC ROOT"
-# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Serial Number: 1228079105 (0x49330001)
-# Subject: CN=CNNIC ROOT,O=CNNIC,C=CN
-# Not Valid Before: Mon Apr 16 07:09:14 2007
-# Not Valid After : Fri Apr 16 07:09:14 2027
-# Fingerprint (MD5): 21:BC:82:AB:49:C4:13:3B:4B:B2:2B:5C:6B:90:9C:19
-# Fingerprint (SHA1): 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "CNNIC ROOT"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\213\257\114\233\035\360\052\222\367\332\022\216\271\033\254\364
-\230\140\113\157
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\041\274\202\253\111\304\023\073\113\262\053\134\153\220\234\031
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
-\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
-\122\117\117\124
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\111\063\000\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority - G3"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:15:ac:6e:94:19:b2:79:4b:41:f6:27:a9:c3:18:0f:1f
@@ -10593,17 +9116,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \150\157\162\151\164\171\040\055\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\025\254\156\224\031\262\171\113\101\366\047\251\303\030
 \017\037
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "thawte Primary Root CA - G2"
 #
 # Issuer: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
 # Serial Number:35:fc:26:5c:d9:84:4f:c9:3d:26:3d:57:9b:ae:d7:56
 # Subject: CN=thawte Primary Root CA - G2,OU="(c) 2007 thawte, Inc. - For authorized use only",O="thawte, Inc.",C=US
@@ -10721,17 +9244,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\065\374\046\134\331\204\117\311\075\046\075\127\233\256
 \327\126
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "thawte Primary Root CA - G3"
 #
 # Issuer: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
 # Serial Number:60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
 # Subject: CN=thawte Primary Root CA - G3,OU="(c) 2008 thawte, Inc. - For authorized use only",OU=Certification Services Division,O="thawte, Inc.",C=US
@@ -10884,17 +9407,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\140\001\227\267\106\247\352\264\264\232\326\113\057\367
 \220\373
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GeoTrust Primary Certification Authority - G2"
 #
 # Issuer: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
 # Serial Number:3c:b2:f4:48:0a:00:e2:fe:eb:24:3b:5e:60:3e:c3:6b
 # Subject: CN=GeoTrust Primary Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US
@@ -11018,17 +9541,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \150\157\162\151\164\171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\074\262\364\110\012\000\342\376\353\044\073\136\140\076
 \303\153
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Universal Root Certification Authority"
 #
 # Issuer: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
 # Subject: CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -11190,17 +9713,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\100\032\304\144\041\263\023\041\003\016\273\344\022\032
 \305\035
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:80:fe:23:8c:0e:22:0f:48:67:12:28:91:87:ac:b3
 # Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4,OU="(c) 2007 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -11346,17 +9869,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171\040\055\040\107\064
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\057\200\376\043\214\016\042\017\110\147\022\050\221\207
 \254\263
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "NetLock Arany (Class Gold) Főtanúsítvány"
 #
 # Issuer: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
 # Serial Number:49:41:2c:e4:00:10
 # Subject: CN=NetLock Arany (Class Gold) F..tan..s..tv..ny,OU=Tan..s..tv..nykiad..k (Certification Services),O=NetLock Kft.,L=Budapest,C=HU
@@ -11503,17 +10026,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \163\163\040\107\157\154\144\051\040\106\305\221\164\141\156\303
 \272\163\303\255\164\166\303\241\156\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\006\111\101\054\344\000\020
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Staat der Nederlanden Root CA - G2"
 #
 # Issuer: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
 # Serial Number: 10000012 (0x98968c)
 # Subject: CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL
@@ -11672,17 +10195,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \144\145\162\040\116\145\144\145\162\154\141\156\144\145\156\040
 \122\157\157\164\040\103\101\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\000\230\226\214
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Hongkong Post Root CA 1"
 #
 # Issuer: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
 # Serial Number: 1000 (0x3e8)
 # Subject: CN=Hongkong Post Root CA 1,O=Hongkong Post,C=HK
@@ -12094,17 +10617,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \012\014\006\105\104\111\103\117\115\061\013\060\011\006\003\125
 \004\006\023\002\105\123
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\141\215\307\206\073\001\202\005
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 
 #
 # Certificate "Microsec e-Szigno Root CA 2009"
 #
 # Issuer: E=info@e-szigno.hu,CN=Microsec e-Szigno Root CA 2009,O=Microsec Ltd.,L=Budapest,C=HU
 # Serial Number:00:c2:7e:43:04:4e:47:3f:19
@@ -12245,17 +10768,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \001\011\001\026\020\151\156\146\157\100\145\055\163\172\151\147
 \156\157\056\150\165
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\302\176\103\004\116\107\077\031
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign Root CA - R3"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
 # Serial Number:04:00:00:00:00:01:21:58:53:08:a2
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
@@ -12373,17 +10896,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
 \004\003\023\012\107\154\157\142\141\154\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\013\004\000\000\000\000\001\041\130\123\010\242
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 #
 # Issuer: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
 # Serial Number:53:ec:3b:ee:fb:b2:48:5f
 # Subject: CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,C=ES
@@ -12547,17 +11070,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\157\156\141\154\040\103\111\106\040\101\066\062\066\063\064
 \060\066\070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\123\354\073\356\373\262\110\137
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Izenpe.com"
 #
 # Issuer: CN=Izenpe.com,O=IZENPE S.A.,C=ES
 # Serial Number:00:b0:b7:5a:16:48:5f:bf:e1:cb:f5:8b:d7:19:e6:7d
 # Subject: CN=Izenpe.com,O=IZENPE S.A.,C=ES
@@ -12715,17 +11238,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \111\172\145\156\160\145\056\143\157\155
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\000\260\267\132\026\110\137\277\341\313\365\213\327\031
 \346\175
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Chambers of Commerce Root - 2008"
 #
 # Issuer: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:a3:da:42:7e:a4:b1:ae:da
 # Subject: CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
@@ -12927,17 +11450,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \155\145\162\143\145\040\122\157\157\164\040\055\040\062\060\060
 \070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\243\332\102\176\244\261\256\332
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Global Chambersign Root - 2008"
 #
 # Issuer: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
 # Serial Number:00:c9:cd:d3:e9:d5:7d:23:ce
 # Subject: CN=Global Chambersign Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU
@@ -13135,17 +11658,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\107\154\157\142\141\154\040\103\150\141\155\142\145\162\163
 \151\147\156\040\122\157\157\164\040\055\040\062\060\060\070
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\311\315\323\351\325\175\043\316
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Bogus Mozilla Addons"
 #
 # Issuer: CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
 # Serial Number:00:92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43
 # Subject: CN=addons.mozilla.org,OU=PlatinumSSL,OU=Hosted by GTI Group Corporation,OU=Tech Dept.,O=Google Ltd.,STREET=Sea Village 10,L=English,ST=Florida,postalCode=38477,C=US
@@ -15000,17 +13523,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\146\151\143\141\164\145\040\101\165\164\150\157\162\151\164
 \171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Root Certificate Authority - G2"
 #
 # Issuer: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
@@ -15151,17 +13674,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \141\164\145\040\101\165\164\150\157\162\151\164\171\040\055\040
 \107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Starfield Services Root Certificate Authority - G2"
 #
 # Issuer: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
 # Serial Number: 0 (0x0)
 # Subject: CN=Starfield Services Root Certificate Authority - G2,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
@@ -15303,17 +13826,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\103\145\162\164\151\146\151\143\141\164\145\040\101\165\164
 \150\157\162\151\164\171\040\055\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "AffirmTrust Commercial"
 #
 # Issuer: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
 # Serial Number:77:77:06:27:26:a9:b1:7c
 # Subject: CN=AffirmTrust Commercial,O=AffirmTrust,C=US
@@ -15961,17 +14484,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \006\003\125\004\003\023\031\103\145\162\164\165\155\040\124\162
 \165\163\164\145\144\040\116\145\164\167\157\162\153\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\003\004\104\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certinomis - Autorité Racine"
 #
 # Issuer: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Autorit.. Racine,OU=0002 433998903,O=Certinomis,C=FR
@@ -16265,17 +14788,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\143\141\164\151\157\156\040\101\165\164\150\157\162\151\164
 \171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Explicitly Distrust DigiNotar Root CA"
 #
 # Issuer: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
 # Serial Number:0f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff
 # Subject: E=info@diginotar.nl,CN=DigiNotar Root CA,O=DigiNotar,C=NL
@@ -17655,17 +16178,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
 \151\143\141\164\151\157\156\040\122\157\157\164\103\101\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "EC-ACC"
 #
 # Issuer: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
 # Serial Number:ee:2b:3d:eb:d4:21:de:14:a8:62:ac:04:f3:dd:c4:01
 # Subject: CN=EC-ACC,OU=Jerarquia Entitats de Certificacio Catalanes,OU=Vegeu https://www.catcert.net/verarrel (c)03,OU=Serveis Publics de Certificacio,O=Agencia Catalana de Certificacio (NIF Q-0801176-I),C=ES
@@ -18005,17 +16528,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \111\156\163\164\151\164\165\164\151\157\156\163\040\122\157\157
 \164\103\101\040\062\060\061\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\000
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
 # Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 # Serial Number: 1800000005 (0x6b49d205)
 # Not Before: Apr  7 15:37:15 2011 GMT
 # Not After : Apr  4 15:37:15 2021 GMT
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
@@ -18238,17 +16761,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \143\164\141\154\151\163\040\101\165\164\150\145\156\164\151\143
 \141\164\151\157\156\040\122\157\157\164\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\127\012\021\227\102\304\343\314
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Trustis FPS Root CA"
 #
 # Issuer: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
 # Serial Number:1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59
 # Subject: OU=Trustis FPS Root CA,O=Trustis Limited,C=GB
@@ -18571,17 +17094,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\141\162\164\103\157\155\040\103\145\162\164\151\146\151\143
 \141\164\151\157\156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\055
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "StartCom Certification Authority G2"
 #
 # Issuer: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
 # Serial Number: 59 (0x3b)
 # Subject: CN=StartCom Certification Authority G2,O=StartCom Ltd.,C=IL
@@ -18734,17 +17257,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151
 \164\171\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\073
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Buypass Class 2 Root CA"
 #
 # Issuer: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
 # Serial Number: 2 (0x2)
 # Subject: CN=Buypass Class 2 Root CA,O=Buypass AS-983163327,C=NO
@@ -19347,17 +17870,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\100\163\153\056\145\145
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\124\200\371\240\163\355\077\000\114\312\211\330\343\161
 \346\112
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 # Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
 # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 # Serial Number: 2087 (0x827)
 # Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
 # Not Valid Before: Mon Aug 08 07:07:51 2011
 # Not Valid After : Tue Jul 06 07:07:51 2021
@@ -19581,17 +18104,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \056\040\050\143\051\040\101\162\141\154\304\261\153\040\062\060
 \060\067
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "D-TRUST Root Class 3 CA 2 2009"
 #
 # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
 # Serial Number: 623603 (0x983f3)
 # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
@@ -20130,165 +18653,16 @@ CKA_ISSUER MULTILINE_OCTAL
 \151\172\100\163\165\163\143\145\162\164\145\056\147\157\142\056
 \166\145
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\013
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "China Internet Network Information Center EV Certificates Root"
-#
-# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Serial Number: 1218379777 (0x489f0001)
-# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Not Valid Before: Tue Aug 31 07:11:25 2010
-# Not Valid After : Sat Aug 31 07:11:25 2030
-# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
-# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\110\237\000\001
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\367\060\202\002\337\240\003\002\001\002\002\004\110
-\237\000\001\060\015\006\011\052\206\110\206\367\015\001\001\005
-\005\000\060\201\212\061\013\060\011\006\003\125\004\006\023\002
-\103\116\061\062\060\060\006\003\125\004\012\014\051\103\150\151
-\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164\167
-\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156\040
-\103\145\156\164\145\162\061\107\060\105\006\003\125\004\003\014
-\076\103\150\151\156\141\040\111\156\164\145\162\156\145\164\040
-\116\145\164\167\157\162\153\040\111\156\146\157\162\155\141\164
-\151\157\156\040\103\145\156\164\145\162\040\105\126\040\103\145
-\162\164\151\146\151\143\141\164\145\163\040\122\157\157\164\060
-\036\027\015\061\060\060\070\063\061\060\067\061\061\062\065\132
-\027\015\063\060\060\070\063\061\060\067\061\061\062\065\132\060
-\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116\061
-\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141\040
-\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162\153
-\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145\156
-\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103\150
-\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145\164
-\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157\156
-\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164\151
-\146\151\143\141\164\145\163\040\122\157\157\164\060\202\001\042
-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
-\202\001\017\000\060\202\001\012\002\202\001\001\000\233\176\163
-\356\275\073\170\252\144\103\101\365\120\337\224\362\056\262\215
-\112\216\106\124\322\041\022\310\071\062\102\006\351\203\325\237
-\122\355\345\147\003\073\124\301\214\231\231\314\351\300\017\377
-\015\331\204\021\262\270\321\313\133\334\036\371\150\061\144\341
-\233\372\164\353\150\271\040\225\367\306\017\215\107\254\132\006
-\335\141\253\342\354\330\237\027\055\234\312\074\065\227\125\161
-\315\103\205\261\107\026\365\054\123\200\166\317\323\000\144\275
-\100\231\335\314\330\333\304\237\326\023\137\101\203\213\371\015
-\207\222\126\064\154\032\020\013\027\325\132\034\227\130\204\074
-\204\032\056\134\221\064\156\031\137\177\027\151\305\145\357\153
-\041\306\325\120\072\277\141\271\005\215\357\157\064\072\262\157
-\024\143\277\026\073\233\251\052\375\267\053\070\146\006\305\054
-\342\252\147\036\105\247\215\004\146\102\366\217\053\357\210\040
-\151\217\062\214\024\163\332\053\206\221\143\042\232\362\247\333
-\316\211\213\253\135\307\024\301\133\060\152\037\261\267\236\056
-\201\001\002\355\317\226\136\143\333\250\346\070\267\002\003\001
-\000\001\243\143\060\141\060\037\006\003\125\035\043\004\030\060
-\026\200\024\174\162\113\071\307\300\333\142\245\117\233\252\030
-\064\222\242\312\203\202\131\060\017\006\003\125\035\023\001\001
-\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
-\001\377\004\004\003\002\001\006\060\035\006\003\125\035\016\004
-\026\004\024\174\162\113\071\307\300\333\142\245\117\233\252\030
-\064\222\242\312\203\202\131\060\015\006\011\052\206\110\206\367
-\015\001\001\005\005\000\003\202\001\001\000\052\303\307\103\067
-\217\335\255\244\262\014\356\334\024\155\217\050\244\230\111\313
-\014\200\352\363\355\043\146\165\175\305\323\041\147\171\321\163
-\305\265\003\267\130\254\014\124\057\306\126\023\017\061\332\006
-\347\145\073\035\157\066\333\310\035\371\375\200\006\312\243\075
-\146\026\250\235\114\026\175\300\225\106\265\121\344\342\037\327
-\352\006\115\143\215\226\214\357\347\063\127\102\072\353\214\301
-\171\310\115\166\175\336\366\261\267\201\340\240\371\241\170\106
-\027\032\126\230\360\116\075\253\034\355\354\071\334\007\110\367
-\143\376\006\256\302\244\134\152\133\062\210\305\307\063\205\254
-\146\102\107\302\130\044\231\341\345\076\345\165\054\216\103\326
-\135\074\170\036\250\225\202\051\120\321\321\026\272\357\301\276
-\172\331\264\330\314\036\114\106\341\167\261\061\253\275\052\310
-\316\217\156\241\135\177\003\165\064\344\255\211\105\124\136\276
-\256\050\245\273\077\170\171\353\163\263\012\015\375\276\311\367
-\126\254\366\267\355\057\233\041\051\307\070\266\225\304\004\362
-\303\055\375\024\052\220\231\271\007\314\237
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "China Internet Network Information Center EV Certificates Root"
-# Issuer: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Serial Number: 1218379777 (0x489f0001)
-# Subject: CN=China Internet Network Information Center EV Certificates Root,O=China Internet Network Information Center,C=CN
-# Not Valid Before: Tue Aug 31 07:11:25 2010
-# Not Valid After : Sat Aug 31 07:11:25 2030
-# Fingerprint (MD5): 55:5D:63:00:97:BD:6A:97:F5:67:AB:4B:FB:6E:63:15
-# Fingerprint (SHA1): 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "China Internet Network Information Center EV Certificates Root"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\117\231\252\223\373\053\321\067\046\241\231\112\316\177\360\005
-\362\223\135\036
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\125\135\143\000\227\275\152\227\365\147\253\113\373\156\143\025
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\212\061\013\060\011\006\003\125\004\006\023\002\103\116
-\061\062\060\060\006\003\125\004\012\014\051\103\150\151\156\141
-\040\111\156\164\145\162\156\145\164\040\116\145\164\167\157\162
-\153\040\111\156\146\157\162\155\141\164\151\157\156\040\103\145
-\156\164\145\162\061\107\060\105\006\003\125\004\003\014\076\103
-\150\151\156\141\040\111\156\164\145\162\156\145\164\040\116\145
-\164\167\157\162\153\040\111\156\146\157\162\155\141\164\151\157
-\156\040\103\145\156\164\145\162\040\105\126\040\103\145\162\164
-\151\146\151\143\141\164\145\163\040\122\157\157\164
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\110\237\000\001
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Swisscom Root CA 2"
 #
 # Issuer: CN=Swisscom Root CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
 # Serial Number:1e:9e:28:e8:48:f2:e5:ef:c3:7c:4a:1e:5a:18:67:b6
@@ -20452,195 +18826,19 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\123\145\162\166\151\143\145\163\061\033\060\031\006\003\125
 \004\003\023\022\123\167\151\163\163\143\157\155\040\122\157\157
 \164\040\103\101\040\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\036\236\050\350\110\362\345\357\303\174\112\036\132\030
 \147\266
 END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "Swisscom Root EV CA 2"
-#
-# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
-# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Fri Jun 24 09:45:08 2011
-# Not Valid After : Wed Jun 25 08:45:08 2031
-# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
-# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root EV CA 2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
-\166\312\130
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\005\340\060\202\003\310\240\003\002\001\002\002\021\000
-\362\372\144\342\164\143\323\215\375\020\035\004\037\166\312\130
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\060
-\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061\021
-\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143\157
-\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147\151
-\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145\040
-\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125\004
-\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157\164
-\040\105\126\040\103\101\040\062\060\036\027\015\061\061\060\066
-\062\064\060\071\064\065\060\070\132\027\015\063\061\060\066\062
-\065\060\070\064\065\060\070\132\060\147\061\013\060\011\006\003
-\125\004\006\023\002\143\150\061\021\060\017\006\003\125\004\012
-\023\010\123\167\151\163\163\143\157\155\061\045\060\043\006\003
-\125\004\013\023\034\104\151\147\151\164\141\154\040\103\145\162
-\164\151\146\151\143\141\164\145\040\123\145\162\166\151\143\145
-\163\061\036\060\034\006\003\125\004\003\023\025\123\167\151\163
-\163\143\157\155\040\122\157\157\164\040\105\126\040\103\101\040
-\062\060\202\002\042\060\015\006\011\052\206\110\206\367\015\001
-\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202\002
-\001\000\304\367\035\057\127\352\127\154\367\160\135\143\260\161
-\122\011\140\104\050\063\243\172\116\012\372\330\352\154\213\121
-\026\032\125\256\124\046\304\314\105\007\101\117\020\171\177\161
-\322\172\116\077\070\116\263\000\306\225\312\133\315\301\052\203
-\327\047\037\061\016\043\026\267\045\313\034\264\271\200\062\136
-\032\235\223\361\350\074\140\054\247\136\127\031\130\121\136\274
-\054\126\013\270\330\357\213\202\264\074\270\302\044\250\023\307
-\240\041\066\033\172\127\051\050\247\056\277\161\045\220\363\104
-\203\151\120\244\344\341\033\142\031\224\011\243\363\303\274\357
-\364\275\354\333\023\235\317\235\110\011\122\147\300\067\051\021
-\036\373\322\021\247\205\030\164\171\344\117\205\024\353\122\067
-\342\261\105\330\314\015\103\177\256\023\322\153\053\077\247\302
-\342\250\155\166\133\103\237\276\264\235\263\046\206\073\037\177
-\345\362\350\146\050\026\045\320\113\227\070\247\344\317\011\321
-\066\303\013\276\332\073\104\130\215\276\361\236\011\153\076\363
-\062\307\053\207\306\354\136\234\366\207\145\255\063\051\304\057
-\211\331\271\313\311\003\235\373\154\224\121\227\020\033\206\013
-\032\033\077\366\002\176\173\324\305\121\144\050\235\365\323\254
-\203\201\210\323\164\264\131\235\301\353\141\063\132\105\321\313
-\071\320\006\152\123\140\035\257\366\373\151\274\152\334\001\317
-\275\371\217\331\275\133\301\072\137\216\332\017\113\251\233\235
-\052\050\153\032\012\174\074\253\042\013\345\167\055\161\366\202
-\065\201\256\370\173\201\346\352\376\254\364\032\233\164\134\350
-\217\044\366\135\235\106\304\054\322\036\053\041\152\203\047\147
-\125\112\244\343\310\062\227\146\220\162\332\343\324\144\056\137
-\343\241\152\366\140\324\347\065\315\312\304\150\215\327\161\310
-\323\044\063\163\261\154\371\152\341\050\333\137\306\075\350\276
-\125\346\067\033\355\044\331\017\031\217\137\143\030\130\120\201
-\121\145\157\362\237\176\152\004\347\064\044\161\272\166\113\130
-\036\031\275\025\140\105\252\014\022\100\001\235\020\342\307\070
-\007\162\012\145\300\266\273\045\051\332\026\236\213\065\213\141
-\355\345\161\127\203\265\074\161\237\343\117\277\176\036\201\237
-\101\227\002\003\001\000\001\243\201\206\060\201\203\060\016\006
-\003\125\035\017\001\001\377\004\004\003\002\001\206\060\035\006
-\003\125\035\041\004\026\060\024\060\022\006\007\140\205\164\001
-\123\002\002\006\007\140\205\164\001\123\002\002\060\022\006\003
-\125\035\023\001\001\377\004\010\060\006\001\001\377\002\001\003
-\060\035\006\003\125\035\016\004\026\004\024\105\331\245\201\156
-\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235\060
-\037\006\003\125\035\043\004\030\060\026\200\024\105\331\245\201
-\156\075\210\115\215\161\322\106\301\156\105\036\363\304\200\235
-\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000\003
-\202\002\001\000\224\072\163\006\237\122\113\060\134\324\376\261
-\134\045\371\327\216\157\365\207\144\237\355\024\216\270\004\216
-\050\113\217\252\173\216\071\264\331\130\366\173\241\065\012\241
-\235\212\367\143\345\353\275\071\202\324\343\172\055\157\337\023
-\074\272\376\176\126\230\013\363\124\237\315\104\116\156\074\341
-\076\025\277\006\046\235\344\360\220\266\324\302\236\060\056\037
-\357\307\172\304\120\307\352\173\332\120\313\172\046\313\000\264
-\132\253\265\223\037\200\211\204\004\225\215\215\177\011\223\277
-\324\250\250\344\143\155\331\144\344\270\051\132\010\277\120\341
-\204\017\125\173\137\010\042\033\365\275\231\036\024\366\316\364
-\130\020\202\263\012\075\031\301\277\133\253\252\231\330\362\061
-\275\345\070\146\334\130\005\307\355\143\032\056\012\227\174\207
-\223\053\262\212\343\361\354\030\345\165\266\051\207\347\334\213
-\032\176\264\330\311\323\212\027\154\175\051\104\276\212\252\365
-\176\072\056\150\061\223\271\152\332\232\340\333\351\056\245\204
-\315\034\012\270\112\010\371\234\361\141\046\230\223\267\173\146
-\354\221\136\335\121\077\333\163\017\255\004\130\011\335\004\002
-\225\012\076\323\166\337\246\020\036\200\075\350\315\244\144\321
-\063\307\222\307\342\116\104\343\011\311\116\302\135\207\016\022
-\236\277\017\311\005\020\336\172\243\261\074\362\077\245\252\047
-\171\255\061\175\037\375\374\031\151\305\335\271\077\174\315\306
-\264\302\060\036\176\156\222\327\177\141\166\132\217\353\225\115
-\274\021\156\041\174\131\067\231\320\006\274\371\006\155\062\026
-\245\331\151\250\341\334\074\200\036\140\121\334\327\124\041\036
-\312\142\167\117\372\330\217\263\053\072\015\170\162\311\150\101
-\132\107\112\302\243\353\032\327\012\253\074\062\125\310\012\021
-\234\337\164\326\360\100\025\035\310\271\217\265\066\305\257\370
-\042\270\312\035\363\326\266\031\017\237\141\145\152\352\164\310
-\174\217\303\117\135\145\202\037\331\015\211\332\165\162\373\357
-\361\107\147\023\263\310\321\031\210\047\046\232\231\171\177\036
-\344\054\077\173\356\361\336\115\213\226\227\303\325\077\174\033
-\043\355\244\263\035\026\162\103\113\040\341\131\176\302\350\255
-\046\277\242\367
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-
-# Trust for "Swisscom Root EV CA 2"
-# Issuer: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Serial Number:00:f2:fa:64:e2:74:63:d3:8d:fd:10:1d:04:1f:76:ca:58
-# Subject: CN=Swisscom Root EV CA 2,OU=Digital Certificate Services,O=Swisscom,C=ch
-# Not Valid Before: Fri Jun 24 09:45:08 2011
-# Not Valid After : Wed Jun 25 08:45:08 2031
-# Fingerprint (MD5): 7B:30:34:9F:DD:0A:4B:6B:35:CA:31:51:28:5D:AE:EC
-# Fingerprint (SHA1): E7:A1:90:29:D3:D5:52:DC:0D:0F:C6:92:D3:EA:88:0D:15:2E:1A:6B
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Swisscom Root EV CA 2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\347\241\220\051\323\325\122\334\015\017\306\222\323\352\210\015
-\025\056\032\153
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\173\060\064\237\335\012\113\153\065\312\061\121\050\135\256\354
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\147\061\013\060\011\006\003\125\004\006\023\002\143\150\061
-\021\060\017\006\003\125\004\012\023\010\123\167\151\163\163\143
-\157\155\061\045\060\043\006\003\125\004\013\023\034\104\151\147
-\151\164\141\154\040\103\145\162\164\151\146\151\143\141\164\145
-\040\123\145\162\166\151\143\145\163\061\036\060\034\006\003\125
-\004\003\023\025\123\167\151\163\163\143\157\155\040\122\157\157
-\164\040\105\126\040\103\101\040\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\021\000\362\372\144\342\164\143\323\215\375\020\035\004\037
-\166\312\130
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA Disig Root R1"
 #
 # Issuer: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:c3:03:9a:ee:50:90:6e:28
 # Subject: CN=CA Disig Root R1,O=Disig a.s.,L=Bratislava,C=SK
@@ -20793,17 +18991,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
 \164\040\122\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\303\003\232\356\120\220\156\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA Disig Root R2"
 #
 # Issuer: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
 # Serial Number:00:92:b8:88:db:b0:8a:c1:63
 # Subject: CN=CA Disig Root R2,O=Disig a.s.,L=Bratislava,C=SK
@@ -20956,17 +19154,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \004\003\023\020\103\101\040\104\151\163\151\147\040\122\157\157
 \164\040\122\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\011\000\222\270\210\333\260\212\301\143
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "ACCVRAIZ1"
 #
 # Issuer: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
 # Serial Number:5e:c3:b7:a6:43:7f:a4:e0
 # Subject: C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1
@@ -21155,17 +19353,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \012\014\004\101\103\103\126\061\013\060\011\006\003\125\004\006
 \023\002\105\123
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\136\303\267\246\103\177\244\340
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TWCA Global Root CA"
 #
 # Issuer: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
 # Serial Number: 3262 (0xcbe)
 # Subject: CN=TWCA Global Root CA,OU=Root CA,O=TAIWAN-CA,C=TW
@@ -21316,17 +19514,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \124\127\103\101\040\107\154\157\142\141\154\040\122\157\157\164
 \040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\002\014\276
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "TeliaSonera Root CA v1"
 #
 # Issuer: CN=TeliaSonera Root CA v1,O=TeliaSonera
 # Serial Number:00:95:be:16:a0:f7:2e:46:f1:7b:39:82:72:fa:8b:cd:96
 # Subject: CN=TeliaSonera Root CA v1,O=TeliaSonera
@@ -21667,17 +19865,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \162\164\151\146\151\143\141\164\151\157\156\040\101\165\164\150
 \157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\152\150\076\234\121\233\313\123
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "T-TeleSec GlobalRoot Class 2"
 #
 # Issuer: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
 # Serial Number: 1 (0x1)
 # Subject: CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE
@@ -21939,17 +20137,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \061\061\061\015\060\013\006\003\125\004\012\014\004\101\164\157
 \163\061\013\060\011\006\003\125\004\006\023\002\104\105
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\010\134\063\313\142\054\137\263\062
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 1 G3"
 #
 # Issuer: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
 # Serial Number:78:58:5f:2e:ad:2c:19:4b:e3:37:07:35:34:13:28:b5:96:d4:65:93
 # Subject: CN=QuoVadis Root CA 1 G3,O=QuoVadis Limited,C=BM
@@ -22101,17 +20299,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\061\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\170\130\137\056\255\054\031\113\343\067\007\065\064\023
 \050\265\226\324\145\223
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 2 G3"
 #
 # Issuer: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
 # Serial Number:44:57:34:24:5b:81:89:9b:35:f2:ce:b8:2b:3b:5b:a7:26:f0:75:28
 # Subject: CN=QuoVadis Root CA 2 G3,O=QuoVadis Limited,C=BM
@@ -22263,17 +20461,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\062\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\104\127\064\044\133\201\211\233\065\362\316\270\053\073
 \133\247\046\360\165\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "QuoVadis Root CA 3 G3"
 #
 # Issuer: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
 # Serial Number:2e:f5:9b:02:28:a7:db:7a:ff:d5:a3:a9:ee:bd:03:a0:cf:12:6a:1d
 # Subject: CN=QuoVadis Root CA 3 G3,O=QuoVadis Limited,C=BM
@@ -22425,17 +20623,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\164\040\103\101\040\063\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\024\056\365\233\002\050\247\333\172\377\325\243\251\356\275
 \003\240\317\022\152\035
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root G2"
 #
 # Issuer: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:93:1c:3a:d6:39:67:ea:67:23:bf:c3:af:9a:f4:4b
 # Subject: CN=DigiCert Assured ID Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22564,17 +20762,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\013\223\034\072\326\071\147\352\147\043\277\303\257\232
 \364\113
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Assured ID Root G3"
 #
 # Issuer: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:0b:a1:5a:fa:1d:df:a0:b5:49:44:af:cd:24:a0:6c:ec
 # Subject: CN=DigiCert Assured ID Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22682,17 +20880,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \122\157\157\164\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\013\241\132\372\035\337\240\265\111\104\257\315\044\240
 \154\354
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root G2"
 #
 # Issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5
 # Subject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22821,17 +21019,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\003\072\361\346\247\021\251\240\273\050\144\261\035\011
 \372\345
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Global Root G3"
 #
 # Issuer: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:55:56:bc:f2:5e:a4:35:35:c3:a4:0f:d5:ab:45:72
 # Subject: CN=DigiCert Global Root G3,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -22939,17 +21137,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\005\125\126\274\362\136\244\065\065\303\244\017\325\253
 \105\162
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "DigiCert Trusted Root G4"
 #
 # Issuer: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
 # Serial Number:05:9b:1b:57:9e:8e:21:32:e2:39:07:bd:a7:77:75:5c
 # Subject: CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US
@@ -23110,17 +21308,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\040\107\064
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\005\233\033\127\236\216\041\062\342\071\007\275\247\167
 \165\134
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "WoSign"
 #
 # Issuer: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
 # Serial Number:5e:68:d6:11:71:94:63:50:56:00:68:f3:3e:c9:c5:91
 # Subject: CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN
@@ -23276,17 +21474,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\127\157\123\151\147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\136\150\326\021\161\224\143\120\126\000\150\363\076\311
 \305\221
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "WoSign China"
 #
 # Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
 # Serial Number:50:70:6b:cd:d8:13:fc:1b:4e:3b:33:72:d2:11:48:8d
 # Subject: CN=CA ...............,O=WoSign CA Limited,C=CN
@@ -23437,17 +21635,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \240\271\350\257\201\344\271\246
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\120\160\153\315\330\023\374\033\116\073\063\162\322\021
 \110\215
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "COMODO RSA Certification Authority"
 #
 # Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 # Serial Number:4c:aa:f9:ca:db:63:6f:e0:1f:f7:4e:d8:5b:03:86:9d
 # Subject: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
@@ -23618,17 +21816,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\114\252\371\312\333\143\157\340\037\367\116\330\133\003
 \206\235
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "USERTrust RSA Certification Authority"
 #
 # Issuer: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
 # Subject: CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23800,17 +21998,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\001\375\155\060\374\243\312\121\250\033\274\144\016\065
 \003\055
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "USERTrust ECC Certification Authority"
 #
 # Issuer: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
 # Serial Number:5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
 # Subject: CN=USERTrust ECC Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
@@ -23929,17 +22127,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \156\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\134\213\231\305\132\224\305\322\161\126\336\315\211\200
 \314\046
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign ECC Root CA - R4"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
 # Serial Number:2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R4
@@ -24038,17 +22236,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\052\070\244\034\226\012\004\336\102\262\050\245\013\350
 \064\230\002
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "GlobalSign ECC Root CA - R5"
 #
 # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
 # Serial Number:60:59:49:e0:26:2e:bb:55:f9:0a:77:8a:71:f9:4a:d8:6c
 # Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign ECC Root CA - R5
@@ -24151,17 +22349,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \147\156
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\140\131\111\340\046\056\273\125\371\012\167\212\161\371
 \112\330\154
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal"
 #
 # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
 # Serial Number:2f:00:6e:cd:17:70:66:e7:5f:a3:82:0a:79:1f:05:ae
 # Subject: CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
@@ -25300,17 +23498,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\107
 \062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\112\123\214\050
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Entrust Root Certification Authority - EC1"
 #
 # Issuer: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
 # Serial Number:00:a6:8b:79:29:00:00:00:00:50:d0:91:f9
 # Subject: CN=Entrust Root Certification Authority - EC1,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
@@ -25445,17 +23643,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\156\040\101\165\164\150\157\162\151\164\171\040\055\040\105
 \103\061
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\015\000\246\213\171\051\000\000\000\000\120\320\221\371
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CFCA EV ROOT"
 #
 # Issuer: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
 # Serial Number: 407555286 (0x184accd6)
 # Subject: CN=CFCA EV ROOT,O=China Financial Certification Authority,C=CN
@@ -25915,17 +24113,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \164\040\123\141\304\237\154\141\171\304\261\143\304\261\163\304
 \261\040\110\065
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\007\000\216\027\376\044\040\201
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certinomis - Root CA"
 #
 # Issuer: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
 # Serial Number: 1 (0x1)
 # Subject: CN=Certinomis - Root CA,OU=0002 433998903,O=Certinomis,C=FR
@@ -26222,17 +24420,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \157\142\141\154\040\122\157\157\164\040\107\102\040\103\101
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\166\261\040\122\164\360\205\207\106\263\370\043\032\366
 \302\300
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "Certification Authority of WoSign G2"
 #
 # Issuer: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
 # Serial Number:6b:25:da:8a:88:9d:7c:bc:0f:05:b3:b1:7a:61:45:44
 # Subject: CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
@@ -26356,17 +24554,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \040\127\157\123\151\147\156\040\107\062
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\153\045\332\212\210\235\174\274\017\005\263\261\172\141
 \105\104
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "CA WoSign ECC Root"
 #
 # Issuer: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
 # Serial Number:68:4a:58:70:80:6b:f0:8f:02:fa:f6:de:e8:b0:90:90
 # Subject: CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
@@ -26464,17 +24662,17 @@ CKA_ISSUER MULTILINE_OCTAL
 \105\103\103\040\122\157\157\164
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\150\112\130\160\200\153\360\217\002\372\366\336\350\260
 \220\220
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
 # Certificate "SZAFIR ROOT CA2"
 #
 # Issuer: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
 # Serial Number:3e:8a:5d:07:ec:55:d2:32:d5:b7:e3:b6:5f:01:eb:2d:dc:e4:d6:e4
 # Subject: CN=SZAFIR ROOT CA2,O=Krajowa Izba Rozliczeniowa S.A.,C=PL
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@@ -41,18 +41,18 @@
  *   made on that branch.
  *
  * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 16
+#define NSS_BUILTINS_LIBRARY_VERSION "2.16"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 
 /* These version numbers detail the semantic changes to ckbi itself
  * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
--- a/security/nss/lib/dev/devslot.c
+++ b/security/nss/lib/dev/devslot.c
@@ -221,25 +221,26 @@ nssSlot_GetCryptokiEPV(
     return slot->epv;
 }
 
