diff --git a/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js b/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js index fd7c531fc0bb..ab232f99f8ff 100644 --- a/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js +++ b/devtools/client/debugger/new/src/actions/breakpoints/addBreakpoint.js @@ -5,7 +5,6 @@ // @flow import { setBreakpointPositions } from "./breakpointPositions"; import { - breakpointExists, assertBreakpoint, createBreakpoint, getASTLocation, @@ -36,12 +35,6 @@ async function addBreakpointPromise(getState, client, sourceMaps, breakpoint) { const source = getSourceFromId(state, location.sourceId); const generatedSource = getSourceFromId(state, generatedLocation.sourceId); - if (breakpointExists(state, location)) { - const newBreakpoint = { ...breakpoint, location, generatedLocation }; - assertBreakpoint(newBreakpoint); - return newBreakpoint; - } - const breakpointLocation = makeBreakpointLocation( getState(), generatedLocation @@ -57,7 +50,6 @@ async function addBreakpointPromise(getState, client, sourceMaps, breakpoint) { const newBreakpoint = { id: makeBreakpointId(generatedLocation), disabled: false, - loading: false, options: breakpoint.options, location, astLocation, @@ -79,10 +71,6 @@ export function addHiddenBreakpoint(location: SourceLocation) { export function enableBreakpoint(breakpoint: Breakpoint) { return async ({ dispatch, getState, client, sourceMaps }: ThunkArgs) => { - if (breakpoint.loading) { - return; - } - // To instantly reflect in the UI, we optimistically enable the breakpoint const enabledBreakpoint = { ...breakpoint, disabled: false }; diff --git a/devtools/client/debugger/new/src/actions/breakpoints/index.js b/devtools/client/debugger/new/src/actions/breakpoints/index.js index 61f7c578fd9e..1278dd731830 100644 --- a/devtools/client/debugger/new/src/actions/breakpoints/index.js +++ b/devtools/client/debugger/new/src/actions/breakpoints/index.js 
@@ -66,10 +66,6 @@ async function removeBreakpointsPromise(client, state, breakpoint) { */ export function removeBreakpoint(breakpoint: Breakpoint) { return ({ dispatch, getState, client }: ThunkArgs) => { - if (breakpoint.loading) { - return; - } - recordEvent("remove_breakpoint"); // If the breakpoint is already disabled, we don't need to communicate @@ -98,10 +94,6 @@ export function removeBreakpoint(breakpoint: Breakpoint) { */ export function disableBreakpoint(breakpoint: Breakpoint) { return async ({ dispatch, getState, client }: ThunkArgs) => { - if (breakpoint.loading) { - return; - } - await removeBreakpointsPromise(client, getState(), breakpoint); const newBreakpoint: Breakpoint = { ...breakpoint, disabled: true }; @@ -300,10 +292,6 @@ export function setBreakpointOptions( return dispatch(addBreakpoint(location, options)); } - if (bp.loading) { - return; - } - if (bp.disabled) { await dispatch(enableBreakpoint(bp)); } @@ -339,7 +327,7 @@ export function toggleBreakpointAtLine(line: number) { const bp = getBreakpointAtLocation(state, { line, column: undefined }); const isEmptyLine = isEmptyLineInSource(state, line, selectedSource.id); - if ((!bp && isEmptyLine) || (bp && bp.loading)) { + if (!bp && isEmptyLine) { return; } @@ -415,10 +403,6 @@ export function enableBreakpointsAtLine(sourceId: string, line: number) { export function toggleDisabledBreakpoint(breakpoint: Breakpoint) { return ({ dispatch, getState, client, sourceMaps }: ThunkArgs) => { - if (breakpoint.loading) { - return; - } - if (!breakpoint.disabled) { return dispatch(disableBreakpoint(breakpoint)); } diff --git a/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap b/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap index 5278883bbabf..1d26bc30390b 100644 --- a/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap 
+++ b/devtools/client/debugger/new/src/actions/breakpoints/tests/__snapshots__/breakpoints.spec.js.snap @@ -23,7 +23,6 @@ Array [ "sourceUrl": "http://localhost:8000/examples/a", }, "id": "a:2:1", - "loading": false, "location": Object { "column": 1, "line": 2, @@ -81,7 +80,6 @@ Object { "sourceUrl": "http://localhost:8000/examples/a.js", }, "id": "a.js:1:", - "loading": false, "location": Object { "column": 0, "line": 1, @@ -121,7 +119,6 @@ Array [ "sourceUrl": "http://localhost:8000/examples/a", }, "id": "a:5:1", - "loading": false, "location": Object { "column": 1, "line": 5, diff --git a/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js b/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js index a10a9dcbf5a6..036135f0cf5d 100644 --- a/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js +++ b/devtools/client/debugger/new/src/actions/tests/helpers/breakpoints.js @@ -40,7 +40,6 @@ export function generateBreakpoint( ) { return { id: "breakpoint", - loading: false, originalText: "", text: "", location: { diff --git a/devtools/client/debugger/new/src/components/Editor/Breakpoint.js b/devtools/client/debugger/new/src/components/Editor/Breakpoint.js index e2387604a437..0a65a44bf435 100644 --- a/devtools/client/debugger/new/src/components/Editor/Breakpoint.js +++ b/devtools/client/debugger/new/src/components/Editor/Breakpoint.js @@ -40,8 +40,8 @@ class Breakpoint extends PureComponent { } componentWillUnmount() { - const { breakpoint, selectedSource } = this.props; - if (!selectedSource || breakpoint.loading) { + const { selectedSource } = this.props; + if (!selectedSource) { return; } @@ -128,9 +128,7 @@ class Breakpoint extends PureComponent { return; } - // NOTE: we need to wait for the breakpoint to be loaded - // to get the generated location - if (!selectedSource || breakpoint.loading) { + if (!selectedSource) { return; } 
diff --git a/devtools/client/debugger/new/src/components/SecondaryPanes/index.js b/devtools/client/debugger/new/src/components/SecondaryPanes/index.js index 772e77796b75..fd979b081952 100644 --- a/devtools/client/debugger/new/src/components/SecondaryPanes/index.js +++ b/devtools/client/debugger/new/src/components/SecondaryPanes/index.js @@ -14,7 +14,6 @@ import { getTopFrame, getBreakpointsList, getBreakpointsDisabled, - getBreakpointsLoading, getExpressions, getIsWaitingOnBreak, getMapScopes, @@ -79,7 +78,6 @@ type Props = { breakpoints: Object, selectedFrame: ?Frame, breakpointsDisabled: boolean, - breakpointsLoading: boolean, isWaitingOnBreak: boolean, shouldMapScopes: boolean, shouldPauseOnExceptions: boolean, @@ -118,8 +116,7 @@ class SecondaryPanes extends Component { const { toggleAllBreakpoints, breakpoints, - breakpointsDisabled, - breakpointsLoading + breakpointsDisabled } = this.props; const isIndeterminate = !breakpointsDisabled && breakpoints.some(x => x.disabled); @@ -134,7 +131,7 @@ class SecondaryPanes extends Component { ? L10N.getStr("breakpoints.enable") : L10N.getStr("breakpoints.disable"), className: "breakpoints-toggle", - disabled: breakpointsLoading, + disabled: false, key: "breakpoints-toggle", onChange: e => { e.stopPropagation(); @@ -469,7 +466,6 @@ const mapStateToProps = state => { hasFrames: !!getTopFrame(state, thread), breakpoints: getBreakpointsList(state), breakpointsDisabled: getBreakpointsDisabled(state), - breakpointsLoading: getBreakpointsLoading(state), isWaitingOnBreak: getIsWaitingOnBreak(state, thread), selectedFrame: getSelectedFrame(state, thread), shouldMapScopes: getMapScopes(state), diff --git a/devtools/client/debugger/new/src/reducers/breakpoints.js b/devtools/client/debugger/new/src/reducers/breakpoints.js index be87939ed19c..66a34fc7e2c3 100644 --- a/devtools/client/debugger/new/src/reducers/breakpoints.js +++ b/devtools/client/debugger/new/src/reducers/breakpoints.js 
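Review bot: In the breakpoints-toggle props in SecondaryPanes/index.js, `disabled: false` is a constant left behind by the removal of `breakpointsLoading`, so the property no longer carries any state. If the component receiving these props treats a missing `disabled` as false (not visible in this hunk), drop the line. Otherwise a short comment such as `// breakpoints no longer have a loading state` would explain why it is hard-coded. The enclosing method starts and ends outside the hunk.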
@@ -370,12 +370,6 @@ export function getBreakpointsDisabled(state: OuterState): boolean { return breakpoints.every(breakpoint => breakpoint.disabled); } -export function getBreakpointsLoading(state: OuterState): boolean { - const breakpoints = getBreakpointsList(state); - const isLoading = breakpoints.some(breakpoint => breakpoint.loading); - return breakpoints.length > 0 && isLoading; -} - export function getBreakpointsForSource( state: OuterState, sourceId: string, diff --git a/devtools/client/debugger/new/src/selectors/breakpointSources.js b/devtools/client/debugger/new/src/selectors/breakpointSources.js index 227ce881eb42..e330847a6c12 100644 --- a/devtools/client/debugger/new/src/selectors/breakpointSources.js +++ b/devtools/client/debugger/new/src/selectors/breakpointSources.js @@ -32,7 +32,6 @@ function getBreakpointsForSource( .filter( bp => !bp.options.hidden && - !bp.loading && (bp.text || bp.originalText || bp.options.condition || bp.disabled) ) .filter( diff --git a/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap b/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap index 630b00c062c4..cba1b53a0ed2 100644 --- a/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap +++ b/devtools/client/debugger/new/src/selectors/test/__snapshots__/visibleColumnBreakpoints.spec.js.snap @@ -12,7 +12,6 @@ Array [ "sourceId": "foo", }, "id": "breakpoint", - "loading": false, "location": Object { "column": 1, "line": 1, @@ -51,7 +50,6 @@ Array [ "sourceId": "foo", }, "id": "breakpoint", - "loading": false, "location": Object { "column": 1, "line": 1, @@ -90,7 +88,6 @@ Array [ "sourceId": "foo", }, "id": "breakpoint", - "loading": false, "location": Object { "column": 1, "line": 1, diff --git a/devtools/client/debugger/new/src/types.js b/devtools/client/debugger/new/src/types.js index bc0f249f61ba..82888604db99 100644 
--- a/devtools/client/debugger/new/src/types.js +++ b/devtools/client/debugger/new/src/types.js @@ -118,7 +118,6 @@ export type Breakpoint = {| +location: SourceLocation, +astLocation: ?ASTLocation, +generatedLocation: SourceLocation, - +loading: boolean, +disabled: boolean, +text: string, +originalText: string, @@ -174,7 +173,6 @@ export type PendingBreakpoint = { +location: PendingLocation, +astLocation: ASTLocation, +generatedLocation: PendingLocation, - +loading: boolean, +disabled: boolean, +text: string, +options: BreakpointOptions diff --git a/devtools/client/debugger/new/src/utils/breakpoint/index.js b/devtools/client/debugger/new/src/utils/breakpoint/index.js index 128b7fa1bae4..81f4a0586876 100644 --- a/devtools/client/debugger/new/src/utils/breakpoint/index.js +++ b/devtools/client/debugger/new/src/utils/breakpoint/index.js @@ -176,7 +176,6 @@ export function createBreakpoint( hidden: options.hidden || false }, disabled: disabled || false, - loading: false, astLocation: astLocation || defaultASTLocation, text, originalText diff --git a/devtools/client/debugger/new/src/utils/test-mockup.js b/devtools/client/debugger/new/src/utils/test-mockup.js index 6bd5561704e7..cb495249ea2f 100644 --- a/devtools/client/debugger/new/src/utils/test-mockup.js +++ b/devtools/client/debugger/new/src/utils/test-mockup.js @@ -102,7 +102,6 @@ function makeMockBreakpoint( location, astLocation: null, generatedLocation: location, - loading: false, disabled: false, text: "text", originalText: "text", diff --git a/devtools/client/inspector/markup/test/browser_markup_events_04.js b/devtools/client/inspector/markup/test/browser_markup_events_04.js index 78c7ae8592f0..4956424058bb 100644 --- a/devtools/client/inspector/markup/test/browser_markup_events_04.js +++ b/devtools/client/inspector/markup/test/browser_markup_events_04.js 
@@ -125,7 +125,7 @@ const TEST_DATA = [ // eslint-disable-line "Bubbling", "DOM2", ], - handler: "function sort(arr, comparefn) {\n" + + handler: "function sort(, ) {\n" + " [native code]\n" + "}", }, diff --git a/dom/svg/SVGElement.h b/dom/svg/SVGElement.h index feb8f658d42d..f010071777d4 100644 --- a/dom/svg/SVGElement.h +++ b/dom/svg/SVGElement.h @@ -77,19 +77,6 @@ class SVGElement : public SVGElementBase // nsIContent virtual nsresult Clone(mozilla::dom::NodeInfo*, nsINode** aResult) const MOZ_MUST_OVERRIDE override; - typedef mozilla::SVGEnum SVGEnum; - typedef mozilla::SVGEnumMapping SVGEnumMapping; - typedef mozilla::SVGNumberList SVGNumberList; - typedef mozilla::SVGAnimatedNumberList SVGAnimatedNumberList; - typedef mozilla::SVGUserUnitList SVGUserUnitList; - typedef mozilla::SVGAnimatedLengthList SVGAnimatedLengthList; - typedef mozilla::SVGAnimatedPointList SVGAnimatedPointList; - typedef mozilla::SVGAnimatedPathSegList SVGAnimatedPathSegList; - typedef mozilla::SVGAnimatedPreserveAspectRatio - SVGAnimatedPreserveAspectRatio; - typedef mozilla::SVGAnimatedTransformList SVGAnimatedTransformList; - typedef mozilla::SVGStringList SVGStringList; - // nsISupports NS_INLINE_DECL_REFCOUNTING_INHERITED(SVGElement, SVGElementBase) diff --git a/dom/svg/SVGTextPathElement.h b/dom/svg/SVGTextPathElement.h index dcf27d0b82e4..27a2c2a0692e 100644 --- a/dom/svg/SVGTextPathElement.h +++ b/dom/svg/SVGTextPathElement.h @@ -9,8 +9,8 @@ #include "SVGEnum.h" #include "nsSVGLength2.h" +#include "SVGAnimatedPathSegList.h" #include "SVGString.h" -#include "mozilla/dom/SVGAnimatedPathSegList.h" #include "mozilla/dom/SVGTextContentElement.h" class nsAtom; diff --git a/dom/svg/moz.build b/dom/svg/moz.build index f3d7715f9505..9f30bafd2e7a 100644 --- a/dom/svg/moz.build +++ b/dom/svg/moz.build @@ -19,7 +19,6 @@ EXPORTS.mozilla += [ EXPORTS.mozilla.dom += [ 'SVGAElement.h', - 'SVGAnimatedPathSegList.h', 'SVGAnimatedRect.h', 'SVGAnimateElement.h', 'SVGAnimateMotionElement.h', 
diff --git a/gfx/ipc/GPUProcessManager.cpp b/gfx/ipc/GPUProcessManager.cpp index c8fecf0570f2..2c81abb46215 100644 --- a/gfx/ipc/GPUProcessManager.cpp +++ b/gfx/ipc/GPUProcessManager.cpp @@ -804,8 +804,8 @@ bool GPUProcessManager::CreateContentCompositorManager( if (mGPUChild) { mGPUChild->SendNewContentCompositorManager(std::move(parentPipe)); - } else { - CompositorManagerParent::Create(std::move(parentPipe)); + } else if (!CompositorManagerParent::Create(std::move(parentPipe))) { + return false; } *aOutEndpoint = std::move(childPipe); diff --git a/gfx/ipc/VsyncBridgeChild.cpp b/gfx/ipc/VsyncBridgeChild.cpp index 40b1b17e6c55..31f2a49aa922 100644 --- a/gfx/ipc/VsyncBridgeChild.cpp +++ b/gfx/ipc/VsyncBridgeChild.cpp @@ -12,7 +12,7 @@ namespace gfx { VsyncBridgeChild::VsyncBridgeChild(RefPtr aThread, const uint64_t& aProcessToken) - : mThread(aThread), mLoop(nullptr), mProcessToken(aProcessToken) {} + : mThread(aThread), mProcessToken(aProcessToken) {} VsyncBridgeChild::~VsyncBridgeChild() {} @@ -39,8 +39,6 @@ void VsyncBridgeChild::Open(Endpoint&& aEndpoint) { return; } - mLoop = MessageLoop::current(); - // Last reference is freed in DeallocPVsyncBridgeChild. AddRef(); } @@ -66,7 +64,7 @@ class NotifyVsyncTask : public Runnable { }; bool VsyncBridgeChild::IsOnVsyncIOThread() const { - return MessageLoop::current() == mLoop; + return mThread->IsOnCurrentThread(); } void VsyncBridgeChild::NotifyVsync(const VsyncEvent& aVsync, @@ -75,7 +73,7 @@ void VsyncBridgeChild::NotifyVsync(const VsyncEvent& aVsync, MOZ_ASSERT(!IsOnVsyncIOThread()); RefPtr task = new NotifyVsyncTask(this, aVsync, aLayersId); - mLoop->PostTask(task.forget()); + mThread->Dispatch(task.forget()); } void VsyncBridgeChild::NotifyVsyncImpl(const VsyncEvent& aVsync, 
@@ -91,8 +89,8 @@ void VsyncBridgeChild::NotifyVsyncImpl(const VsyncEvent& aVsync, void VsyncBridgeChild::Close() { if (!IsOnVsyncIOThread()) { - mLoop->PostTask(NewRunnableMethod("gfx::VsyncBridgeChild::Close", this, - &VsyncBridgeChild::Close)); + mThread->Dispatch(NewRunnableMethod("gfx::VsyncBridgeChild::Close", this, + &VsyncBridgeChild::Close)); return; } diff --git a/gfx/ipc/VsyncBridgeChild.h b/gfx/ipc/VsyncBridgeChild.h index d49c557c91b6..9e25a45db496 100644 --- a/gfx/ipc/VsyncBridgeChild.h +++ b/gfx/ipc/VsyncBridgeChild.h @@ -47,7 +47,6 @@ class VsyncBridgeChild final : public PVsyncBridgeChild { private: RefPtr mThread; - MessageLoop* mLoop; uint64_t mProcessToken; }; diff --git a/gfx/ipc/VsyncIOThreadHolder.h b/gfx/ipc/VsyncIOThreadHolder.h index ac305c7898c3..b5ea0c2c1fa5 100644 --- a/gfx/ipc/VsyncIOThreadHolder.h +++ b/gfx/ipc/VsyncIOThreadHolder.h @@ -23,6 +23,14 @@ class VsyncIOThreadHolder final { RefPtr GetThread() const; + bool IsOnCurrentThread() const { + return mThread->IsOnCurrentThread(); + } + + void Dispatch(already_AddRefed task) { + mThread->Dispatch(std::move(task), NS_DISPATCH_NORMAL); + } + private: ~VsyncIOThreadHolder(); diff --git a/gfx/layers/ipc/CompositorManagerParent.cpp b/gfx/layers/ipc/CompositorManagerParent.cpp index bb42a0350b08..5b954b4b6038 100644 --- a/gfx/layers/ipc/CompositorManagerParent.cpp +++ b/gfx/layers/ipc/CompositorManagerParent.cpp @@ -49,7 +49,7 @@ CompositorManagerParent::CreateSameProcess() { } /* static */ -void CompositorManagerParent::Create( +bool CompositorManagerParent::Create( Endpoint&& aEndpoint) { MOZ_ASSERT(NS_IsMainThread()); @@ -57,6 +57,10 @@ void CompositorManagerParent::Create( // (or UI process if it subsumbed the GPU process). MOZ_ASSERT(aEndpoint.OtherPid() != base::GetCurrentProcId()); + if (!CompositorThreadHolder::IsActive()) { + return false; + } + RefPtr bridge = new CompositorManagerParent(); RefPtr runnable = 
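Review bot: The new `VsyncIOThreadHolder::Dispatch` discards the result of `mThread->Dispatch(...)`, so a failed dispatch (for example once the vsync I/O thread has begun shutting down) is silently dropped. `VsyncBridgeChild::Close` and `NotifyVsync` now go through this helper, so their tasks would never run in that case. Either return the result so callers can react, or make the expectation explicit with `MOZ_ALWAYS_SUCCEEDS(mThread->Dispatch(std::move(task), NS_DISPATCH_NORMAL));`. Both new helpers also dereference `mThread` unconditionally; if the holder can exist before its thread has started (not visible here), add `MOZ_ASSERT(mThread)` or a null check.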
@@ -64,6 +68,7 @@ void CompositorManagerParent::Create( "CompositorManagerParent::Bind", bridge, &CompositorManagerParent::Bind, std::move(aEndpoint)); CompositorThreadHolder::Loop()->PostTask(runnable.forget()); + return true; } /* static */ diff --git a/gfx/layers/ipc/CompositorManagerParent.h b/gfx/layers/ipc/CompositorManagerParent.h index e18dc095a6ba..e925e8c918f7 100644 --- a/gfx/layers/ipc/CompositorManagerParent.h +++ b/gfx/layers/ipc/CompositorManagerParent.h @@ -30,7 +30,7 @@ class CompositorManagerParent final : public PCompositorManagerParent { public: static already_AddRefed CreateSameProcess(); - static void Create(Endpoint&& aEndpoint); + static bool Create(Endpoint&& aEndpoint); static void Shutdown(); static already_AddRefed diff --git a/gfx/layers/ipc/ImageBridgeParent.cpp b/gfx/layers/ipc/ImageBridgeParent.cpp index 5a360ed34f12..888fa9110192 100644 --- a/gfx/layers/ipc/ImageBridgeParent.cpp +++ b/gfx/layers/ipc/ImageBridgeParent.cpp @@ -91,6 +91,10 @@ bool ImageBridgeParent::CreateForGPUProcess( MOZ_ASSERT(XRE_GetProcessType() == GeckoProcessType_GPU); MessageLoop* loop = CompositorThreadHolder::Loop(); + if (!loop) { + return false; + } + RefPtr parent = new ImageBridgeParent(loop, aEndpoint.OtherPid()); @@ -211,6 +215,9 @@ mozilla::ipc::IPCResult ImageBridgeParent::RecvUpdate( bool ImageBridgeParent::CreateForContent( Endpoint&& aEndpoint) { MessageLoop* loop = CompositorThreadHolder::Loop(); + if (!loop) { + return false; + } RefPtr bridge = new ImageBridgeParent(loop, aEndpoint.OtherPid()); diff --git a/gfx/vr/ipc/VRManagerParent.cpp b/gfx/vr/ipc/VRManagerParent.cpp index b6a51825d372..81d594ba052f 100644 --- a/gfx/vr/ipc/VRManagerParent.cpp +++ b/gfx/vr/ipc/VRManagerParent.cpp 
@@ -74,6 +74,9 @@ void VRManagerParent::UnregisterFromManager() { /* static */ bool VRManagerParent::CreateForContent(Endpoint&& aEndpoint) { MessageLoop* loop = CompositorThreadHolder::Loop(); + if (!loop) { + return false; + } RefPtr vmp = new VRManagerParent(aEndpoint.OtherPid(), true); loop->PostTask(NewRunnableMethod&&>( diff --git a/ipc/chromium/src/base/pickle.cc b/ipc/chromium/src/base/pickle.cc index 999e9a78dad0..cc07ebaa9ae3 100644 --- a/ipc/chromium/src/base/pickle.cc +++ b/ipc/chromium/src/base/pickle.cc @@ -491,7 +491,7 @@ void Pickle::BeginWrite(uint32_t length, uint32_t alignment) { kBytePaddingMarker, kBytePaddingMarker, kBytePaddingMarker, kBytePaddingMarker, kBytePaddingMarker, }; - buffers_.WriteBytes(padding_data, padding); + MOZ_ALWAYS_TRUE(buffers_.WriteBytes(padding_data, padding)); } DCHECK((header_size_ + header_->payload_size + padding) % alignment == 0); @@ -511,7 +511,7 @@ void Pickle::EndWrite(uint32_t length) { kBytePaddingMarker, kBytePaddingMarker, }; - buffers_.WriteBytes(padding_data, padding); + MOZ_ALWAYS_TRUE(buffers_.WriteBytes(padding_data, padding)); } } @@ -627,7 +627,7 @@ bool Pickle::WriteBytes(const void* data, uint32_t data_len, BeginWrite(data_len, alignment); - buffers_.WriteBytes(reinterpret_cast(data), data_len); + MOZ_ALWAYS_TRUE(buffers_.WriteBytes(reinterpret_cast(data), data_len)); EndWrite(data_len); return true; @@ -667,7 +667,7 @@ bool Pickle::WriteData(const char* data, uint32_t length) { } void Pickle::InputBytes(const char* data, uint32_t length) { - buffers_.WriteBytes(data, length); + MOZ_ALWAYS_TRUE(buffers_.WriteBytes(data, length)); } int32_t* Pickle::GetInt32PtrForTest(uint32_t offset) { diff --git a/js/rust/build.rs b/js/rust/build.rs index cde5a58cf630..a2a3f134dcf0 100644 --- a/js/rust/build.rs +++ b/js/rust/build.rs 
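Review bot: Wrapping `buffers_.WriteBytes(...)` in `MOZ_ALWAYS_TRUE` in `Pickle::BeginWrite` only asserts, and as far as I know that macro is not fatal in release builds. If a write ever failed, the pickle would presumably carry on with a payload size that no longer matches the buffered bytes. The same pattern appears in the `EndWrite`, `Pickle::WriteBytes` and `InputBytes` hunks. If `buffers_` uses an infallible allocation policy (not visible in these hunks), say so next to the first call, e.g. `// buffers_ allocates infallibly, so WriteBytes cannot fail`. If it can fail, use `MOZ_RELEASE_ASSERT`, or report the failure to the caller from `Pickle::WriteBytes`, which already returns bool.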
@@ -221,6 +221,7 @@ const WHITELIST_TYPES: &'static [&'static str] = &[ "JS::Rooted", "JS::RootedObject", "JS::RootedObjectVector", + "JS::RootedValue", "JS::RootingContext", "JS::RootKind", "js::Scalar::Type", diff --git a/js/src/jit-test/tests/debug/Environment-selfhosted-builtins.js b/js/src/jit-test/tests/debug/Environment-selfhosted-builtins.js new file mode 100644 index 000000000000..1026a486f401 --- /dev/null +++ b/js/src/jit-test/tests/debug/Environment-selfhosted-builtins.js @@ -0,0 +1,15 @@ +// The environment of self-hosted builtins is not exposed to the debugger and +// instead is reported as |undefined| just like native builtins. + +let g = newGlobal({newCompartment: true}); + +let dbg = new Debugger(); +let gw = dbg.addDebuggee(g); + +// Array is a known native builtin function. +let nativeBuiltin = gw.makeDebuggeeValue(g.Array); +assertEq(nativeBuiltin.environment, undefined); + +// Array.prototype[@@iterator] is a known self-hosted builtin function. +let selfhostedBuiltin = gw.makeDebuggeeValue(g.Array.prototype[Symbol.iterator]); +assertEq(selfhostedBuiltin.environment, undefined); diff --git a/js/src/jit-test/tests/debug/Script-selfhosted-builtins.js b/js/src/jit-test/tests/debug/Script-selfhosted-builtins.js new file mode 100644 index 000000000000..ff981f5400be --- /dev/null +++ b/js/src/jit-test/tests/debug/Script-selfhosted-builtins.js @@ -0,0 +1,15 @@ +// The script of self-hosted builtins is not exposed to the debugger and +// instead is reported as |undefined| just like native builtins. + +let g = newGlobal({newCompartment: true}); + +let dbg = new Debugger(); +let gw = dbg.addDebuggee(g); + +// Array is a known native builtin function. +let nativeBuiltin = gw.makeDebuggeeValue(g.Array); +assertEq(nativeBuiltin.script, undefined); + +// Array.prototype[@@iterator] is a known self-hosted builtin function. +let selfhostedBuiltin = gw.makeDebuggeeValue(g.Array.prototype[Symbol.iterator]); +assertEq(selfhostedBuiltin.script, undefined); 
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp index 2d3974c90b26..940180e9f13d 100644 --- a/js/src/vm/Debugger.cpp +++ b/js/src/vm/Debugger.cpp @@ -202,6 +202,10 @@ static const Class DebuggerSource_class = { /*** Utils ******************************************************************/ +static inline bool IsInterpretedNonSelfHostedFunction(JSFunction* fun) { + return fun->isInterpreted() && !fun->isSelfHostedBuiltin(); +} + static inline bool EnsureFunctionHasScript(JSContext* cx, HandleFunction fun) { if (fun->isInterpretedLazy()) { AutoRealm ar(cx, fun); @@ -212,7 +216,7 @@ static inline bool EnsureFunctionHasScript(JSContext* cx, HandleFunction fun) { static inline JSScript* GetOrCreateFunctionScript(JSContext* cx, HandleFunction fun) { - MOZ_ASSERT(fun->isInterpreted()); + MOZ_ASSERT(IsInterpretedNonSelfHostedFunction(fun)); if (!EnsureFunctionHasScript(cx, fun)) { return nullptr; } @@ -6332,8 +6336,8 @@ static bool DebuggerScript_getChildScripts(JSContext* cx, unsigned argc, for (const GCPtrObject& obj : script->objects()) { if (obj->is()) { fun = &obj->as(); - // The inner function could be a wasm native. - if (fun->isNative()) { + // The inner function could be an asm.js native. + if (!IsInterpretedNonSelfHostedFunction(fun)) { continue; } funScript = GetOrCreateFunctionScript(cx, fun); @@ -10318,7 +10322,7 @@ bool DebuggerObject::scriptGetter(JSContext* cx, unsigned argc, Value* vp) { } RootedFunction fun(cx, &obj->as()); - if (!fun->isInterpreted()) { + if (!IsInterpretedNonSelfHostedFunction(fun)) { args.rval().setUndefined(); return true; } @@ -10357,7 +10361,7 @@ bool DebuggerObject::environmentGetter(JSContext* cx, unsigned argc, } RootedFunction fun(cx, &obj->as()); - if (!fun->isInterpreted()) { + if (!IsInterpretedNonSelfHostedFunction(fun)) { args.rval().setUndefined(); return true; } 
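Review bot: The updated comment in `DebuggerScript_getChildScripts`, `// The inner function could be an asm.js native.`, explains only half of the new guard. `!IsInterpretedNonSelfHostedFunction(fun)` also skips self-hosted builtins, which is the behaviour the two new jit-tests pin down. I would word it `// Skip natives (e.g. asm.js) and self-hosted builtins; neither exposes a script to the debugger.` and add a one-line comment above `IsInterpretedNonSelfHostedFunction` saying that self-hosted code is deliberately hidden from the Debugger API. `GetOrCreateFunctionScript` enforces the new precondition only with `MOZ_ASSERT`, so a caller outside these hunks that still checks plain `isInterpreted()` would pass a self-hosted function through in release builds; the remaining call sites are worth auditing. The enclosing functions start and end outside the hunks.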
@@ -11469,7 +11473,7 @@ bool DebuggerObject::getParameterNames(JSContext* cx, if (!result.growBy(referent->nargs())) { return false; } - if (referent->isInterpreted()) { + if (IsInterpretedNonSelfHostedFunction(referent)) { RootedScript script(cx, GetOrCreateFunctionScript(cx, referent)); if (!script) { return false; diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp index c858feacd850..ba986eaec4ab 100644 --- a/layout/base/nsLayoutUtils.cpp +++ b/layout/base/nsLayoutUtils.cpp @@ -9595,8 +9595,7 @@ static nsRect ComputeSVGReferenceRect(nsIFrame* aFrame, // system established by the `viewBox` attribute. // 2. The dimension of the reference box is set to the width and height // values of the `viewBox` attribute. - SVGViewBox* viewBox = svgElement->GetViewBox(); - const SVGViewBoxRect& value = viewBox->GetAnimValue(); + const SVGViewBoxRect& value = svgElement->GetViewBox()->GetAnimValue(); r = nsRect(nsPresContext::CSSPixelsToAppUnits(value.x), nsPresContext::CSSPixelsToAppUnits(value.y), nsPresContext::CSSPixelsToAppUnits(value.width), diff --git a/mfbt/BufferList.h b/mfbt/BufferList.h index 377cf84d5091..99e6ead4aea4 100644 --- a/mfbt/BufferList.h +++ b/mfbt/BufferList.h @@ -307,7 +307,7 @@ class BufferList : private AllocPolicy { // Copies aSize bytes from aData into the BufferList. The storage for these // bytes may be split across multiple buffers. Size() is increased by aSize. - inline bool WriteBytes(const char* aData, size_t aSize); + inline MOZ_MUST_USE bool WriteBytes(const char* aData, size_t aSize); // Allocates a buffer of at most |aMaxBytes| bytes and, if successful, returns // that buffer, and places its size in |aSize|. If unsuccessful, returns null @@ -399,7 +399,7 @@ class BufferList : private AllocPolicy { }; template -bool BufferList::WriteBytes(const char* aData, size_t aSize) { +MOZ_MUST_USE bool BufferList::WriteBytes(const char* aData, size_t aSize) { MOZ_RELEASE_ASSERT(mOwning); MOZ_RELEASE_ASSERT(mStandardCapacity); 
diff --git a/mfbt/Vector.h b/mfbt/Vector.h index 7f483161f919..696da9ab7ad8 100644 --- a/mfbt/Vector.h +++ b/mfbt/Vector.h @@ -403,7 +403,14 @@ class MOZ_NON_PARAM Vector final : private AllocPolicy { : CapacityAndReserved(aCapacity, aReserved) {} CRAndStorage() = default; - T* storage() { return nullptr; } + T* storage() { + // If this returns |nullptr|, functions like |Vector::begin()| would too, + // breaking callers that pass a vector's elements as pointer/length to + // code that bounds its operation by length but (even just as a sanity + // check) always wants a non-null pointer. Fake up an aligned, non-null + // pointer to support these callers. + return reinterpret_cast(sizeof(T)); + } }; CRAndStorage mTail; diff --git a/mfbt/tests/TestBufferList.cpp b/mfbt/tests/TestBufferList.cpp index 823bd06b318b..566bad20ac42 100644 --- a/mfbt/tests/TestBufferList.cpp +++ b/mfbt/tests/TestBufferList.cpp @@ -80,7 +80,7 @@ int main(void) { char toWrite[kSmallWrite]; memset(toWrite, 0x0a, kSmallWrite); - bl.WriteBytes(toWrite, kSmallWrite); + MOZ_ALWAYS_TRUE(bl.WriteBytes(toWrite, kSmallWrite)); MOZ_RELEASE_ASSERT(bl.Size() == kInitialSize + kSmallWrite); @@ -140,7 +140,7 @@ int main(void) { for (unsigned i = 0; i < kBigWrite; i++) { toWriteBig[i] = i % 37; } - bl.WriteBytes(toWriteBig, kBigWrite); + MOZ_ALWAYS_TRUE(bl.WriteBytes(toWriteBig, kBigWrite)); char* toReadBig = static_cast(malloc(kBigWrite)); iter = bl.Iter(); @@ -189,9 +189,9 @@ int main(void) { const size_t kSmallCapacity = 8; BufferList bl2(0, kSmallCapacity, kSmallCapacity); - bl2.WriteBytes(toWrite, kSmallWrite); - bl2.WriteBytes(toWrite, kSmallWrite); - bl2.WriteBytes(toWrite, kSmallWrite); + MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite)); + MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite)); + MOZ_ALWAYS_TRUE(bl2.WriteBytes(toWrite, kSmallWrite)); bl = std::move(bl2); MOZ_RELEASE_ASSERT(bl2.Size() == 0); 
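Review bot: The fake pointer returned by the zero-inline-capacity `storage()` in Vector.h is `sizeof(T)`, so its address grows with the element type. For the `VeryBig` struct in the new TestVector case (16 * 1024 * 1024 ints) it lands tens of megabytes above zero, where real memory can be mapped. A caller that wrongly dereferences `begin()` of an empty vector could then read or write live memory instead of faulting near null. `return reinterpret_cast<T*>(alignof(T));` gives the same aligned, non-null guarantee while staying at a small address for any ordinary type. The comment should also state that the pointer must never be dereferenced.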
@@ -262,7 +262,7 @@ int main(void) { MOZ_RELEASE_ASSERT(iter.Done()); BufferList bl4(8, 8, 8); - bl4.WriteBytes("abcd1234", 8); + MOZ_ALWAYS_TRUE(bl4.WriteBytes("abcd1234", 8)); iter = bl4.Iter(); iter.Advance(bl4, 8); @@ -270,8 +270,8 @@ int main(void) { MOZ_RELEASE_ASSERT(!success); BufferList bl6(0, 0, 16); - bl6.WriteBytes("abcdefgh12345678", 16); - bl6.WriteBytes("ijklmnop87654321", 16); + MOZ_ALWAYS_TRUE(bl6.WriteBytes("abcdefgh12345678", 16)); + MOZ_ALWAYS_TRUE(bl6.WriteBytes("ijklmnop87654321", 16)); iter = bl6.Iter(); iter.Advance(bl6, 8); BufferList bl7 = bl6.Extract(iter, 16, &success); @@ -284,7 +284,7 @@ int main(void) { MOZ_RELEASE_ASSERT(memcmp(data, "12345678ijklmnop", 16) == 0); BufferList bl8(0, 0, 16); - bl8.WriteBytes("abcdefgh12345678", 16); + MOZ_ALWAYS_TRUE(bl8.WriteBytes("abcdefgh12345678", 16)); iter = bl8.Iter(); BufferList bl9 = bl8.Extract(iter, 8, &success); MOZ_RELEASE_ASSERT(success); @@ -292,8 +292,8 @@ int main(void) { MOZ_RELEASE_ASSERT(!iter.Done()); BufferList bl10(0, 0, 8); - bl10.WriteBytes("abcdefgh", 8); - bl10.WriteBytes("12345678", 8); + MOZ_ALWAYS_TRUE(bl10.WriteBytes("abcdefgh", 8)); + MOZ_ALWAYS_TRUE(bl10.WriteBytes("12345678", 8)); iter = bl10.Iter(); BufferList bl11 = bl10.Extract(iter, 16, &success); MOZ_RELEASE_ASSERT(success); diff --git a/mfbt/tests/TestVector.cpp b/mfbt/tests/TestVector.cpp index 158addef9520..1164e10266a8 100644 --- a/mfbt/tests/TestVector.cpp +++ b/mfbt/tests/TestVector.cpp 
@@ -506,6 +506,67 @@ static_assert(sizeof(Vector) == #endif // DEBUG +static void TestVectorBeginNonNull() { + // Vector::begin() should never return nullptr, to accommodate callers that + // (either for hygiene, or for semantic reasons) need a non-null pointer even + // for zero elements. + + Vector bvec0; + MOZ_RELEASE_ASSERT(bvec0.length() == 0); + MOZ_RELEASE_ASSERT(bvec0.begin() != nullptr); + + Vector bvec1; + MOZ_RELEASE_ASSERT(bvec1.length() == 0); + MOZ_RELEASE_ASSERT(bvec1.begin() != nullptr); + + Vector bvec64; + MOZ_RELEASE_ASSERT(bvec64.length() == 0); + MOZ_RELEASE_ASSERT(bvec64.begin() != nullptr); + + Vector ivec0; + MOZ_RELEASE_ASSERT(ivec0.length() == 0); + MOZ_RELEASE_ASSERT(ivec0.begin() != nullptr); + + Vector ivec1; + MOZ_RELEASE_ASSERT(ivec1.length() == 0); + MOZ_RELEASE_ASSERT(ivec1.begin() != nullptr); + + Vector ivec64; + MOZ_RELEASE_ASSERT(ivec64.length() == 0); + MOZ_RELEASE_ASSERT(ivec64.begin() != nullptr); + + Vector lvec0; + MOZ_RELEASE_ASSERT(lvec0.length() == 0); + MOZ_RELEASE_ASSERT(lvec0.begin() != nullptr); + + Vector lvec1; + MOZ_RELEASE_ASSERT(lvec1.length() == 0); + MOZ_RELEASE_ASSERT(lvec1.begin() != nullptr); + + Vector lvec64; + MOZ_RELEASE_ASSERT(lvec64.length() == 0); + MOZ_RELEASE_ASSERT(lvec64.begin() != nullptr); + + // Vector doesn't guarantee N inline elements -- the actual count is + // capped so that any Vector fits in a not-crazy amount of space -- so the + // code below won't overflow stacks or anything crazy. + struct VeryBig { + int array[16 * 1024 * 1024]; + }; + + Vector vbvec0; + MOZ_RELEASE_ASSERT(vbvec0.length() == 0); + MOZ_RELEASE_ASSERT(vbvec0.begin() != nullptr); + + Vector vbvec1; + MOZ_RELEASE_ASSERT(vbvec1.length() == 0); + MOZ_RELEASE_ASSERT(vbvec1.begin() != nullptr); + + Vector vbvec64; + MOZ_RELEASE_ASSERT(vbvec64.length() == 0); + MOZ_RELEASE_ASSERT(vbvec64.begin() != nullptr); +} + int main() { VectorTesting::testReserved(); VectorTesting::testConstRange(); 
@@ -516,4 +577,5 @@ int main() { VectorTesting::testReplaceRawBuffer(); VectorTesting::testInsert(); VectorTesting::testPodResizeToFit(); + TestVectorBeginNonNull(); } diff --git a/old-configure.in b/old-configure.in index 8ea8c83e6a3c..cd15290fdb0b 100644 --- a/old-configure.in +++ b/old-configure.in @@ -1538,7 +1538,7 @@ MOZ_ARG_WITH_BOOL(system-nss, _USE_SYSTEM_NSS=1 ) if test -n "$_USE_SYSTEM_NSS"; then - AM_PATH_NSS(3.42, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])]) + AM_PATH_NSS(3.44, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])]) fi NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss" diff --git a/security/nss/.taskcluster.yml b/security/nss/.taskcluster.yml index efd0dd75dd75..4fffc9c82b3a 100644 --- a/security/nss/.taskcluster.yml +++ b/security/nss/.taskcluster.yml @@ -24,7 +24,7 @@ tasks: in: taskId: '${ownTaskId}' taskGroupId: '${ownTaskId}' - schedulerId: 'gecko-level-nss' + schedulerId: 'nss-level-${repository.level}' created: {$fromNow: ''} deadline: {$fromNow: '1 day'} expires: {$fromNow: '14 days'} @@ -41,7 +41,6 @@ tasks: scopes: - 'assume:repo:${repoUrl[8:]}:branch:default' - - 'queue:route:notify.email.${ownerEmail}.*' tags: createdForUser: "${ownerEmail}" diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index ab4b4e8cc279..1a71b4bc7b65 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_43_RTM +67c41e385581 diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index a4c767310134..c24dae4253ab 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt 
@@ -1,5 +1,5 @@ 1 Added function: - 'function SECOidTag HASH_GetHashOidTagByHashType(HASH_HashType)' {HASH_GetHashOidTagByHashType@@NSS_3.43} + 'function SECStatus CERT_GetCertificateDer(const CERTCertificate*, SECItem*)' {CERT_GetCertificateDer@@NSS_3.44} diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt index 8ef488de0758..e69de29bb2d1 100644 --- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -1,20 +0,0 @@ - -2 functions with some indirect sub-type change: - - [C]'function SECStatus SSL_GetCipherSuiteInfo(PRUint16, SSLCipherSuiteInfo*, PRUintn)' at sslinfo.c:326:1 has some indirect sub-type changes: - parameter 2 of type 'SSLCipherSuiteInfo*' has sub-type changes: - in pointed to type 'typedef SSLCipherSuiteInfo' at sslt.h:433:1: - underlying type 'struct SSLCipherSuiteInfoStr' at sslt.h:366:1 changed: - type size changed from 768 to 832 (in bits) - 1 data member insertion: - 'SSLHashType SSLCipherSuiteInfoStr::kdfHash', at offset 768 (in bits) at sslt.h:429:1 - - [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:111:1 has some indirect sub-type changes: - parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes: - in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:379:1: - underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:333:1 changed: - type size changed from 160 to 192 (in bits) - 1 data member insertion: - 'PRUint16 SSLPreliminaryChannelInfoStr::zeroRttCipherSuite', at offset 160 (in bits) at sslt.h:375:1 - - diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index d7418dbfda21..da7472286fa1 100644 --- a/security/nss/automation/abi-check/previous-nss-release 
+++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_42_BRANCH +NSS_3_43_BRANCH diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/gtests/certdb_gtest/cert_unittest.cc b/security/nss/gtests/certdb_gtest/cert_unittest.cc new file mode 100644 index 000000000000..93003fa59ccd --- /dev/null +++ b/security/nss/gtests/certdb_gtest/cert_unittest.cc 
@@ -0,0 +1,47 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "gtest/gtest.h" + +#include "nss.h" +#include "secerr.h" +#include "pk11pub.h" +#include "nss_scoped_ptrs.h" + +namespace nss_test { + +class CertTest : public ::testing::Test {}; + +// Tests CERT_GetCertificateDer for the certs we have. +TEST_F(CertTest, GetCertDer) { + // Listing all the certs should get us the default trust anchors. + ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr)); + ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list)); + + for (PRCList* cursor = PR_NEXT_LINK(&certs->list); cursor != &certs->list; + cursor = PR_NEXT_LINK(cursor)) { + CERTCertListNode* node = (CERTCertListNode*)cursor; + SECItem der; + ASSERT_EQ(SECSuccess, CERT_GetCertificateDer(node->cert, &der)); + ASSERT_EQ(0, SECITEM_CompareItem(&der, &node->cert->derCert)); + } +} + +TEST_F(CertTest, GetCertDerBad) { + EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, nullptr)); + EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); + + ScopedCERTCertList certs(PK11_ListCerts(PK11CertListAll, nullptr)); + ASSERT_FALSE(PR_CLIST_IS_EMPTY(&certs->list)); + CERTCertListNode* node = (CERTCertListNode*)PR_NEXT_LINK(&certs->list); + EXPECT_EQ(SECFailure, CERT_GetCertificateDer(node->cert, nullptr)); + EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); + + SECItem der; + EXPECT_EQ(SECFailure, CERT_GetCertificateDer(nullptr, &der)); + EXPECT_EQ(SEC_ERROR_INVALID_ARGS, PORT_GetError()); +} +} diff --git a/security/nss/gtests/certdb_gtest/certdb_gtest.gyp b/security/nss/gtests/certdb_gtest/certdb_gtest.gyp index 898102defe30..7f5bb324b53a 100644 --- a/security/nss/gtests/certdb_gtest/certdb_gtest.gyp 
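Review bot: Both `GetCertDer` and `GetCertDerBad` dereference `certs` in `PR_CLIST_IS_EMPTY(&certs->list)` without first checking that `PK11_ListCerts` returned a list. If it returns null, for example because the test environment has no trust anchors loaded, the test crashes instead of reporting a failure. Add `ASSERT_NE(nullptr, certs);` directly after each `ScopedCERTCertList certs(...)` line.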
+++ b/security/nss/gtests/certdb_gtest/certdb_gtest.gyp @@ -12,6 +12,8 @@ 'type': 'executable', 'sources': [ 'alg1485_unittest.cc', + 'cert_unittest.cc', + 'decode_certs_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], 'dependencies': [ @@ -20,6 +22,7 @@ '<(DEPTH)/lib/util/util.gyp:nssutil3', '<(DEPTH)/lib/ssl/ssl.gyp:ssl3', '<(DEPTH)/lib/nss/nss.gyp:nss3', + '<(DEPTH)/lib/smime/smime.gyp:smime3', ] } ], diff --git a/security/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/security/nss/gtests/certdb_gtest/decode_certs_unittest.cc new file mode 100644 index 000000000000..405194edcc8a --- /dev/null +++ b/security/nss/gtests/certdb_gtest/decode_certs_unittest.cc @@ -0,0 +1,28 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "gtest/gtest.h" + +#include "cert.h" +#include "prerror.h" +#include "secerr.h" + +class DecodeCertsTest : public ::testing::Test {}; + +TEST_F(DecodeCertsTest, EmptyCertPackage) { + // This represents a PKCS#7 ContentInfo with a contentType of + // '2.16.840.1.113730.2.5' (Netscape data-type cert-sequence) and a content + // consisting of an empty SEQUENCE. This is valid ASN.1, but it contains no + // certificates, so CERT_DecodeCertFromPackage should just return a null + // pointer. + unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02, + 0x05, 0xa0, 0x02, 0x30, 0x00}; + EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage( + reinterpret_cast(emptyCertPackage), + sizeof(emptyCertPackage))); + EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError()); +} diff --git a/security/nss/gtests/certdb_gtest/manifest.mn b/security/nss/gtests/certdb_gtest/manifest.mn index 4a3a1fda09ca..c95cf991f31f 100644 
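Review bot: `EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError())` in `EmptyCertPackage` can be satisfied by an error code left over from earlier code on the same thread, because the error is not reset before the call under test. Put `PR_SetError(0, 0);` before the `CERT_DecodeCertFromPackage` call so the assertion proves that this call set the code.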
--- a/security/nss/gtests/certdb_gtest/manifest.mn +++ b/security/nss/gtests/certdb_gtest/manifest.mn @@ -8,6 +8,8 @@ MODULE = nss CPPSRCS = \ alg1485_unittest.cc \ + cert_unittest.cc \ + decode_certs_unittest.cc \ $(NULL) INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ diff --git a/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc index c69042014762..8a1dea5bfbca 100644 --- a/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc +++ b/security/nss/gtests/ssl_gtest/ssl_recordsep_unittest.cc 
@@ -442,6 +442,48 @@ TEST_P(TlsConnectStream, ReplaceRecordLayerAsyncLateAuth) { SendForwardReceive(client_, client_stage, server_); } +TEST_F(TlsConnectStreamTls13, ReplaceRecordLayerAsyncPostHandshake) { + StartConnect(); + client_->SetServerKeyBits(server_->server_key_bits()); + + BadPrSocket bad_layer_client(client_); + BadPrSocket bad_layer_server(server_); + StagedRecords client_stage(client_); + StagedRecords server_stage(server_); + + client_->SetAuthCertificateCallback(AuthCompleteBlock); + + server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING); + client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTING); + server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTING); + + ASSERT_TRUE(client_stage.empty()); + client_->Handshake(); + ASSERT_TRUE(client_stage.empty()); + EXPECT_EQ(TlsAgent::STATE_CONNECTING, client_->state()); + + // Now declare the certificate good. + EXPECT_EQ(SECSuccess, SSL_AuthCertificateComplete(client_->ssl_fd(), 0)); + client_->Handshake(); + ASSERT_FALSE(client_stage.empty()); + + if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) { + EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state()); + client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED); + } else { + client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED); + server_stage.ForwardAll(client_, TlsAgent::STATE_CONNECTED); + } + CheckKeys(); + + // Reading and writing application data should work. + SendForwardReceive(client_, client_stage, server_); + + // Post-handshake messages should work here. + EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0)); + SendForwardReceive(server_, server_stage, client_); +} + // This test ensures that data is correctly forwarded when the handshake is // resumed after asynchronous server certificate authentication, when // SSL_AuthCertificateComplete() is called. The logic for resuming the diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index 333ba4c9dd42..1981b8f549fd 100644 
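Review bot: The `else` branch of `if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3)` in `ReplaceRecordLayerAsyncPostHandshake` looks unreachable, since the test is declared with `TEST_F(TlsConnectStreamTls13, ...)`; it reads as carried over from the parameterised `ReplaceRecordLayerAsyncLateAuth` test above. Keeping only the TLS 1.3 path, `EXPECT_EQ(TlsAgent::STATE_CONNECTED, client_->state());` followed by `client_stage.ForwardAll(server_, TlsAgent::STATE_CONNECTED);`, makes the expected message flow explicit. This assumes the fixture pins the version to 1.3, which its name suggests but the hunk does not show.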
--- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -215,6 +215,12 @@ extern void CERT_DestroyCertificate(CERTCertificate *cert); */ extern CERTCertificate *CERT_DupCertificate(CERTCertificate *c); +/* Access the DER of the certificate. This only creates a reference to the DER + * in the outparam not a copy. To avoid the pointer becoming invalid, use + * CERT_DupCertificate() and keep a reference to the duplicate alive. + */ +extern SECStatus CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der); + /* ** Create a new certificate request. This result must be wrapped with an ** CERTSignedData to create a signed certificate request. diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 85b5f291703b..7eede8d0e191 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -1314,6 +1314,17 @@ CERT_DupCertificate(CERTCertificate *c) return c; } +SECStatus +CERT_GetCertificateDer(const CERTCertificate *c, SECItem *der) +{ + if (!c || !der) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + *der = c->derCert; + return SECSuccess; +} + /* * Allow use of default cert database, so that apps(such as mozilla) don't * have to pass the handle all over the place. diff --git a/security/nss/lib/freebl/blinit.c b/security/nss/lib/freebl/blinit.c index f369e62e71af..d1bb037fc1fd 100644 --- a/security/nss/lib/freebl/blinit.c +++ b/security/nss/lib/freebl/blinit.c 
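Review bot: `*der = c->derCert;` in `CERT_GetCertificateDer` gives the caller a `SECItem` whose `data` pointer aliases the certificate's own buffer, and the header comment covers lifetime but not ownership. A caller that treats the out-parameter like an owned `SECItem` and passes it to `SECITEM_FreeItem`, or writes through `der->data`, would corrupt the certificate's memory. Extend the comment in cert.h with a sentence such as `The caller must not free or modify der->data; it remains owned by the certificate.` The definition in the certdb.c hunk has no comment at all and could carry the same sentence.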
@@ -92,23 +92,32 @@ CheckX86CPUSupport() #endif /* NSS_X86_OR_X64 */ /* clang-format off */ -#if (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) +#if defined(__aarch64__) || defined(__arm__) #ifndef __has_include #define __has_include(x) 0 #endif #if (__has_include() || defined(__linux__)) && \ defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) +/* This might be conflict with host compiler */ +#if !defined(__ANDROID__) #include +#endif extern unsigned long getauxval(unsigned long type) __attribute__((weak)); #else static unsigned long (*getauxval)(unsigned long) = NULL; -#define AT_HWCAP2 0 -#define AT_HWCAP 0 #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/ -#endif /* (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) */ + +#ifndef AT_HWCAP2 +#define AT_HWCAP2 26 +#endif +#ifndef AT_HWCAP +#define AT_HWCAP 16 +#endif + +#endif /* defined(__aarch64__) || defined(__arm__) */ /* clang-format on */ -#if defined(__aarch64__) && !defined(__ANDROID__) +#if defined(__aarch64__) // Defines from hwcap.h in Linux kernel - ARM64 #ifndef HWCAP_AES #define HWCAP_AES (1 << 3) @@ -138,9 +147,9 @@ CheckARMSupport() /* aarch64 must support NEON. */ arm_neon_support_ = disable_arm_neon == NULL; } -#endif /* defined(__aarch64__) && !defined(__ANDROID__) */ +#endif /* defined(__aarch64__) */ -#if defined(__arm__) && !defined(__ANDROID__) +#if defined(__arm__) // Defines from hwcap.h in Linux kernel - ARM /* * HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP 
@@ -165,23 +174,58 @@ CheckARMSupport() #define HWCAP2_SHA2 (1 << 3) #endif +PRBool +GetNeonSupport() +{ + char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON"); + if (disable_arm_neon) { + return PR_FALSE; + } +#if defined(__ARM_NEON) || defined(__ARM_NEON__) + // Compiler generates NEON instruction as default option. + // If no getauxval, compiler generate NEON instruction by default, + // we should allow NOEN support. + return PR_TRUE; +#elif !defined(__ANDROID__) + // Android's cpu-features.c detects features by the following logic + // + // - Call getauxval(AT_HWCAP) + // - Parse /proc/self/auxv if getauxval is nothing or returns 0 + // - Parse /proc/cpuinfo if both cannot detect features + // + // But we don't use it for Android since Android document + // (https://developer.android.com/ndk/guides/cpu-features) says + // one problem with AT_HWCAP sometimes devices (Nexus 4 and emulator) + // are mistaken for IDIV. + if (getauxval) { + return (getauxval(AT_HWCAP) & HWCAP_NEON); + } +#endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */ + return PR_FALSE; +} + void CheckARMSupport() { - char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON"); char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); if (getauxval) { + // Android's cpu-features.c uses AT_HWCAP2 for newer features. + // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust + // it since cpu-features.c doesn't have workaround / fallback. + // Also, AT_HWCAP2 is supported by glibc 2.18+ on Linux/arm, If + // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will + // returns 0. 
long hwcaps = getauxval(AT_HWCAP2); arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL; arm_pmull_support_ = hwcaps & HWCAP2_PMULL; arm_sha1_support_ = hwcaps & HWCAP2_SHA1; arm_sha2_support_ = hwcaps & HWCAP2_SHA2; - arm_neon_support_ = hwcaps & HWCAP_NEON && disable_arm_neon == NULL; } + arm_neon_support_ = GetNeonSupport(); } -#endif /* defined(__arm__) && !defined(__ANDROID__) */ +#endif /* defined(__arm__) */ -// Enable when Firefox can use it. +// Enable when Firefox can use it for Android API 16 and 17. // #if defined(__ANDROID__) && (defined(__arm__) || defined(__aarch64__)) // #include // void @@ -262,7 +306,7 @@ FreeblInit(void) { #ifdef NSS_X86_OR_X64 CheckX86CPUSupport(); -#elif (defined(__aarch64__) || defined(__arm__)) && !defined(__ANDROID__) +#elif (defined(