 NSS_IMPLEMENT NSSToken *
 nssSlot_GetToken(
     NSSSlot *slot)
 {
     NSSToken *rvToken = NULL;
-    nssSlot_EnterMonitor(slot);
 
-    /* Even if a token should be present, check `slot->token` too as it
-     * might be gone already. This would happen mostly on shutdown. */
-    if (nssSlot_IsTokenPresent(slot) && slot->token) {
-        rvToken = nssToken_AddRef(slot->token);
+    if (nssSlot_IsTokenPresent(slot)) {
+        /* Even if a token should be present, check `slot->token` too as it
+	 * might be gone already. This would happen mostly on shutdown. */
+        nssSlot_EnterMonitor(slot);
+        if (slot->token)
+            rvToken = nssToken_AddRef(slot->token);
+        nssSlot_ExitMonitor(slot);
     }
 
-    nssSlot_ExitMonitor(slot);
     return rvToken;
 }
 
 NSS_IMPLEMENT PRStatus
 nssSession_EnterMonitor(
     nssSession *s)
 {
     if (s->lock)
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -2634,43 +2634,63 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
             context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
             context->maxLen = MAX_ECKEY_LEN * 2;
 
             break;
 #endif /* NSS_DISABLE_ECC */
 
 #define INIT_HMAC_MECH(mmm)                                               \
     case CKM_##mmm##_HMAC_GENERAL:                                        \
+        PORT_Assert(pMechanism->pParameter);                              \
+        if (!pMechanism->pParameter) {                                    \
+            crv = CKR_MECHANISM_PARAM_INVALID;                            \
+            break;                                                        \
+        }                                                                 \
         crv = sftk_doHMACInit(context, HASH_Alg##mmm, key,                \
                               *(CK_ULONG *)pMechanism->pParameter);       \
         break;                                                            \
     case CKM_##mmm##_HMAC:                                                \
         crv = sftk_doHMACInit(context, HASH_Alg##mmm, key, mmm##_LENGTH); \
         break;
 
             INIT_HMAC_MECH(MD2)
             INIT_HMAC_MECH(MD5)
             INIT_HMAC_MECH(SHA224)
             INIT_HMAC_MECH(SHA256)
             INIT_HMAC_MECH(SHA384)
             INIT_HMAC_MECH(SHA512)
 
         case CKM_SHA_1_HMAC_GENERAL:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doHMACInit(context, HASH_AlgSHA1, key,
                                   *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_SHA_1_HMAC:
             crv = sftk_doHMACInit(context, HASH_AlgSHA1, key, SHA1_LENGTH);
             break;
 
         case CKM_SSL3_MD5_MAC:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
                                     *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_SSL3_SHA1_MAC:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
                                     *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_TLS_PRF_GENERAL:
             crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
             break;
         case CKM_TLS_MAC: {
             CK_TLS_MAC_PARAMS *tls12_mac_params;
@@ -3309,28 +3329,43 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
             INIT_HMAC_MECH(MD2)
             INIT_HMAC_MECH(MD5)
             INIT_HMAC_MECH(SHA224)
             INIT_HMAC_MECH(SHA256)
             INIT_HMAC_MECH(SHA384)
             INIT_HMAC_MECH(SHA512)
 
         case CKM_SHA_1_HMAC_GENERAL:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doHMACInit(context, HASH_AlgSHA1, key,
                                   *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_SHA_1_HMAC:
             crv = sftk_doHMACInit(context, HASH_AlgSHA1, key, SHA1_LENGTH);
             break;
 
         case CKM_SSL3_MD5_MAC:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
                                     *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_SSL3_SHA1_MAC:
+            PORT_Assert(pMechanism->pParameter);
+            if (!pMechanism->pParameter) {
+                crv = CKR_MECHANISM_PARAM_INVALID;
+                break;
+            }
             crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
                                     *(CK_ULONG *)pMechanism->pParameter);
             break;
         case CKM_TLS_PRF_GENERAL:
             crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
             break;
         case CKM_NSS_TLS_PRF_GENERAL_SHA256:
             crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -61,17 +61,17 @@ class cfAction(argparse.Action):
         subprocess.call(command + values)
 
     def filesChanged(self, path):
         hash = sha256()
         for dirname, dirnames, files in os.walk(path):
             for file in files:
                 with open(os.path.join(dirname, file), "rb") as f:
                     hash.update(f.read())
-        chk_file = cwd + "/out/.chk"
+        chk_file = cwd + "/.chk"
         old_chk = ""
         new_chk = hash.hexdigest()
         if os.path.exists(chk_file):
             with open(chk_file) as f:
                 old_chk = f.readline()
         if old_chk != new_chk:
             with open(chk_file, "w+") as f:
                 f.write(new_chk)
--- a/security/nss/tests/interop/interop.sh
+++ b/security/nss/tests/interop/interop.sh
@@ -21,23 +21,25 @@ interop_init()
   fi
 
   mkdir -p "${HOSTDIR}/interop"
   cd "${HOSTDIR}/interop"
   INTEROP=${INTEROP:=tls_interop}
   if [ ! -d "$INTEROP" ]; then
     git clone -q https://github.com/mozilla/tls-interop "$INTEROP"
   fi
+  INTEROP=$(cd "$INTEROP";pwd -P)
 
   # We use the BoringSSL keyfiles
   BORING=${BORING:=boringssl}
   if [ ! -d "$BORING" ]; then
     git clone -q https://boringssl.googlesource.com/boringssl "$BORING"
     git -C "$BORING" checkout -q ea80f9d5df4c302de391e999395e1c87f9c786b3
   fi
+  BORING=$(cd "$BORING";pwd -P)
 
   SCRIPTNAME="interop.sh"
   html_head "interop test"
 }
 
 interop_cleanup()
 {
   html "</TABLE><BR>"
@@ -48,21 +50,21 @@ interop_cleanup()
 # Function so we can easily add other stacks
 interop_run()
 {
   test_name=$1
   client=$2
   server=$3
 
   (cd "$INTEROP";
-   cargo run -- --client ${client} --server ${server} --rootdir ../${BORING}/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
+   cargo run -- --client "$client" --server "$server" --rootdir "$BORING"/ssl/test/runner/ --test-cases cases.json) 2>interop-${test_name}.errors | tee interop-${test_name}.log
   html_msg "${PIPESTATUS[0]}" 0 "Interop" "Run successfully"
   grep -i 'FAILED\|Assertion failure' interop-${test_name}.errors
   html_msg $? 1 "Interop" "No failures"
 }
 
 cd "$(dirname "$0")"
 SOURCE_DIR="$PWD"/../..
 interop_init
-NSS_SHIM="${BINDIR}"/nss_bogo_shim
-BORING_SHIM="../${BORING}"/build/ssl/test/bssl_shim
+NSS_SHIM="$BINDIR"/nss_bogo_shim
+BORING_SHIM="$BORING"/build/ssl/test/bssl_shim
 interop_run "nss_nss" ${NSS_SHIM} ${NSS_SHIM}
 interop_cleanup
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -409996,17 +409996,17 @@
    "a8192dcd62d73279885fb062926e4fac3b02999d",
    "testharness"
   ],
   "XMLHttpRequest/event-timeout.htm": [
    "5035e847bc8fcf16164cefeee293d149fe5f5fce",
    "testharness"
   ],
   "XMLHttpRequest/event-upload-progress-crossorigin.htm": [
-   "329b648fb3dc0169c5bf185ad9bb88245e7f889d",
+   "7a18f690ea1c7679d52ff0fd39ea931650d6b9c5",
    "testharness"
   ],
   "XMLHttpRequest/event-upload-progress.htm": [
    "4970811cfd2c1bdd1a08af6dd16eda8ffbff8ffd",
    "testharness"
   ],
   "XMLHttpRequest/folder.txt": [
    "4dca56d05a21f0d018cd311f43e134e4501cf6d9",
--- a/testing/web-platform/meta/html/dom/interfaces.html.ini
+++ b/testing/web-platform/meta/html/dom/interfaces.html.ini
@@ -3011,19 +3011,16 @@
     expected: FAIL
 
   [HTMLLinkElement interface: document.createElement("link") must inherit property "nonce" with the proper type (5)]
     expected: FAIL
 
   [HTMLIFrameElement interface: attribute allowUserMedia]
     expected: FAIL
 
-  [HTMLIFrameElement interface: attribute allowPaymentRequest]
-    expected: FAIL
-
   [Window interface: window must inherit property "oncancel" with the proper type (41)]
     expected: FAIL
 
   [Window interface: window must inherit property "oncuechange" with the proper type (48)]
     expected: FAIL
 
   [Window interface: window must inherit property "onmousewheel" with the proper type (79)]
     expected: FAIL
--- a/testing/web-platform/meta/html/dom/reflection-embedded.html.ini
+++ b/testing/web-platform/meta/html/dom/reflection-embedded.html.ini
@@ -966,105 +966,8 @@
   [iframe.allowUserMedia: IDL set to "\\0"]
     expected: FAIL
 
   [iframe.allowUserMedia: IDL set to object "test-toString"]
     expected: FAIL
 
   [iframe.allowUserMedia: IDL set to object "test-valueOf"]
     expected: FAIL
-
-  [iframe.allowPaymentRequest: typeof IDL attribute]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL get with DOM attribute unset]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to ""]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to " foo "]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to undefined]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to null]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to 7]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to 1.5]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to true]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to false]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to object "[object Object\]"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to NaN]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to Infinity]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to -Infinity]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to "\\0"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to object "test-toString"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to object "test-valueOf"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: setAttribute() to "allowPaymentRequest"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to ""]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to " foo "]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to undefined]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to null]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to 7]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to 1.5]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to false]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to object "[object Object\]"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to NaN]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to Infinity]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to -Infinity]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to "\\0"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to object "test-toString"]
-    expected: FAIL
-
-  [iframe.allowPaymentRequest: IDL set to object "test-valueOf"]
-    expected: FAIL
-
--- a/testing/web-platform/tests/XMLHttpRequest/event-upload-progress-crossorigin.htm
+++ b/testing/web-platform/tests/XMLHttpRequest/event-upload-progress-crossorigin.htm
@@ -1,26 +1,33 @@
 <!doctype html>
 <html lang=en>
 <meta charset=utf-8>
 <title>XMLHttpRequest: upload progress event for cross-origin requests</title>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
-    <link rel="help" href="https://xhr.spec.whatwg.org/#handler-xhr-onprogress" data-tested-assertations="../.." />
-    <link rel="help" href="https://xhr.spec.whatwg.org/#the-send()-method" data-tested-assertations="following::*//a[contains(@href,'#make-upload-progress-notifications')] following::ol[1]/li[8]" />
-    <link rel="help" href="https://xhr.spec.whatwg.org/#dom-xmlhttprequest-upload" data-tested-assertations=".." />
-
+<script src="/common/get-host-info.sub.js"></script>
 <div id="log"></div>
-<script src="/common/get-host-info.sub.js"></script>
 <script>
-  var test = async_test();
-  test.step(function() {
-    var client = new XMLHttpRequest();
-    client.upload.onprogress = test.step_func(function() {
-      test.done();
-    });
-    client.onload = test.step_func(function() {
-      assert_unreached("onprogress not called.");
-    });
-    client.open("POST", get_host_info().HTTP_REMOTE_ORIGIN + "/XMLHttpRequest/resources/corsenabled.py");
-    client.send("This is a test string.");
-  });
+const remote = get_host_info().HTTP_REMOTE_ORIGIN + "/XMLHttpRequest/resources/corsenabled.py",
+      redirect = "resources/redirect.py?code=307&location=" + remote;
+
+[remote, redirect].forEach(url => {
+  async_test(test => {
+    const client = new XMLHttpRequest();
+    client.upload.onprogress = test.step_func_done()
+    client.onload = test.unreached_func()
+    client.open("POST", url)
+    client.send("On time: " + url)
+  }, "Upload events registered on time (" + url + ")");
+});
+
+[remote, redirect].forEach(url => {
+  async_test(test => {
+    const client = new XMLHttpRequest();
+    client.onload = test.step_func_done();
+    client.open("POST", url);
+    client.send("Too late: " + url);
+    client.upload.onloadstart = test.unreached_func(); // registered too late
+    client.upload.onprogress = test.unreached_func(); // registered too late
+  }, "Upload events registered too late (" + url + ")");
+});
 </script>
--- a/toolkit/components/osfile/tests/xpcshell/test_telemetry.js
+++ b/toolkit/components/osfile/tests/xpcshell/test_telemetry.js
@@ -22,42 +22,42 @@ function getCount(histogram) {
 }
 
 // Ensure that launching the OS.File worker adds data to the relevant
 // histograms
 add_task(async function test_startup() {
   let LAUNCH = "OSFILE_WORKER_LAUNCH_MS";
   let READY = "OSFILE_WORKER_READY_MS";
 
-  let before = Services.telemetry.histogramSnapshots;
+  let before = Services.telemetry.histogramSnapshots.parent;
 
   // Launch the OS.File worker
   await File.getCurrentDirectory();
 
-  let after = Services.telemetry.histogramSnapshots;
+  let after = Services.telemetry.histogramSnapshots.parent;
 
 
   do_print("Ensuring that we have recorded measures for histograms");
   do_check_eq(getCount(after[LAUNCH]), getCount(before[LAUNCH]) + 1);
   do_check_eq(getCount(after[READY]), getCount(before[READY]) + 1);
 
   do_print("Ensuring that launh <= ready");
   do_check_true(after[LAUNCH].sum <= after[READY].sum);
 });
 
 // Ensure that calling writeAtomic adds data to the relevant histograms
 add_task(async function test_writeAtomic() {
   let LABEL = "OSFILE_WRITEATOMIC_JANK_MS";
 
-  let before = Services.telemetry.histogramSnapshots;
+  let before = Services.telemetry.histogramSnapshots.parent;
 
   // Perform a write.
   let path = Path.join(Constants.Path.profileDir, "test_osfile_telemetry.tmp");
   await File.writeAtomic(path, LABEL, { tmpPath: path + ".tmp" } );
 
-  let after = Services.telemetry.histogramSnapshots;
+  let after = Services.telemetry.histogramSnapshots.parent;
 
   do_check_eq(getCount(after[LABEL]), getCount(before[LABEL]) + 1);
 });
 
 function run_test() {
   run_next_test();
 }
--- a/toolkit/components/telemetry/Telemetry.cpp
+++ b/toolkit/components/telemetry/Telemetry.cpp
@@ -853,17 +853,30 @@ TelemetryImpl::SnapshotSubsessionHistogr
 #else
   return NS_OK;
 #endif
 }
 
 NS_IMETHODIMP
 TelemetryImpl::GetKeyedHistogramSnapshots(JSContext *cx, JS::MutableHandle<JS::Value> ret)
 {
-  return TelemetryHistogram::GetKeyedHistogramSnapshots(cx, ret);
+  return TelemetryHistogram::GetKeyedHistogramSnapshots(cx, ret, false, false);
+}
+
+NS_IMETHODIMP
+TelemetryImpl::SnapshotSubsessionKeyedHistograms(bool clearSubsession,
+                                                 JSContext *cx,
+                                                 JS::MutableHandle<JS::Value> ret)
+{
+#if !defined(MOZ_WIDGET_ANDROID)
+  return TelemetryHistogram::GetKeyedHistogramSnapshots(cx, ret, true,
+                                                        clearSubsession);
+#else
+  return NS_OK;
+#endif
 }
 
 bool
 TelemetryImpl::GetSQLStats(JSContext *cx, JS::MutableHandle<JS::Value> ret, bool includePrivateSql)
 {
   JS::Rooted<JSObject*> root_obj(cx, JS_NewPlainObject(cx));
   if (!root_obj)
     return false;
@@ -2411,26 +2424,16 @@ SetProfileDir(nsIFile* aProfD)
   nsAutoString profDirPath;
   nsresult rv = aProfD->GetPath(profDirPath);
   if (NS_FAILED(rv)) {
     return;
   }
   sTelemetryIOObserver->AddPath(profDirPath, NS_LITERAL_STRING("{profile}"));
 }
 
-void CreateStatisticsRecorder()
-{
-  TelemetryHistogram::CreateStatisticsRecorder();
-}
-
-void DestroyStatisticsRecorder()
-{
-  TelemetryHistogram::DestroyStatisticsRecorder();
-}
-
 // Scalar API C++ Endpoints
 
 void
 ScalarAdd(mozilla::Telemetry::ScalarID aId, uint32_t aVal)
 {
   TelemetryScalar::Add(aId, aVal);
 }
 
--- a/toolkit/components/telemetry/Telemetry.h
+++ b/toolkit/components/telemetry/Telemetry.h
@@ -41,23 +41,16 @@ struct KeyedScalarAction;
 struct ChildEventData;
 
 enum TimerResolution {
   Millisecond,
   Microsecond
 };
 
 /**
- * Create and destroy the underlying base::StatisticsRecorder singleton.
- * Creation has to be done very early in the startup sequence.
- */
-void CreateStatisticsRecorder();
-void DestroyStatisticsRecorder();
-
-/**
  * Initialize the Telemetry service on the main thread at startup.
  */
 void Init();
 
 /**
  * Adds sample to a histogram defined in TelemetryHistogramEnums.h
  *
  * @param id - histogram id
@@ -145,17 +138,17 @@ void AccumulateCategorical(HistogramID i
  *
  * @param id - histogram id
  * @param start - start time
  * @param end - end time
  */
 void AccumulateTimeDelta(HistogramID id, TimeStamp start, TimeStamp end = TimeStamp::Now());
 
 /**
- * Enable/disable recording for this histogram at runtime.
+ * Enable/disable recording for this histogram in this process at runtime.
  * Recording is enabled by default, unless listed at kRecordingInitiallyDisabledIDs[].
  * id must be a valid telemetry enum, otherwise an assertion is triggered.
  *
  * @param id - histogram id
  * @param enabled - whether or not to enable recording from now on.
  */
 void SetHistogramRecordingEnabled(HistogramID id, bool enabled);
 
--- a/toolkit/components/telemetry/TelemetryHistogram.cpp
+++ b/toolkit/components/telemetry/TelemetryHistogram.cpp
@@ -23,28 +23,34 @@
 
 #include "TelemetryCommon.h"
 #include "TelemetryHistogram.h"
 #include "ipc/TelemetryIPCAccumulator.h"
 
 #include "base/histogram.h"
 
 using base::Histogram;
-using base::StatisticsRecorder;
 using base::BooleanHistogram;
 using base::CountHistogram;
 using base::FlagHistogram;
 using base::LinearHistogram;
 using mozilla::StaticMutex;
 using mozilla::StaticMutexAutoLock;
 using mozilla::Telemetry::Accumulation;
 using mozilla::Telemetry::KeyedAccumulation;
+using mozilla::Telemetry::HistogramID;
 using mozilla::Telemetry::ProcessID;
+using mozilla::Telemetry::HistogramCount;
 using mozilla::Telemetry::Common::LogToBrowserConsole;
 using mozilla::Telemetry::Common::RecordedProcessType;
+using mozilla::Telemetry::Common::AutoHashtable;
+using mozilla::Telemetry::Common::GetNameForProcessID;
+using mozilla::Telemetry::Common::IsExpiredVersion;
+using mozilla::Telemetry::Common::CanRecordDataset;
+using mozilla::Telemetry::Common::IsInDataset;
 
 namespace TelemetryIPCAccumulator = mozilla::TelemetryIPCAccumulator;
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // Naming: there are two kinds of functions in this file:
 //
@@ -94,116 +100,224 @@ namespace TelemetryIPCAccumulator = mozi
 // means that this file is not guaranteed race-free.
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE TYPES
 
-#define EXPIRED_ID "__expired__"
-#define SUBSESSION_HISTOGRAM_PREFIX "sub#"
-#define KEYED_HISTOGRAM_NAME_SEPARATOR "#"
-#define CONTENT_HISTOGRAM_SUFFIX "#content"
-#define GPU_HISTOGRAM_SUFFIX "#gpu"
-#define EXTENSION_HISTOGRAM_SUFFIX "#extension"
-
 namespace {
 
-using mozilla::Telemetry::Common::AutoHashtable;
-using mozilla::Telemetry::Common::IsExpiredVersion;
-using mozilla::Telemetry::Common::CanRecordDataset;
-using mozilla::Telemetry::Common::IsInDataset;
-
-class KeyedHistogram;
-
-typedef nsBaseHashtableET<nsDepCharHashKey, mozilla::Telemetry::HistogramID>
-          CharPtrEntryType;
-
-typedef AutoHashtable<CharPtrEntryType> HistogramMapType;
-
-typedef nsClassHashtable<nsCStringHashKey, KeyedHistogram>
-          KeyedHistogramMapType;
+typedef nsDataHashtable<nsCStringHashKey, HistogramID> StringToHistogramIdMap;
 
 // Hardcoded probes
 struct HistogramInfo {
   uint32_t min;
   uint32_t max;
   uint32_t bucketCount;
   uint32_t histogramType;
-  uint32_t id_offset;
+  uint32_t name_offset;
   uint32_t expiration_offset;
   uint32_t dataset;
   uint32_t label_index;
   uint32_t label_count;
   RecordedProcessType record_in_processes;
   bool keyed;
 
-  const char *id() const;
+  const char *name() const;
   const char *expiration() const;
   nsresult label_id(const char* label, uint32_t* labelId) const;
 };
 
 enum reflectStatus {
   REFLECT_OK,
-  REFLECT_CORRUPT,
   REFLECT_FAILURE
 };
 
-typedef StatisticsRecorder::Histograms::iterator HistogramIterator;
+enum class SessionType {
+  Session = 0,
+  Subsession = 1,
+  Count,
+};
+
+class KeyedHistogram {
+public:
+  KeyedHistogram(HistogramID id, const HistogramInfo& info);
+  ~KeyedHistogram();
+  nsresult GetHistogram(const nsCString& name, Histogram** histogram, bool subsession);
+  Histogram* GetHistogram(const nsCString& name, bool subsession);
+  uint32_t GetHistogramType() const { return mHistogramInfo.histogramType; }
+  nsresult GetJSKeys(JSContext* cx, JS::CallArgs& args);
+  nsresult GetJSSnapshot(JSContext* cx, JS::Handle<JSObject*> obj,
+                         bool subsession, bool clearSubsession);
+
+  nsresult Add(const nsCString& key, uint32_t aSample, ProcessID aProcessType);
+  void Clear(bool subsession);
+
+  HistogramID GetHistogramID() const { return mId; }
+
+private:
+  typedef nsBaseHashtableET<nsCStringHashKey, Histogram*> KeyedHistogramEntry;
+  typedef AutoHashtable<KeyedHistogramEntry> KeyedHistogramMapType;
+  KeyedHistogramMapType mHistogramMap;
+#if !defined(MOZ_WIDGET_ANDROID)
+  KeyedHistogramMapType mSubsessionMap;
+#endif
+
+  static bool ReflectKeyedHistogram(KeyedHistogramEntry* entry,
+                                    JSContext* cx,
+                                    JS::Handle<JSObject*> obj);
+
+  const HistogramID mId;
+  const HistogramInfo& mHistogramInfo;
+};
 
 } // namespace
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE STATE, SHARED BY ALL THREADS
 
 namespace {
 
 // Set to true once this global state has been initialized
 bool gInitDone = false;
 
+// Whether we are collecting the base, opt-out, Histogram data.
 bool gCanRecordBase = false;
+// Whether we are collecting the extended, opt-in, Histogram data.
 bool gCanRecordExtended = false;
 
-HistogramMapType gHistogramMap(mozilla::Telemetry::HistogramCount);
+// The storage for actual Histogram instances.
+// We use separate ones for plain and keyed histograms.
+Histogram* gHistogramStorage[HistogramCount][uint32_t(ProcessID::Count)][uint32_t(SessionType::Count)] = {};
+// Keyed histograms internally map string keys to individual Histogram instances.
+// KeyedHistogram keeps track of session & subsession histograms internally.
+KeyedHistogram* gKeyedHistogramStorage[HistogramCount][uint32_t(ProcessID::Count)] = {};
 
-KeyedHistogramMapType gKeyedHistograms;
-
-bool gCorruptHistograms[mozilla::Telemetry::HistogramCount];
+// Cache of histogram name to a histogram id.
+StringToHistogramIdMap gNameToHistogramIDMap(HistogramCount);
 
-// This is for gHistograms, gHistogramStringTable
-#include "TelemetryHistogramData.inc"
+// To simplify logic below we use a single histogram instance for all expired histograms.
+Histogram* gExpiredHistogram = nullptr;
 
-// The singleton StatisticsRecorder object for this process.
-base::StatisticsRecorder* gStatisticsRecorder = nullptr;
+// This tracks whether recording is enabled for specific histograms.
+// To utilize C++ initialization rules, we invert the meaning to "disabled".
+bool gHistogramRecordingDisabled[HistogramCount] = {};
+
+// This is for gHistogramInfos, gHistogramStringTable
+#include "TelemetryHistogramData.inc"
 
 } // namespace
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE CONSTANTS
 
 namespace {
 
 // List of histogram IDs which should have recording disabled initially.
-const mozilla::Telemetry::HistogramID kRecordingInitiallyDisabledIDs[] = {
+const HistogramID kRecordingInitiallyDisabledIDs[] = {
   mozilla::Telemetry::FX_REFRESH_DRIVER_SYNC_SCROLL_FRAME_DELAY_MS,
 
   // The array must not be empty. Leave these item here.
   mozilla::Telemetry::TELEMETRY_TEST_COUNT_INIT_NO_RECORD,
   mozilla::Telemetry::TELEMETRY_TEST_KEYED_COUNT_INIT_NO_RECORD
 };
 
 } // namespace
 
+////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////
+//
+// The core storage access functions.
+// They wrap access to the histogram storage and lookup caches.
+
+namespace {
+
+// Factory function for histogram instances.
+Histogram*
+internal_CreateHistogramInstance(const HistogramInfo& info);
+
+bool
+internal_IsHistogramEnumId(HistogramID aID)
+{
+  static_assert(((HistogramID)-1 > 0), "ID should be unsigned.");
+  return aID < HistogramCount;
+}
+
+// Look up a plain histogram by id.
+Histogram*
+internal_GetHistogramById(HistogramID histogramId, ProcessID processId, SessionType sessionType,
+                          bool instantiate = true)
+{
+  MOZ_ASSERT(internal_IsHistogramEnumId(histogramId));
+  MOZ_ASSERT(!gHistogramInfos[histogramId].keyed);
+  MOZ_ASSERT(processId < ProcessID::Count);
+  MOZ_ASSERT(sessionType < SessionType::Count);
+
+  Histogram* h = gHistogramStorage[histogramId][uint32_t(processId)][uint32_t(sessionType)];
+  if (h || !instantiate) {
+    return h;
+  }
+
+  const HistogramInfo& info = gHistogramInfos[histogramId];
+  h = internal_CreateHistogramInstance(info);
+  MOZ_ASSERT(h);
+  gHistogramStorage[histogramId][uint32_t(processId)][uint32_t(sessionType)] = h;
+  return h;
+}
+
+// Look up a keyed histogram by id.
+KeyedHistogram*
+internal_GetKeyedHistogramById(HistogramID histogramId, ProcessID processId,
+                               bool instantiate = true)
+{
+  MOZ_ASSERT(internal_IsHistogramEnumId(histogramId));
+  MOZ_ASSERT(gHistogramInfos[histogramId].keyed);
+  MOZ_ASSERT(processId < ProcessID::Count);
+
+  KeyedHistogram* kh = gKeyedHistogramStorage[histogramId][uint32_t(processId)];
+  if (kh || !instantiate) {
+    return kh;
+  }
+
+  const HistogramInfo& info = gHistogramInfos[histogramId];
+  kh = new KeyedHistogram(histogramId, info);
+  gKeyedHistogramStorage[histogramId][uint32_t(processId)] = kh;
+
+  return kh;
+}
+
+// Look up a histogram id from a histogram name.
+nsresult
+internal_GetHistogramIdByName(const nsACString& name, HistogramID* id)
+{
+  const bool found = gNameToHistogramIDMap.Get(name, id);
+  if (!found) {
+    return NS_ERROR_ILLEGAL_VALUE;
+  }
+
+  return NS_OK;
+}
+
+// Clear a histogram from storage.
+void
+internal_ClearHistogramById(HistogramID histogramId, ProcessID processId, SessionType sessionType)
+{
+  delete gHistogramStorage[histogramId][uint32_t(processId)][uint32_t(sessionType)];
+  gHistogramStorage[histogramId][uint32_t(processId)][uint32_t(sessionType)] = nullptr;
+}
+
+}
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: Misc small helpers
 
 namespace {
 
@@ -212,69 +326,76 @@ internal_CanRecordBase() {
   return gCanRecordBase;
 }
 
 bool
 internal_CanRecordExtended() {
   return gCanRecordExtended;
 }
 
-bool
-internal_IsHistogramEnumId(mozilla::Telemetry::HistogramID aID)
-{
-  static_assert(((mozilla::Telemetry::HistogramID)-1 > 0), "ID should be unsigned.");
-  return aID < mozilla::Telemetry::HistogramCount;
-}
-
 // Note: this is completely unrelated to mozilla::IsEmpty.
 bool
 internal_IsEmpty(const Histogram *h)
 {
   Histogram::SampleSet ss;
   h->SnapshotSample(&ss);
   return ss.counts(0) == 0 && ss.sum() == 0;
 }
 
 bool
-internal_IsExpired(const Histogram *histogram)
+internal_IsExpired(Histogram* h)
+{
+  return h == gExpiredHistogram;
+}
+
+void
+internal_SetHistogramRecordingEnabled(HistogramID id, bool aEnabled)
 {
-  return histogram->histogram_name() == EXPIRED_ID;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+  gHistogramRecordingDisabled[id] = !aEnabled;
+}
+
+bool
+internal_IsRecordingEnabled(HistogramID id)
+{
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+  return !gHistogramRecordingDisabled[id];
 }
 
 nsresult
 internal_GetRegisteredHistogramIds(bool keyed, uint32_t dataset,
                                    uint32_t *aCount, char*** aHistograms)
 {
   nsTArray<char*> collection;
 
-  for (const auto & h : gHistograms) {
+  for (const auto & h : gHistogramInfos) {
     if (IsExpiredVersion(h.expiration()) ||
         h.keyed != keyed ||
         !IsInDataset(h.dataset, dataset)) {
       continue;
     }
 
-    const char* id = h.id();
+    const char* id = h.name();
     const size_t len = strlen(id);
     collection.AppendElement(static_cast<char*>(nsMemory::Clone(id, len+1)));
   }
 
   const size_t bytes = collection.Length() * sizeof(char*);
   char** histograms = static_cast<char**>(moz_xmalloc(bytes));
   memcpy(histograms, collection.Elements(), bytes);
   *aHistograms = histograms;
   *aCount = collection.Length();
 
   return NS_OK;
 }
 
 const char *
-HistogramInfo::id() const
+HistogramInfo::name() const
 {
-  return &gHistogramStringTable[this->id_offset];
+  return &gHistogramStringTable[this->name_offset];
 }
 
 const char *
 HistogramInfo::expiration() const
 {
   return &gHistogramStringTable[this->expiration_offset];
 }
 
@@ -309,457 +430,119 @@ HistogramInfo::label_id(const char* labe
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: Histogram Get, Add, Clone, Clear functions
 
 namespace {
 
 nsresult
-internal_CheckHistogramArguments(uint32_t histogramType,
-                                 uint32_t min, uint32_t max,
-                                 uint32_t bucketCount, bool haveOptArgs)
+internal_CheckHistogramArguments(const HistogramInfo& info)
 {
-  if (histogramType != nsITelemetry::HISTOGRAM_BOOLEAN
-      && histogramType != nsITelemetry::HISTOGRAM_FLAG
-      && histogramType != nsITelemetry::HISTOGRAM_COUNT) {
-    // The min, max & bucketCount arguments are not optional for this type.
-    if (!haveOptArgs)
+  if (info.histogramType != nsITelemetry::HISTOGRAM_BOOLEAN
+      && info.histogramType != nsITelemetry::HISTOGRAM_FLAG
+      && info.histogramType != nsITelemetry::HISTOGRAM_COUNT) {
+    // Sanity checks for histogram parameters.
+    if (info.min >= info.max) {
       return NS_ERROR_ILLEGAL_VALUE;
-
-    // Sanity checks for histogram parameters.
-    if (min >= max)
-      return NS_ERROR_ILLEGAL_VALUE;
+    }
 
-    if (bucketCount <= 2)
+    if (info.bucketCount <= 2) {
       return NS_ERROR_ILLEGAL_VALUE;
+    }
 
-    if (min < 1)
+    if (info.min < 1) {
       return NS_ERROR_ILLEGAL_VALUE;
+    }
   }
 
   return NS_OK;
 }
 
-/*
- * min, max & bucketCount are optional for boolean, flag & count histograms.
- * haveOptArgs has to be set if the caller provides them.
- */
-nsresult
-internal_HistogramGet(const char *name, const char *expiration,
-                      uint32_t histogramType, uint32_t min, uint32_t max,
-                      uint32_t bucketCount, bool haveOptArgs,
-                      Histogram **result)
+Histogram*
+internal_CreateHistogramInstance(const HistogramInfo& passedInfo)
 {
-  nsresult rv = internal_CheckHistogramArguments(histogramType, min, max,
-                                                 bucketCount, haveOptArgs);
-  if (NS_FAILED(rv)) {
-    return rv;
+  if (NS_FAILED(internal_CheckHistogramArguments(passedInfo))) {
+    MOZ_ASSERT(false, "Failed histogram argument checks.");
+    return nullptr;
   }
 
-  if (IsExpiredVersion(expiration)) {
-    name = EXPIRED_ID;
-    min = 1;
-    max = 2;
-    bucketCount = 3;
-    histogramType = nsITelemetry::HISTOGRAM_LINEAR;
+  // To keep the code simple we map all the calls to expired histograms to the same histogram instance.
+  // We create that instance lazily when needed.
+  const bool isExpired = IsExpiredVersion(passedInfo.expiration());
+  HistogramInfo info = passedInfo;
+
+  if (isExpired) {
+    if (gExpiredHistogram) {
+      return gExpiredHistogram;
+    }
+
+    info.min = 1;
+    info.max = 2;
+    info.bucketCount = 3;
+    info.histogramType = nsITelemetry::HISTOGRAM_LINEAR;
   }
 
-  switch (histogramType) {
+  Histogram::Flags flags = Histogram::kNoFlags;
+  Histogram* h = nullptr;
+  switch (info.histogramType) {
   case nsITelemetry::HISTOGRAM_EXPONENTIAL:
-    *result = Histogram::FactoryGet(name, min, max, bucketCount, Histogram::kUmaTargetedHistogramFlag);
+    h = Histogram::FactoryGet(info.min, info.max, info.bucketCount, flags);
     break;
   case nsITelemetry::HISTOGRAM_LINEAR:
   case nsITelemetry::HISTOGRAM_CATEGORICAL:
-    *result = LinearHistogram::FactoryGet(name, min, max, bucketCount, Histogram::kUmaTargetedHistogramFlag);
+    h = LinearHistogram::FactoryGet(info.min, info.max, info.bucketCount, flags);
     break;
   case nsITelemetry::HISTOGRAM_BOOLEAN:
-    *result = BooleanHistogram::FactoryGet(name, Histogram::kUmaTargetedHistogramFlag);
+    h = BooleanHistogram::FactoryGet(flags);
     break;
   case nsITelemetry::HISTOGRAM_FLAG:
-    *result = FlagHistogram::FactoryGet(name, Histogram::kUmaTargetedHistogramFlag);
+    h = FlagHistogram::FactoryGet(flags);
     break;
   case nsITelemetry::HISTOGRAM_COUNT:
-    *result = CountHistogram::FactoryGet(name, Histogram::kUmaTargetedHistogramFlag);
+    h = CountHistogram::FactoryGet(flags);
     break;
   default:
-    NS_ASSERTION(false, "Invalid histogram type");
-    return NS_ERROR_INVALID_ARG;
-  }
-  return NS_OK;
-}
-
-// Read the process type from the given histogram name. The process type, if
-// one exists, is embedded in a suffix.
-mozilla::Telemetry::ProcessID
-GetProcessFromName(const nsACString& aString)
-{
-  if (StringEndsWith(aString, NS_LITERAL_CSTRING(CONTENT_HISTOGRAM_SUFFIX))) {
-    return ProcessID::Content;
-  }
-  if (StringEndsWith(aString, NS_LITERAL_CSTRING(GPU_HISTOGRAM_SUFFIX))) {
-    return ProcessID::Gpu;
-  }
-  if (StringEndsWith(aString, NS_LITERAL_CSTRING(EXTENSION_HISTOGRAM_SUFFIX))) {
-    return ProcessID::Extension;
-  }
-  return ProcessID::Parent;
-}
-
-const char*
-SuffixForProcessType(mozilla::Telemetry::ProcessID aProcessType)
-{
-  switch (aProcessType) {
-    case ProcessID::Parent:
-      return nullptr;
-    case ProcessID::Content:
-      return CONTENT_HISTOGRAM_SUFFIX;
-    case ProcessID::Gpu:
-      return GPU_HISTOGRAM_SUFFIX;
-    case ProcessID::Extension:
-      return EXTENSION_HISTOGRAM_SUFFIX;
-    default:
-      MOZ_ASSERT_UNREACHABLE("unknown process type");
-      return nullptr;
-  }
-}
-
-CharPtrEntryType*
-internal_GetHistogramMapEntry(const char* aName)
-{
-  nsDependentCString name(aName);
-  ProcessID process = GetProcessFromName(name);
-  const char* suffix = SuffixForProcessType(process);
-  if (!suffix) {
-    return gHistogramMap.GetEntry(aName);
+    MOZ_ASSERT(false, "Invalid histogram type");
+    return nullptr;
   }
 
-  auto root = Substring(name, 0, name.Length() - strlen(suffix));
-  return gHistogramMap.GetEntry(PromiseFlatCString(root).get());
+  if (isExpired) {
+    gExpiredHistogram = h;
+  }
+
+  return h;
 }
 
 nsresult
-internal_GetHistogramEnumId(const char *name, mozilla::Telemetry::HistogramID *id)
-{
-  if (!gInitDone) {
-    return NS_ERROR_FAILURE;
-  }
-
-  CharPtrEntryType *entry = internal_GetHistogramMapEntry(name);
-  if (!entry) {
-    return NS_ERROR_INVALID_ARG;
-  }
-  *id = entry->mData;
-  return NS_OK;
-}
-
-// O(1) histogram lookup by numeric id
-nsresult
-internal_GetHistogramByEnumId(mozilla::Telemetry::HistogramID id, Histogram **ret,
-                              ProcessID aProcessType)
+internal_HistogramAdd(Histogram& histogram,
+                      const HistogramID id,
+                      int32_t value,
+                      ProcessID aProcessType)
 {
-  static Histogram* knownHistograms[mozilla::Telemetry::HistogramCount] = {0};
-  static Histogram* knownContentHistograms[mozilla::Telemetry::HistogramCount] = {0};
-  static Histogram* knownGPUHistograms[mozilla::Telemetry::HistogramCount] = {0};
-  static Histogram* knownExtensionHistograms[mozilla::Telemetry::HistogramCount] = {0};
-
-  Histogram** knownList = nullptr;
-
-  switch (aProcessType) {
-  case ProcessID::Parent:
-    knownList = knownHistograms;
-    break;
-  case ProcessID::Content:
-    knownList = knownContentHistograms;
-    break;
-  case ProcessID::Gpu:
-    knownList = knownGPUHistograms;
-    break;
-  case ProcessID::Extension:
-    knownList = knownExtensionHistograms;
-    break;
-  default:
-    MOZ_ASSERT_UNREACHABLE("unknown process type");
-    return NS_ERROR_FAILURE;
-  }
-
-  Histogram* h = knownList[id];
-  if (h) {
-    *ret = h;
+  // Check if we are allowed to record the data.
+  bool canRecordDataset = CanRecordDataset(gHistogramInfos[id].dataset,
+                                           internal_CanRecordBase(),
+                                           internal_CanRecordExtended());
+  // If `histogram` is a non-parent-process histogram, then recording-enabled
+  // has been checked in its owner process.
+  if (!canRecordDataset ||
+    (aProcessType == ProcessID::Parent && !internal_IsRecordingEnabled(id))) {
     return NS_OK;
   }
 
-  const HistogramInfo &p = gHistograms[id];
-  if (p.keyed) {
-    return NS_ERROR_FAILURE;
-  }
-
-  nsAutoCString histogramName;
-  histogramName.Append(p.id());
-  if (const char* suffix = SuffixForProcessType(aProcessType)) {
-    histogramName.AppendASCII(suffix);
-  }
-
-  nsresult rv = internal_HistogramGet(histogramName.get(), p.expiration(),
-                                      p.histogramType, p.min, p.max,
-                                      p.bucketCount, true, &h);
-  if (NS_FAILED(rv))
-    return rv;
-
-#ifdef DEBUG
-  // Check that the C++ Histogram code computes the same ranges as the
-  // Python histogram code.
-  if (!IsExpiredVersion(p.expiration())) {
-    const struct bounds &b = gBucketLowerBoundIndex[id];
-    if (b.length != 0) {
-      MOZ_ASSERT(size_t(b.length) == h->bucket_count(),
-                 "C++/Python bucket # mismatch");
-      for (int i = 0; i < b.length; ++i) {
-        MOZ_ASSERT(gBucketLowerBounds[b.offset + i] == h->ranges(i),
-                   "C++/Python bucket mismatch");
-      }
-    }
-  }
-#endif
-
-  knownList[id] = h;
-  *ret = h;
-  return NS_OK;
-}
-
-nsresult
-internal_GetHistogramByName(const nsACString &name, Histogram **ret)
-{
-  mozilla::Telemetry::HistogramID id;
-  nsresult rv
-    = internal_GetHistogramEnumId(PromiseFlatCString(name).get(), &id);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-
-  ProcessID process = GetProcessFromName(name);
-  rv = internal_GetHistogramByEnumId(id, ret, process);
-  if (NS_FAILED(rv))
-    return rv;
-
-  return NS_OK;
-}
-
-
-#if !defined(MOZ_WIDGET_ANDROID)
-
-/**
- * This clones a histogram |existing| with the id |existingId| to a
- * new histogram with the name |newName|.
- * For simplicity this is limited to registered histograms.
- */
-Histogram*
-internal_CloneHistogram(const nsACString& newName,
-                        mozilla::Telemetry::HistogramID existingId,
-                        Histogram& existing)
-{
-  const HistogramInfo &info = gHistograms[existingId];
-  Histogram *clone = nullptr;
-  nsresult rv;
-
-  rv = internal_HistogramGet(PromiseFlatCString(newName).get(),
-                             info.expiration(),
-                             info.histogramType, existing.declared_min(),
-                             existing.declared_max(), existing.bucket_count(),
-                             true, &clone);
-  if (NS_FAILED(rv)) {
-    return nullptr;
-  }
-
-  Histogram::SampleSet ss;
-  existing.SnapshotSample(&ss);
-  clone->AddSampleSet(ss);
-
-  return clone;
-}
-
-ProcessID
-GetProcessFromName(const std::string& aString)
-{
-  nsDependentCString string(aString.c_str(), aString.length());
-  return GetProcessFromName(string);
-}
-
-Histogram*
-internal_GetSubsessionHistogram(Histogram& existing)
-{
-  mozilla::Telemetry::HistogramID id;
-  nsresult rv
-    = internal_GetHistogramEnumId(existing.histogram_name().c_str(), &id);
-  if (NS_FAILED(rv) || gHistograms[id].keyed) {
-    return nullptr;
-  }
-
-  static Histogram* subsession[mozilla::Telemetry::HistogramCount] = {};
-  static Histogram* subsessionContent[mozilla::Telemetry::HistogramCount] = {};
-  static Histogram* subsessionGPU[mozilla::Telemetry::HistogramCount] = {};
-  static Histogram* subsessionExtension[mozilla::Telemetry::HistogramCount] = {};
-
-  Histogram** cache = nullptr;
-
-  ProcessID process = GetProcessFromName(existing.histogram_name());
-  switch (process) {
-  case ProcessID::Parent:
-    cache = subsession;
-    break;
-  case ProcessID::Content:
-    cache = subsessionContent;
-    break;
-  case ProcessID::Gpu:
-    cache = subsessionGPU;
-    break;
-  case ProcessID::Extension:
-    cache = subsessionExtension;
-    break;
-  default:
-    MOZ_ASSERT_UNREACHABLE("unknown process type");
-    return nullptr;
-  }
-
-  if (Histogram* cached = cache[id]) {
-    return cached;
-  }
-
-  NS_NAMED_LITERAL_CSTRING(prefix, SUBSESSION_HISTOGRAM_PREFIX);
-  nsDependentCString existingName(gHistograms[id].id());
-  if (StringBeginsWith(existingName, prefix)) {
-    return nullptr;
-  }
-
-  nsCString subsessionName(prefix);
-  subsessionName.Append(existing.histogram_name().c_str());
-
-  Histogram* clone = internal_CloneHistogram(subsessionName, id, existing);
-  cache[id] = clone;
-  return clone;
-}
-#endif
-
-nsresult
-internal_HistogramAdd(Histogram& histogram, int32_t value, uint32_t dataset)
-{
-  // Check if we are allowed to record the data.
-  bool canRecordDataset = CanRecordDataset(dataset,
-                                           internal_CanRecordBase(),
-                                           internal_CanRecordExtended());
-  if (!canRecordDataset || !histogram.IsRecordingEnabled()) {
-    return NS_OK;
-  }
-
-#if !defined(MOZ_WIDGET_ANDROID)
-  if (Histogram* subsession = internal_GetSubsessionHistogram(histogram)) {
-    subsession->Add(value);
-  }
-#endif
-
   // It is safe to add to the histogram now: the subsession histogram was already
   // cloned from this so we won't add the sample twice.
   histogram.Add(value);
 
   return NS_OK;
 }
 
-nsresult
-internal_HistogramAdd(Histogram& histogram, int32_t value)
-{
-  uint32_t dataset = nsITelemetry::DATASET_RELEASE_CHANNEL_OPTIN;
-  // We only really care about the dataset of the histogram if we are not recording
-  // extended telemetry. Otherwise, we always record histogram data.
-  if (!internal_CanRecordExtended()) {
-    mozilla::Telemetry::HistogramID id;
-    nsresult rv
-      = internal_GetHistogramEnumId(histogram.histogram_name().c_str(), &id);
-    if (NS_FAILED(rv)) {
-      // If we can't look up the dataset, it might be because the histogram was added
-      // at runtime. Since we're not recording extended telemetry, bail out.
-      return NS_OK;
-    }
-    dataset = gHistograms[id].dataset;
-  }
-
-  return internal_HistogramAdd(histogram, value, dataset);
-}
-
-void
-internal_HistogramClear(Histogram& aHistogram, bool onlySubsession)
-{
-  MOZ_ASSERT(XRE_IsParentProcess());
-  if (!XRE_IsParentProcess()) {
-    return;
-  }
-  if (!onlySubsession) {
-    aHistogram.Clear();
-  }
-
-#if !defined(MOZ_WIDGET_ANDROID)
-  if (Histogram* subsession = internal_GetSubsessionHistogram(aHistogram)) {
-    subsession->Clear();
-  }
-#endif
-}
-
 } // namespace
 
-
-////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////
-//
-// PRIVATE: Histogram corruption helpers
-
-namespace {
-
-void internal_Accumulate(mozilla::Telemetry::HistogramID aHistogram, uint32_t aSample);
-
-void
-internal_IdentifyCorruptHistograms(StatisticsRecorder::Histograms &hs)
-{
-  for (auto h : hs) {
-    mozilla::Telemetry::HistogramID id;
-    nsresult rv = internal_GetHistogramEnumId(h->histogram_name().c_str(), &id);
-    // This histogram isn't a static histogram, just ignore it.
-    if (NS_FAILED(rv)) {
-      continue;
-    }
-
-    if (gCorruptHistograms[id]) {
-      continue;
-    }
-
-    Histogram::SampleSet ss;
-    h->SnapshotSample(&ss);
-
-    Histogram::Inconsistencies check = h->FindCorruption(ss);
-    bool corrupt = (check != Histogram::NO_INCONSISTENCIES);
-
-    if (corrupt) {
-      mozilla::Telemetry::HistogramID corruptID = mozilla::Telemetry::HistogramCount;
-      if (check & Histogram::RANGE_CHECKSUM_ERROR) {
-        corruptID = mozilla::Telemetry::RANGE_CHECKSUM_ERRORS;
-      } else if (check & Histogram::BUCKET_ORDER_ERROR) {
-        corruptID = mozilla::Telemetry::BUCKET_ORDER_ERRORS;
-      } else if (check & Histogram::COUNT_HIGH_ERROR) {
-        corruptID = mozilla::Telemetry::TOTAL_COUNT_HIGH_ERRORS;
-      } else if (check & Histogram::COUNT_LOW_ERROR) {
-        corruptID = mozilla::Telemetry::TOTAL_COUNT_LOW_ERRORS;
-      }
-      internal_Accumulate(corruptID, 1);
-    }
-
-    gCorruptHistograms[id] = corrupt;
-  }
-}
-
-} // namespace
-
-
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: Histogram reflection helpers
 
 namespace {
 
 bool
@@ -774,21 +557,16 @@ internal_FillRanges(JSContext *cx, JS::H
   return true;
 }
 
 enum reflectStatus
 internal_ReflectHistogramAndSamples(JSContext *cx,
                                     JS::Handle<JSObject*> obj, Histogram *h,
                                     const Histogram::SampleSet &ss)
 {
-  // We don't want to reflect corrupt histograms.
-  if (h->FindCorruption(ss) != Histogram::NO_INCONSISTENCIES) {
-    return REFLECT_CORRUPT;
-  }
-
   if (!(JS_DefineProperty(cx, obj, "min",
                           h->declared_min(), JSPROP_ENUMERATE)
         && JS_DefineProperty(cx, obj, "max",
                              h->declared_max(), JSPROP_ENUMERATE)
         && JS_DefineProperty(cx, obj, "histogram_type",
                              h->histogram_type(), JSPROP_ENUMERATE)
         && JS_DefineProperty(cx, obj, "sum",
                              double(ss.sum()), JSPROP_ENUMERATE))) {
@@ -827,111 +605,70 @@ internal_ReflectHistogramSnapshot(JSCont
                                   JS::Handle<JSObject*> obj, Histogram *h)
 {
   Histogram::SampleSet ss;
   h->SnapshotSample(&ss);
   return internal_ReflectHistogramAndSamples(cx, obj, h, ss);
 }
 
 bool
-internal_ShouldReflectHistogram(Histogram *h)
+internal_ShouldReflectHistogram(Histogram* h, HistogramID id)
 {
-  const char *name = h->histogram_name().c_str();
-  mozilla::Telemetry::HistogramID id;
-  nsresult rv = internal_GetHistogramEnumId(name, &id);
-  if (NS_FAILED(rv)) {
-    // GetHistogramEnumId generally should not fail.  But a lookup
-    // failure shouldn't prevent us from reflecting histograms into JS.
-    //
-    // However, these two histograms are created by Histogram itself for
-    // tracking corruption.  We have our own histograms for that, so
-    // ignore these two.
-    if (strcmp(name, "Histogram.InconsistentCountHigh") == 0
-        || strcmp(name, "Histogram.InconsistentCountLow") == 0) {
-      return false;
-    }
-    return true;
+  // Only flag histograms are serialized when they are empty.
+  // This has historical reasons, changing this will require downstream changes.
+  // The cheaper path here is to just deprecate flag histograms in favor
+  // of scalars.
+  uint32_t type = gHistogramInfos[id].histogramType;
+  if (internal_IsEmpty(h) && type != nsITelemetry::HISTOGRAM_FLAG) {
+    return false;
   }
-  return !gCorruptHistograms[id];
+
+  return true;
 }
 
 } // namespace
 
-
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: class KeyedHistogram
 
 namespace {
 
-class KeyedHistogram {
-public:
-  KeyedHistogram(ProcessID processType, const nsACString &name,
-                 const nsACString &expiration,
-                 uint32_t histogramType, uint32_t min, uint32_t max,
-                 uint32_t bucketCount, uint32_t dataset);
-  nsresult GetHistogram(const nsCString& name, Histogram** histogram, bool subsession);
-  Histogram* GetHistogram(const nsCString& name, bool subsession);
-  uint32_t GetHistogramType() const { return mHistogramType; }
-  nsresult GetJSKeys(JSContext* cx, JS::CallArgs& args);
-  nsresult GetJSSnapshot(JSContext* cx, JS::Handle<JSObject*> obj,
-                         bool subsession, bool clearSubsession);
-
-  void SetRecordingEnabled(bool aEnabled) { mRecordingEnabled = aEnabled; };
-  bool IsRecordingEnabled() const { return mRecordingEnabled; };
-
-  nsresult Add(const nsCString& key, uint32_t aSample);
-  void Clear(bool subsession);
-
-  nsresult GetEnumId(mozilla::Telemetry::HistogramID& id);
-
-private:
-  typedef nsBaseHashtableET<nsCStringHashKey, Histogram*> KeyedHistogramEntry;
-  typedef AutoHashtable<KeyedHistogramEntry> KeyedHistogramMapType;
-  KeyedHistogramMapType mHistogramMap;
-#if !defined(MOZ_WIDGET_ANDROID)
-  KeyedHistogramMapType mSubsessionMap;
-#endif
-
-  static bool ReflectKeyedHistogram(KeyedHistogramEntry* entry,
-                                    JSContext* cx,
-                                    JS::Handle<JSObject*> obj);
-
-  const ProcessID mProcessType;
-  const nsCString mName;
-  const nsCString mExpiration;
-  const uint32_t mHistogramType;
-  const uint32_t mMin;
-  const uint32_t mMax;
-  const uint32_t mBucketCount;
-  const uint32_t mDataset;
-  mozilla::Atomic<bool, mozilla::Relaxed> mRecordingEnabled;
-};
-
-KeyedHistogram::KeyedHistogram(ProcessID processType,
-                               const nsACString &name,
-                               const nsACString &expiration,
-                               uint32_t histogramType,
-                               uint32_t min, uint32_t max,
-                               uint32_t bucketCount, uint32_t dataset)
+KeyedHistogram::KeyedHistogram(HistogramID id, const HistogramInfo& info)
   : mHistogramMap()
 #if !defined(MOZ_WIDGET_ANDROID)
   , mSubsessionMap()
 #endif
-  , mProcessType(processType)
-  , mName(name)
-  , mExpiration(expiration)
-  , mHistogramType(histogramType)
-  , mMin(min)
-  , mMax(max)
-  , mBucketCount(bucketCount)
-  , mDataset(dataset)
-  , mRecordingEnabled(true)
+  , mId(id)
+  , mHistogramInfo(info)
+{
+}
+
+KeyedHistogram::~KeyedHistogram()
 {
+  for (auto iter = mHistogramMap.Iter(); !iter.Done(); iter.Next()) {
+    Histogram* h = iter.Get()->mData;
+    if (h == gExpiredHistogram) {
+      continue;
+    }
+    delete h;
+  }
+  mHistogramMap.Clear();
+
+#if !defined(MOZ_WIDGET_ANDROID)
+  for (auto iter = mSubsessionMap.Iter(); !iter.Done(); iter.Next()) {
+    Histogram* h = iter.Get()->mData;
+    if (h == gExpiredHistogram) {
+      continue;
+    }
+    delete h;
+  }
+  mSubsessionMap.Clear();
+#endif
 }
 
 nsresult
 KeyedHistogram::GetHistogram(const nsCString& key, Histogram** histogram,
                              bool subsession)
 {
 #if !defined(MOZ_WIDGET_ANDROID)
   KeyedHistogramMapType& map = subsession ? mSubsessionMap : mHistogramMap;
@@ -939,33 +676,19 @@ KeyedHistogram::GetHistogram(const nsCSt
   KeyedHistogramMapType& map = mHistogramMap;
 #endif
   KeyedHistogramEntry* entry = map.GetEntry(key);
   if (entry) {
     *histogram = entry->mData;
     return NS_OK;
   }
 
-  nsCString histogramName;
-#if !defined(MOZ_WIDGET_ANDROID)
-  if (subsession) {
-    histogramName.AppendLiteral(SUBSESSION_HISTOGRAM_PREFIX);
-  }
-#endif
-  histogramName.Append(mName);
-  histogramName.Append(SuffixForProcessType(mProcessType));
-  histogramName.AppendLiteral(KEYED_HISTOGRAM_NAME_SEPARATOR);
-  histogramName.Append(key);
-
-  Histogram* h;
-  nsresult rv = internal_HistogramGet(histogramName.get(), mExpiration.get(),
-                                      mHistogramType, mMin, mMax, mBucketCount,
-                                      true, &h);
-  if (NS_FAILED(rv)) {
-    return rv;
+  Histogram* h = internal_CreateHistogramInstance(mHistogramInfo);
+  if (!h) {
+    return NS_ERROR_FAILURE;
   }
 
   h->ClearFlags(Histogram::kUmaTargetedHistogramFlag);
   *histogram = h;
 
   entry = map.PutEntry(key);
   if (MOZ_UNLIKELY(!entry)) {
     return NS_ERROR_OUT_OF_MEMORY;
@@ -981,22 +704,26 @@ KeyedHistogram::GetHistogram(const nsCSt
   Histogram* h = nullptr;
   if (NS_FAILED(GetHistogram(key, &h, subsession))) {
     return nullptr;
   }
   return h;
 }
 
 nsresult
-KeyedHistogram::Add(const nsCString& key, uint32_t sample)
+KeyedHistogram::Add(const nsCString& key, uint32_t sample,
+                    ProcessID aProcessType)
 {
-  bool canRecordDataset = CanRecordDataset(mDataset,
+  bool canRecordDataset = CanRecordDataset(mHistogramInfo.dataset,
                                            internal_CanRecordBase(),
                                            internal_CanRecordExtended());
-  if (!canRecordDataset || !IsRecordingEnabled()) {
+  // If `histogram` is a non-parent-process histogram, then recording-enabled
+  // has been checked in its owner process.
+  if (!canRecordDataset ||
+    (aProcessType == ProcessID::Parent && !internal_IsRecordingEnabled(mId))) {
     return NS_OK;
   }
 
   Histogram* histogram = GetHistogram(key, false);
   MOZ_ASSERT(histogram);
   if (!histogram) {
     return NS_ERROR_FAILURE;
   }
@@ -1019,26 +746,34 @@ void
 KeyedHistogram::Clear(bool onlySubsession)
 {
   MOZ_ASSERT(XRE_IsParentProcess());
   if (!XRE_IsParentProcess()) {
     return;
   }
 #if !defined(MOZ_WIDGET_ANDROID)
   for (auto iter = mSubsessionMap.Iter(); !iter.Done(); iter.Next()) {
-    iter.Get()->mData->Clear();
+    Histogram* h = iter.Get()->mData;
+    if (h == gExpiredHistogram) {
+      continue;
+    }
+    delete h;
   }
   mSubsessionMap.Clear();
   if (onlySubsession) {
     return;
   }
 #endif
 
   for (auto iter = mHistogramMap.Iter(); !iter.Done(); iter.Next()) {
-    iter.Get()->mData->Clear();
+    Histogram* h = iter.Get()->mData;
+    if (h == gExpiredHistogram) {
+      continue;
+    }
+    delete h;
   }
   mHistogramMap.Clear();
 }
 
 nsresult
 KeyedHistogram::GetJSKeys(JSContext* cx, JS::CallArgs& args)
 {
   JS::AutoValueVector keys(cx);
@@ -1104,213 +839,167 @@ KeyedHistogram::GetJSSnapshot(JSContext*
   if (subsession && clearSubsession) {
     Clear(true);
   }
 #endif
 
   return NS_OK;
 }
 
-nsresult
-KeyedHistogram::GetEnumId(mozilla::Telemetry::HistogramID& id)
-{
-  return internal_GetHistogramEnumId(mName.get(), &id);
-}
-
 } // namespace
 
-
-////////////////////////////////////////////////////////////////////////
-////////////////////////////////////////////////////////////////////////
-//
-// PRIVATE: KeyedHistogram helpers
-
-namespace {
-
-KeyedHistogram*
-internal_GetKeyedHistogramById(const nsACString &name)
-{
-  if (!gInitDone) {
-    return nullptr;
-  }
-
-  KeyedHistogram* keyed = nullptr;
-  gKeyedHistograms.Get(name, &keyed);
-  return keyed;
-}
-
-} // namespace
-
-
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: thread-unsafe helpers for the external interface
 
 // This is a StaticMutex rather than a plain Mutex (1) so that
 // it gets initialised in a thread-safe manner the first time
 // it is used, and (2) because it is never de-initialised, and
 // a normal Mutex would show up as a leak in BloatView.  StaticMutex
 // also has the "OffTheBooks" property, so it won't show as a leak
 // in BloatView.
 static StaticMutex gTelemetryHistogramMutex;
 
 namespace {
 
-void
-internal_SetHistogramRecordingEnabled(mozilla::Telemetry::HistogramID aID, bool aEnabled)
-{
-  if (gHistograms[aID].keyed) {
-    const nsDependentCString id(gHistograms[aID].id());
-    KeyedHistogram* keyed = internal_GetKeyedHistogramById(id);
-    if (keyed) {
-      keyed->SetRecordingEnabled(aEnabled);
-      return;
-    }
-  } else {
-    Histogram *h;
-    nsresult rv = internal_GetHistogramByEnumId(aID, &h, ProcessID::Parent);
-    if (NS_SUCCEEDED(rv)) {
-      h->SetRecordingEnabled(aEnabled);
-      return;
-    }
-  }
-
-  MOZ_ASSERT(false, "Telemetry::SetHistogramRecordingEnabled(...) id not found");
-}
-
 bool
-internal_RemoteAccumulate(mozilla::Telemetry::HistogramID aId, uint32_t aSample)
+internal_RemoteAccumulate(HistogramID aId, uint32_t aSample)
 {
   if (XRE_IsParentProcess()) {
     return false;
   }
-  Histogram *h;
-  nsresult rv = internal_GetHistogramByEnumId(aId, &h, ProcessID::Parent);
-  if (NS_SUCCEEDED(rv) && !h->IsRecordingEnabled()) {
+
+  if (!internal_IsRecordingEnabled(aId)) {
     return true;
   }
+
   TelemetryIPCAccumulator::AccumulateChildHistogram(aId, aSample);
   return true;
 }
 
 bool
-internal_RemoteAccumulate(mozilla::Telemetry::HistogramID aId,
-                    const nsCString& aKey, uint32_t aSample)
+internal_RemoteAccumulate(HistogramID aId,
+                          const nsCString& aKey, uint32_t aSample)
 {
   if (XRE_IsParentProcess()) {
     return false;
   }
-  const HistogramInfo& th = gHistograms[aId];
-  KeyedHistogram* keyed
-     = internal_GetKeyedHistogramById(nsDependentCString(th.id()));
-  MOZ_ASSERT(keyed);
-  if (!keyed->IsRecordingEnabled()) {
-    return false;
+
+  if (!internal_IsRecordingEnabled(aId)) {
+    return true;
   }
+
   TelemetryIPCAccumulator::AccumulateChildKeyedHistogram(aId, aKey, aSample);
   return true;
 }
 
-void internal_Accumulate(mozilla::Telemetry::HistogramID aHistogram, uint32_t aSample)
+void internal_Accumulate(HistogramID aId, uint32_t aSample)
 {
   if (!internal_CanRecordBase() ||
-      internal_RemoteAccumulate(aHistogram, aSample)) {
+      internal_RemoteAccumulate(aId, aSample)) {
     return;
   }
-  Histogram *h;
-  nsresult rv = internal_GetHistogramByEnumId(aHistogram, &h, ProcessID::Parent);
-  if (NS_SUCCEEDED(rv)) {
-    internal_HistogramAdd(*h, aSample, gHistograms[aHistogram].dataset);
-  }
-}
+
+  Histogram *h = internal_GetHistogramById(aId, ProcessID::Parent, SessionType::Session);
+  MOZ_ASSERT(h);
+  internal_HistogramAdd(*h, aId, aSample, ProcessID::Parent);
 
-void
-internal_Accumulate(mozilla::Telemetry::HistogramID aID,
-                    const nsCString& aKey, uint32_t aSample)
-{
-  if (!gInitDone || !internal_CanRecordBase() ||
-      internal_RemoteAccumulate(aID, aKey, aSample)) {
-    return;
-  }
-  const HistogramInfo& th = gHistograms[aID];
-  KeyedHistogram* keyed
-     = internal_GetKeyedHistogramById(nsDependentCString(th.id()));
-  MOZ_ASSERT(keyed);
-  keyed->Add(aKey, aSample);
+#if !defined(MOZ_WIDGET_ANDROID)
+  h = internal_GetHistogramById(aId, ProcessID::Parent, SessionType::Subsession);
+  MOZ_ASSERT(h);
+  internal_HistogramAdd(*h, aId, aSample, ProcessID::Parent);
+#endif
 }
 
 void
-internal_Accumulate(Histogram& aHistogram, uint32_t aSample)
+internal_Accumulate(HistogramID aId,
+                    const nsCString& aKey, uint32_t aSample)
 {
-  if (XRE_IsParentProcess()) {
-    internal_HistogramAdd(aHistogram, aSample);
+  if (!gInitDone || !internal_CanRecordBase() ||
+      internal_RemoteAccumulate(aId, aKey, aSample)) {
     return;
   }
 
-  mozilla::Telemetry::HistogramID id;
-  nsresult rv = internal_GetHistogramEnumId(aHistogram.histogram_name().c_str(), &id);
-  if (NS_SUCCEEDED(rv)) {
-    internal_RemoteAccumulate(id, aSample);
-  }
+  KeyedHistogram* keyed = internal_GetKeyedHistogramById(aId, ProcessID::Parent);
+  MOZ_ASSERT(keyed);
+  keyed->Add(aKey, aSample, ProcessID::Parent);
 }
 
 void
-internal_Accumulate(KeyedHistogram& aKeyed,
-                    const nsCString& aKey, uint32_t aSample)
-{
-  if (XRE_IsParentProcess()) {
-    aKeyed.Add(aKey, aSample);
-    return;
-  }
-
-  mozilla::Telemetry::HistogramID id;
-  if (NS_SUCCEEDED(aKeyed.GetEnumId(id))) {
-    internal_RemoteAccumulate(id, aKey, aSample);
-  }
-}
-
-void
-internal_AccumulateChild(ProcessID aProcessType, mozilla::Telemetry::HistogramID aId, uint32_t aSample)
+internal_AccumulateChild(ProcessID aProcessType, HistogramID aId, uint32_t aSample)
 {
   if (!internal_CanRecordBase()) {
     return;
   }
-  Histogram* h;
-  nsresult rv = internal_GetHistogramByEnumId(aId, &h, aProcessType);
-  if (NS_SUCCEEDED(rv)) {
-    internal_HistogramAdd(*h, aSample, gHistograms[aId].dataset);
+
+  if (Histogram* h = internal_GetHistogramById(aId, aProcessType, SessionType::Session)) {
+    internal_HistogramAdd(*h, aId, aSample, aProcessType);
   } else {
-    NS_WARNING("NS_FAILED GetHistogramByEnumId for CHILD");
+    NS_WARNING("Failed GetHistogramById for CHILD");
   }
+
+#if !defined(MOZ_WIDGET_ANDROID)
+  if (Histogram* h = internal_GetHistogramById(aId, aProcessType, SessionType::Subsession)) {
+    internal_HistogramAdd(*h, aId, aSample, aProcessType);
+  } else {
+    NS_WARNING("Failed GetHistogramById for CHILD");
+  }
+#endif
 }
 
 void
-internal_AccumulateChildKeyed(ProcessID aProcessType, mozilla::Telemetry::HistogramID aId,
+internal_AccumulateChildKeyed(ProcessID aProcessType, HistogramID aId,
                               const nsCString& aKey, uint32_t aSample)
 {
   if (!gInitDone || !internal_CanRecordBase()) {
     return;
   }
 
-  const char* suffix = SuffixForProcessType(aProcessType);
-  if (!suffix) {
-    MOZ_ASSERT_UNREACHABLE("suffix should not be null");
+  KeyedHistogram* keyed = internal_GetKeyedHistogramById(aId, aProcessType);
+  MOZ_ASSERT(keyed);
+  keyed->Add(aKey, aSample, aProcessType);
+}
+
+void
+internal_ClearHistogram(HistogramID id, bool onlySubsession)
+{
+  MOZ_ASSERT(XRE_IsParentProcess());
+  if (!XRE_IsParentProcess()) {
     return;
   }
 
-  const HistogramInfo& th = gHistograms[aId];
+  // Handle keyed histograms.
+  if (gHistogramInfos[id].keyed) {
+    for (uint32_t process = 0; process < static_cast<uint32_t>(ProcessID::Count); ++process) {
+      KeyedHistogram* kh = internal_GetKeyedHistogramById(id, static_cast<ProcessID>(process), /* instantiate = */ false);
+      if (kh) {
+        kh->Clear(onlySubsession);
+      }
+    }
+  }
 
-  nsAutoCString id;
-  id.Append(th.id());
-  id.AppendASCII(suffix);
+  // Handle plain histograms.
+  // Define the session types we want to clear.
+  nsTArray<SessionType> sessionTypes;
+  if (!onlySubsession) {
+    sessionTypes.AppendElement(SessionType::Session);
+  }
+#if !defined(MOZ_WIDGET_ANDROID)
+  sessionTypes.AppendElement(SessionType::Subsession);
+#endif
 
-  KeyedHistogram* keyed = internal_GetKeyedHistogramById(id);
-  MOZ_ASSERT(keyed);
-  keyed->Add(aKey, aSample);
+  // Now reset the histograms instances for all processes.
+  for (SessionType sessionType : sessionTypes) {
+    for (uint32_t process = 0; process < static_cast<uint32_t>(ProcessID::Count); ++process) {
+      internal_ClearHistogramById(id,
+                                  static_cast<ProcessID>(process),
+                                  sessionType);
+    }
+  }
 }
 
 } // namespace
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
@@ -1328,63 +1017,82 @@ internal_AccumulateChildKeyed(ProcessID 
 // deadlock because the JS_ calls that they make may call back into the
 // TelemetryHistogram interface, hence trying to re-acquire the mutex.
 //
 // This means that these functions potentially race against threads, but
 // that seems preferable to risking deadlock.
 
 namespace {
 
+void internal_JSHistogram_finalize(JSFreeOp*, JSObject*);
+
+static const JSClassOps sJSHistogramClassOps = {
+  nullptr, /* addProperty */
+  nullptr, /* delProperty */
+  nullptr, /* getProperty */
+  nullptr, /* setProperty */
+  nullptr, /* enumerate */
+  nullptr, /* newEnumerate */
+  nullptr, /* resolve */
+  nullptr, /* mayResolve */
+  internal_JSHistogram_finalize
+};
+
 static const JSClass sJSHistogramClass = {
   "JSHistogram",  /* name */
-  JSCLASS_HAS_PRIVATE  /* flags */
+  JSCLASS_HAS_PRIVATE | JSCLASS_FOREGROUND_FINALIZE,  /* flags */
+  &sJSHistogramClassOps
+};
+
+struct JSHistogramData {
+  HistogramID histogramId;
 };
 
 bool
 internal_JSHistogram_Add(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   MOZ_ASSERT(obj);
   if (!obj ||
       JS_GetClass(obj) != &sJSHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSHistogram class");
     return false;
   }
 
-  Histogram *h = static_cast<Histogram*>(JS_GetPrivate(obj));
-  MOZ_ASSERT(h);
-  Histogram::ClassType type = h->histogram_type();
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+  uint32_t type = gHistogramInfos[id].histogramType;
 
   JS::CallArgs args = CallArgsFromVp(argc, vp);
   // This function should always return |undefined| and never fail but
   // rather report failures using the console.
   args.rval().setUndefined();
 
   if (!internal_CanRecordBase()) {
     return true;
   }
 
   uint32_t value = 0;
-  mozilla::Telemetry::HistogramID id;
-  if ((type == base::CountHistogram::COUNT_HISTOGRAM) && (args.length() == 0)) {
+  if ((type == nsITelemetry::HISTOGRAM_COUNT) && (args.length() == 0)) {
     // If we don't have an argument for the count histogram, assume an increment of 1.
     // Otherwise, make sure to run some sanity checks on the argument.
     value = 1;
-  } else if (type == base::LinearHistogram::LINEAR_HISTOGRAM &&
-      (args.length() > 0) && args[0].isString() &&
-      NS_SUCCEEDED(internal_GetHistogramEnumId(h->histogram_name().c_str(), &id)) &&
-      gHistograms[id].histogramType == nsITelemetry::HISTOGRAM_CATEGORICAL) {
+  } else if ((args.length() > 0) && args[0].isString() &&
+             gHistogramInfos[id].histogramType == nsITelemetry::HISTOGRAM_CATEGORICAL) {
     // For categorical histograms we allow passing a string argument that specifies the label.
     nsAutoJSString label;
     if (!label.init(cx, args[0])) {
       LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Invalid string parameter"));
       return true;
     }
 
     // Get label id value.
-    nsresult rv = gHistograms[id].label_id(NS_ConvertUTF16toUTF8(label).get(), &value);
+    nsresult rv = gHistogramInfos[id].label_id(NS_ConvertUTF16toUTF8(label).get(), &value);
     if (NS_FAILED(rv)) {
       LogToBrowserConsole(nsIScriptError::errorFlag,
                           NS_LITERAL_STRING("Unknown label for categorical histogram"));
       return true;
     }
   } else {
     // All other accumulations expect one numerical argument.
     if (!args.length()) {
@@ -1400,108 +1108,140 @@ internal_JSHistogram_Add(JSContext *cx, 
     if (!JS::ToUint32(cx, args[0], &value)) {
       LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Failed to convert argument"));
       return true;
     }
   }
 
   {
     StaticMutexAutoLock locker(gTelemetryHistogramMutex);
-    internal_Accumulate(*h, value);
+    internal_Accumulate(id, value);
   }
+
   return true;
 }
 
 bool
 internal_JSHistogram_Snapshot(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSHistogram class");
     return false;
   }
 
-  Histogram *h = static_cast<Histogram*>(JS_GetPrivate(obj));
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+
+  // This is not good standard behavior given that we have histogram instances
+  // covering multiple processes and two session types.
+  // However, changing this requires some broader changes to callers.
+  Histogram* h = internal_GetHistogramById(id, ProcessID::Parent, SessionType::Session);
+  MOZ_ASSERT(h);
+
   JS::Rooted<JSObject*> snapshot(cx, JS_NewPlainObject(cx));
-  if (!snapshot)
+  if (!snapshot) {
     return false;
+  }
 
   switch (internal_ReflectHistogramSnapshot(cx, snapshot, h)) {
   case REFLECT_FAILURE:
     return false;
-  case REFLECT_CORRUPT:
-    JS_ReportErrorASCII(cx, "Histogram is corrupt");
-    return false;
   case REFLECT_OK:
     args.rval().setObject(*snapshot);
     return true;
   default:
-    MOZ_CRASH("unhandled reflection status");
+    MOZ_ASSERT_UNREACHABLE("Unhandled reflection status.");
   }
+
+  return true;
 }
 
 bool
 internal_JSHistogram_Clear(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSHistogram class");
     return false;
   }
 
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+
   bool onlySubsession = false;
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   // This function should always return |undefined| and never fail but
   // rather report failures using the console.
   args.rval().setUndefined();
 
-
 #if !defined(MOZ_WIDGET_ANDROID)
   if (args.length() >= 1) {
     if (!args[0].isBoolean()) {
       JS_ReportErrorASCII(cx, "Not a boolean");
       return false;
     }
 
     onlySubsession = JS::ToBoolean(args[0]);
   }
 #endif
 
-  Histogram *h = static_cast<Histogram*>(JS_GetPrivate(obj));
-  MOZ_ASSERT(h);
-  if (h) {
-    internal_HistogramClear(*h, onlySubsession);
-  }
+  internal_ClearHistogram(id, onlySubsession);
 
   return true;
 }
 
 // NOTE: Runs without protection from |gTelemetryHistogramMutex|.
 // See comment at the top of this section.
 nsresult
-internal_WrapAndReturnHistogram(Histogram *h, JSContext *cx,
+internal_WrapAndReturnHistogram(HistogramID id, JSContext *cx,
                                 JS::MutableHandle<JS::Value> ret)
 {
   JS::Rooted<JSObject*> obj(cx, JS_NewObject(cx, &sJSHistogramClass));
-  if (!obj)
+  if (!obj) {
     return NS_ERROR_FAILURE;
+  }
+
   // The 3 functions that are wrapped up here are eventually called
   // by the same thread that runs this function.
   if (!(JS_DefineFunction(cx, obj, "add", internal_JSHistogram_Add, 1, 0)
         && JS_DefineFunction(cx, obj, "snapshot",
                              internal_JSHistogram_Snapshot, 0, 0)
         && JS_DefineFunction(cx, obj, "clear", internal_JSHistogram_Clear, 0, 0))) {
     return NS_ERROR_FAILURE;
   }
-  JS_SetPrivate(obj, h);
+
+  JSHistogramData* data = new JSHistogramData{id};
+  JS_SetPrivate(obj, data);
   ret.setObject(*obj);
+
   return NS_OK;
 }
 
+void
+internal_JSHistogram_finalize(JSFreeOp*, JSObject* obj)
+{
+  if (!obj ||
+      JS_GetClass(obj) != &sJSHistogramClass) {
+    MOZ_ASSERT_UNREACHABLE("Should have the right JS class.");
+    return;
+  }
+
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  delete data;
+}
+
 } // namespace
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // PRIVATE: JSKeyedHistogram_* functions
 
@@ -1516,39 +1256,67 @@ internal_WrapAndReturnHistogram(Histogra
 //   internal_JSKeyedHistogram_Clear
 //   internal_WrapAndReturnKeyedHistogram
 //
 // Same comments as above, at the JSHistogram_* section, regarding
 // deadlock avoidance, apply.
 
 namespace {
 
+void internal_JSKeyedHistogram_finalize(JSFreeOp*, JSObject*);
+
+static const JSClassOps sJSKeyedHistogramClassOps = {
+  nullptr, /* addProperty */
+  nullptr, /* delProperty */
+  nullptr, /* getProperty */
+  nullptr, /* setProperty */
+  nullptr, /* enumerate */
+  nullptr, /* newEnumerate */
+  nullptr, /* resolve */
+  nullptr, /* mayResolve */
+  internal_JSKeyedHistogram_finalize
+};
+
 static const JSClass sJSKeyedHistogramClass = {
   "JSKeyedHistogram",  /* name */
-  JSCLASS_HAS_PRIVATE  /* flags */
+  JSCLASS_HAS_PRIVATE | JSCLASS_FOREGROUND_FINALIZE,  /* flags */
+  &sJSKeyedHistogramClassOps
 };
 
 bool
 internal_KeyedHistogram_SnapshotImpl(JSContext *cx, unsigned argc,
                                      JS::Value *vp,
                                      bool subsession, bool clearSubsession)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSKeyedHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSKeyedHistogram class");
     return false;
   }
 
-  KeyedHistogram* keyed = static_cast<KeyedHistogram*>(JS_GetPrivate(obj));
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+
+  JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
+  // This function should always return |undefined| and never fail but
+  // rather report failures using the console.
+  args.rval().setUndefined();
+
+  // This is not good standard behavior given that we have histogram instances
+  // covering multiple processes and two session types.
+  // However, changing this requires some broader changes to callers.
+  KeyedHistogram* keyed = internal_GetKeyedHistogramById(id, ProcessID::Parent, /* instantiate = */ true);
   if (!keyed) {
+    JS_ReportErrorASCII(cx, "Failed to look up keyed histogram");
     return false;
   }
 
-  JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
-
   if (args.length() == 0) {
     JS::RootedObject snapshot(cx, JS_NewPlainObject(cx));
     if (!snapshot) {
       JS_ReportErrorASCII(cx, "Failed to create object");
       return false;
     }
 
     if (!NS_SUCCEEDED(keyed->GetJSSnapshot(cx, snapshot, subsession, clearSubsession))) {
@@ -1575,86 +1343,82 @@ internal_KeyedHistogram_SnapshotImpl(JSC
 
   JS::RootedObject snapshot(cx, JS_NewPlainObject(cx));
   if (!snapshot) {
     return false;
   }
 
   switch (internal_ReflectHistogramSnapshot(cx, snapshot, h)) {
   case REFLECT_FAILURE:
-    return false;
-  case REFLECT_CORRUPT:
-    JS_ReportErrorASCII(cx, "Histogram is corrupt");
+    JS_ReportErrorASCII(cx, "Failed to reflect histogram");
     return false;
   case REFLECT_OK:
     args.rval().setObject(*snapshot);
     return true;
   default:
     MOZ_CRASH("unhandled reflection status");
   }
+
+  return true;
 }
 
 bool
 internal_JSKeyedHistogram_Add(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSKeyedHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSKeyedHistogram class");
     return false;
   }
 
-  KeyedHistogram* keyed = static_cast<KeyedHistogram*>(JS_GetPrivate(obj));
-  if (!keyed) {
-    return false;
-  }
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
 
   JS::CallArgs args = CallArgsFromVp(argc, vp);
   // This function should always return |undefined| and never fail but
   // rather report failures using the console.
   args.rval().setUndefined();
   if (args.length() < 1) {
     LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Expected one argument"));
     return true;
   }
 
   nsAutoJSString key;
   if (!args[0].isString() || !key.init(cx, args[0])) {
     LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Not a string"));
     return true;
   }
 
-  const uint32_t type = keyed->GetHistogramType();
+  const uint32_t type = gHistogramInfos[id].histogramType;
 
   // If we don't have an argument for the count histogram, assume an increment of 1.
   // Otherwise, make sure to run some sanity checks on the argument.
   uint32_t value = 1;
   if ((type != nsITelemetry::HISTOGRAM_COUNT) || (args.length() == 2)) {
     if (args.length() < 2) {
       LogToBrowserConsole(nsIScriptError::errorFlag,
                           NS_LITERAL_STRING("Expected two arguments for this histogram type"));
       return true;
     }
 
     if (type == nsITelemetry::HISTOGRAM_CATEGORICAL && args[1].isString()) {
       // For categorical histograms we allow passing a string argument that specifies the label.
-      mozilla::Telemetry::HistogramID id;
-      if (NS_FAILED(keyed->GetEnumId(id))) {
-        LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Failed to get histogram id."));
-        return true;
-      }
 
       // Get label string.
       nsAutoJSString label;
       if (!label.init(cx, args[1])) {
         LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Invalid string parameter"));
         return true;
       }
 
       // Get label id value.
-      nsresult rv = gHistograms[id].label_id(NS_ConvertUTF16toUTF8(label).get(), &value);
+      nsresult rv = gHistogramInfos[id].label_id(NS_ConvertUTF16toUTF8(label).get(), &value);
       if (NS_FAILED(rv)) {
         LogToBrowserConsole(nsIScriptError::errorFlag,
                             NS_LITERAL_STRING("Unknown label for categorical histogram"));
         return true;
       }
     } else {
       // All other accumulations expect one numerical argument.
       if (!(args[1].isNumber() || args[1].isBoolean())) {
@@ -1664,33 +1428,41 @@ internal_JSKeyedHistogram_Add(JSContext 
 
       if (!JS::ToUint32(cx, args[1], &value)) {
         LogToBrowserConsole(nsIScriptError::errorFlag, NS_LITERAL_STRING("Failed to convert argument"));
         return true;
       }
     }
   }
 
-  {
-    StaticMutexAutoLock locker(gTelemetryHistogramMutex);
-    internal_Accumulate(*keyed, NS_ConvertUTF16toUTF8(key), value);
-  }
+  internal_Accumulate(id, NS_ConvertUTF16toUTF8(key), value);
+
   return true;
 }
 
 bool
 internal_JSKeyedHistogram_Keys(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSKeyedHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSKeyedHistogram class");
     return false;
   }
 
-  KeyedHistogram* keyed = static_cast<KeyedHistogram*>(JS_GetPrivate(obj));
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
+
+  // This is not good standard behavior given that we have histogram instances
+  // covering multiple processes and two session types.
+  // However, changing this requires some broader changes to callers.
+  KeyedHistogram* keyed = internal_GetKeyedHistogramById(id, ProcessID::Parent);
+  MOZ_ASSERT(keyed);
   if (!keyed) {
     return false;
   }
 
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   return NS_SUCCEEDED(keyed->GetJSKeys(cx, args));
 }
 
@@ -1725,52 +1497,62 @@ internal_JSKeyedHistogram_SnapshotSubses
 #endif
 
 bool
 internal_JSKeyedHistogram_Clear(JSContext *cx, unsigned argc, JS::Value *vp)
 {
   JSObject *obj = JS_THIS_OBJECT(cx, vp);
   if (!obj ||
       JS_GetClass(obj) != &sJSKeyedHistogramClass) {
+    JS_ReportErrorASCII(cx, "Wrong JS class, expected JSKeyedHistogram class");
     return false;
   }
 
-  KeyedHistogram* keyed = static_cast<KeyedHistogram*>(JS_GetPrivate(obj));
-  if (!keyed) {
-    return false;
-  }
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  HistogramID id = data->histogramId;
+  MOZ_ASSERT(internal_IsHistogramEnumId(id));
 
   JS::CallArgs args = JS::CallArgsFromVp(argc, vp);
   // This function should always return |undefined| and never fail but
   // rather report failures using the console.
   args.rval().setUndefined();
 
+  // This is not good standard behavior given that we have histogram instances
+  // covering multiple processes and two session types.
+  // However, changing this requires some broader changes to callers.
+  KeyedHistogram* keyed = internal_GetKeyedHistogramById(id, ProcessID::Parent, /* instantiate = */ false);
+  if (!keyed) {
+    return true;
+  }
+
 #if !defined(MOZ_WIDGET_ANDROID)
   bool onlySubsession = false;
 
   if (args.length() >= 1) {
     if (!(args[0].isNumber() || args[0].isBoolean())) {
       JS_ReportErrorASCII(cx, "Not a boolean");
       return false;
     }
 
     onlySubsession = JS::ToBoolean(args[0]);
   }
 
   keyed->Clear(onlySubsession);
 #else
   keyed->Clear(false);
 #endif
+
   return true;
 }
 
 // NOTE: Runs without protection from |gTelemetryHistogramMutex|.
 // See comment at the top of this section.
 nsresult
-internal_WrapAndReturnKeyedHistogram(KeyedHistogram *h, JSContext *cx,
+internal_WrapAndReturnKeyedHistogram(HistogramID id, JSContext *cx,
                                      JS::MutableHandle<JS::Value> ret)
 {
   JS::Rooted<JSObject*> obj(cx, JS_NewObject(cx, &sJSKeyedHistogramClass));
   if (!obj)
     return NS_ERROR_FAILURE;
   // The 6 functions that are wrapped up here are eventually called
   // by the same thread that runs this function.
   if (!(JS_DefineFunction(cx, obj, "add", internal_JSKeyedHistogram_Add, 2, 0)
@@ -1784,148 +1566,125 @@ internal_WrapAndReturnKeyedHistogram(Key
 #endif
         && JS_DefineFunction(cx, obj, "keys",
                              internal_JSKeyedHistogram_Keys, 0, 0)
         && JS_DefineFunction(cx, obj, "clear",
                              internal_JSKeyedHistogram_Clear, 0, 0))) {
     return NS_ERROR_FAILURE;
   }
 
-  JS_SetPrivate(obj, h);
+  JSHistogramData* data = new JSHistogramData{id};
+  JS_SetPrivate(obj, data);
   ret.setObject(*obj);
+
   return NS_OK;
 }
 
+void
+internal_JSKeyedHistogram_finalize(JSFreeOp*, JSObject* obj)
+{
+  if (!obj ||
+      JS_GetClass(obj) != &sJSKeyedHistogramClass) {
+    MOZ_ASSERT_UNREACHABLE("Should have the right JS class.");
+    return;
+  }
+
+  JSHistogramData* data = static_cast<JSHistogramData*>(JS_GetPrivate(obj));
+  MOZ_ASSERT(data);
+  delete data;
+}
+
 } // namespace
 
 
 ////////////////////////////////////////////////////////////////////////
 ////////////////////////////////////////////////////////////////////////
 //
 // EXTERNALLY VISIBLE FUNCTIONS in namespace TelemetryHistogram::
 
 // All of these functions are actually in namespace TelemetryHistogram::,
 // but the ::TelemetryHistogram prefix is given explicitly.  This is
 // because it is critical to see which calls from these functions are
 // to another function in this interface.  Mis-identifying "inwards
 // calls" from "calls to another function in this interface" will lead
 // to deadlocking and/or races.  See comments at the top of the file
 // for further (important!) details.
 
-// Create and destroy the singleton StatisticsRecorder object.
-void TelemetryHistogram::CreateStatisticsRecorder()
-{
-  StaticMutexAutoLock locker(gTelemetryHistogramMutex);
-  MOZ_ASSERT(!gStatisticsRecorder);
-  gStatisticsRecorder = new base::StatisticsRecorder();
-}
-
-void TelemetryHistogram::DestroyStatisticsRecorder()
-{
-  StaticMutexAutoLock locker(gTelemetryHistogramMutex);
-  MOZ_ASSERT(gStatisticsRecorder);
-  if (gStatisticsRecorder) {
-    delete gStatisticsRecorder;
-    gStatisticsRecorder = nullptr;
-  }
-}
-
 void TelemetryHistogram::InitializeGlobalState(bool canRecordBase,
                                                bool canRecordExtended)
 {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   MOZ_ASSERT(!gInitDone, "TelemetryHistogram::InitializeGlobalState "
              "may only be called once");
 
   gCanRecordBase = canRecordBase;
   gCanRecordExtended = canRecordExtended;
 
-  // gHistogramMap should have been pre-sized correctly at the
+  // gNameToHistogramIDMap should have been pre-sized correctly at the
   // declaration point further up in this file.
 
   // Populate the static histogram name->id cache.
   // Note that the histogram names are statically allocated.
-  for (uint32_t i = 0; i < mozilla::Telemetry::HistogramCount; i++) {
-    CharPtrEntryType *entry = gHistogramMap.PutEntry(gHistograms[i].id());
-    entry->mData = (mozilla::Telemetry::HistogramID) i;
+  for (uint32_t i = 0; i < HistogramCount; i++) {
+    gNameToHistogramIDMap.Put(nsDependentCString(gHistogramInfos[i].name()), HistogramID(i));
   }
 
 #ifdef DEBUG
-  gHistogramMap.MarkImmutable();
+  gNameToHistogramIDMap.MarkImmutable();
 #endif
 
-  mozilla::PodArrayZero(gCorruptHistograms);
-
-  // Create registered keyed histograms
-  for (const auto & h : gHistograms) {
-    if (!h.keyed) {
-      continue;
-    }
-
-    const nsDependentCString id(h.id());
-    const nsDependentCString expiration(h.expiration());
-    gKeyedHistograms.Put(id, new KeyedHistogram(ProcessID::Parent, id, expiration, h.histogramType,
-                                                h.min, h.max, h.bucketCount, h.dataset));
-    if (XRE_IsParentProcess()) {
-      // We must create registered child keyed histograms as well or else the
-      // same code in TelemetrySession.jsm that fails without parent keyed
-      // histograms will fail without child keyed histograms.
-      nsCString contentId(id);
-      contentId.AppendLiteral(CONTENT_HISTOGRAM_SUFFIX);
-      gKeyedHistograms.Put(contentId,
-                           new KeyedHistogram(ProcessID::Content, id, expiration, h.histogramType,
-                                              h.min, h.max, h.bucketCount, h.dataset));
-
-      nsCString gpuId(id);
-      gpuId.AppendLiteral(GPU_HISTOGRAM_SUFFIX);
-      gKeyedHistograms.Put(gpuId,
-                           new KeyedHistogram(ProcessID::Gpu, id, expiration, h.histogramType,
-                                              h.min, h.max, h.bucketCount, h.dataset));
-
-      nsCString extensionId(id);
-      extensionId.AppendLiteral(EXTENSION_HISTOGRAM_SUFFIX);
-      gKeyedHistograms.Put(extensionId,
-                           new KeyedHistogram(ProcessID::Extension, id, expiration, h.histogramType,
-                                              h.min, h.max, h.bucketCount, h.dataset));
-    }
-  }
-
     // Some Telemetry histograms depend on the value of C++ constants and hardcode
     // their values in Histograms.json.
     // We add static asserts here for those values to match so that future changes
     // don't go unnoticed.
     static_assert((JS::gcreason::NUM_TELEMETRY_REASONS + 1) ==
-                        gHistograms[mozilla::Telemetry::GC_MINOR_REASON].bucketCount &&
+                        gHistogramInfos[mozilla::Telemetry::GC_MINOR_REASON].bucketCount &&
                   (JS::gcreason::NUM_TELEMETRY_REASONS + 1) ==
-                        gHistograms[mozilla::Telemetry::GC_MINOR_REASON_LONG].bucketCount &&
+                        gHistogramInfos[mozilla::Telemetry::GC_MINOR_REASON_LONG].bucketCount &&
                   (JS::gcreason::NUM_TELEMETRY_REASONS + 1) ==
-                        gHistograms[mozilla::Telemetry::GC_REASON_2].bucketCount,
+                        gHistogramInfos[mozilla::Telemetry::GC_REASON_2].bucketCount,
                   "NUM_TELEMETRY_REASONS is assumed to be a fixed value in Histograms.json."
                   " If this was an intentional change, update the n_values for the "
                   "following in Histograms.json: GC_MINOR_REASON, GC_MINOR_REASON_LONG, "
                   "GC_REASON_2");
 
     static_assert((mozilla::StartupTimeline::MAX_EVENT_ID + 1) ==
-                        gHistograms[mozilla::Telemetry::STARTUP_MEASUREMENT_ERRORS].bucketCount,
+                        gHistogramInfos[mozilla::Telemetry::STARTUP_MEASUREMENT_ERRORS].bucketCount,
                   "MAX_EVENT_ID is assumed to be a fixed value in Histograms.json.  If this"
                   " was an intentional change, update the n_values for the following in "
                   "Histograms.json: STARTUP_MEASUREMENT_ERRORS");
 
-
   gInitDone = true;
 }
 
 void TelemetryHistogram::DeInitializeGlobalState()
 {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   gCanRecordBase = false;
   gCanRecordExtended = false;
-  gHistogramMap.Clear();
-  gKeyedHistograms.Clear();
+  gNameToHistogramIDMap.Clear();
   gInitDone = false;
+
+  // FactoryGet `new`s Histograms for us, but requires us to manually delete.
+  for (size_t i = 0; i < HistogramCount; ++i) {
+    for (uint32_t process = 0; process < static_cast<uint32_t>(ProcessID::Count); ++process) {
+      delete gKeyedHistogramStorage[i][process];
+      gKeyedHistogramStorage[i][process] = nullptr;
+      for (uint32_t session = 0; session <
+        static_cast<uint32_t>(SessionType::Count); ++session) {
+        if (gHistogramStorage[i][process][session] == gExpiredHistogram) {
+          continue;
+        }
+        delete gHistogramStorage[i][process][session];
+        gHistogramStorage[i][process][session] = nullptr;
+      }
+    }
+  }
+  delete gExpiredHistogram;
+  gExpiredHistogram = nullptr;
 }
 
 #ifdef DEBUG
 bool TelemetryHistogram::GlobalStateHasBeenInitialized() {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   return gInitDone;
 }
 #endif
@@ -1955,98 +1714,83 @@ TelemetryHistogram::SetCanRecordExtended
 }
 
 
 void
 TelemetryHistogram::InitHistogramRecordingEnabled()
 {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   auto processType = XRE_GetProcessType();
-  for (size_t i = 0; i < mozilla::ArrayLength(gHistograms); ++i) {
-    const HistogramInfo& h = gHistograms[i];
+  for (size_t i = 0; i < HistogramCount; ++i) {
+    const HistogramInfo& h = gHistogramInfos[i];
     mozilla::Telemetry::HistogramID id = mozilla::Telemetry::HistogramID(i);
     internal_SetHistogramRecordingEnabled(id,
                                           CanRecordInProcess(h.record_in_processes,
                                                              processType));
   }
 
   for (auto recordingInitiallyDisabledID : kRecordingInitiallyDisabledIDs) {
     internal_SetHistogramRecordingEnabled(recordingInitiallyDisabledID,
                                           false);
   }
 }
 
 void
-TelemetryHistogram::SetHistogramRecordingEnabled(mozilla::Telemetry::HistogramID aID,
+TelemetryHistogram::SetHistogramRecordingEnabled(HistogramID aID,
                                                  bool aEnabled)
 {
   if (NS_WARN_IF(!internal_IsHistogramEnumId(aID))) {
     MOZ_ASSERT_UNREACHABLE("Histogram usage requires valid ids.");
     return;
   }
 
-  const HistogramInfo& h = gHistograms[aID];
+  const HistogramInfo& h = gHistogramInfos[aID];
   if (!CanRecordInProcess(h.record_in_processes, XRE_GetProcessType())) {
     // Don't permit record_in_process-disabled recording to be re-enabled.
     return;
   }
 
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   internal_SetHistogramRecordingEnabled(aID, aEnabled);
 }
 
 
 nsresult
-TelemetryHistogram::SetHistogramRecordingEnabled(const nsACString &id,
+TelemetryHistogram::SetHistogramRecordingEnabled(const nsACString& name,
                                                  bool aEnabled)
 {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
-
-  mozilla::Telemetry::HistogramID hId;
-  nsresult rv = internal_GetHistogramEnumId(PromiseFlatCString(id).get(), &hId);
-  if (NS_FAILED(rv)) {
-    return rv;
-  }
-  const HistogramInfo& hi = gHistograms[hId];
-  if (!CanRecordInProcess(hi.record_in_processes, XRE_GetProcessType())) {
-    return NS_OK;
+  HistogramID id;
+  if (NS_FAILED(internal_GetHistogramIdByName(name, &id))) {
+    return NS_ERROR_FAILURE;
   }
 
-  Histogram *h;
-  rv = internal_GetHistogramByName(id, &h);
-  if (NS_SUCCEEDED(rv)) {
-    h->SetRecordingEnabled(aEnabled);
-    return NS_OK;
+  const HistogramInfo& hi = gHistogramInfos[id];
+  if (CanRecordInProcess(hi.record_in_processes, XRE_GetProcessType())) {
+    internal_SetHistogramRecordingEnabled(id, aEnabled);
   }
-
-  KeyedHistogram* keyed = internal_GetKeyedHistogramById(id);
-  if (keyed) {
-    keyed->SetRecordingEnabled(aEnabled);
-    return NS_OK;
-  }
-
-  return NS_ERROR_FAILURE;
+  return NS_OK;
 }
 
 
 void
-TelemetryHistogram::Accumulate(mozilla::Telemetry::HistogramID aID,
+TelemetryHistogram::Accumulate(HistogramID aID,
                                uint32_t aSample)
 {
   if (NS_WARN_IF(!internal_IsHistogramEnumId(aID))) {
     MOZ_ASSERT_UNREACHABLE("Histogram usage requires valid ids.");
     return;
   }
 
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   internal_Accumulate(aID, aSample);
 }
 
 void
-TelemetryHistogram::Accumulate(mozilla::Telemetry::HistogramID aID,
+TelemetryHistogram::Accumulate(HistogramID aID,
                                const nsCString& aKey, uint32_t aSample)
 {
   if (NS_WARN_IF(!internal_IsHistogramEnumId(aID))) {
     MOZ_ASSERT_UNREACHABLE("Histogram usage requires valid ids.");
     return;
   }
 
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
@@ -2055,54 +1799,54 @@ TelemetryHistogram::Accumulate(mozilla::
 
 void
 TelemetryHistogram::Accumulate(const char* name, uint32_t sample)
 {
   StaticMutexAutoLock locker(gTelemetryHistogramMutex);
   if (!internal_CanRecordBase()) {
     return;
   }
-  mozilla::Telemetry::HistogramID i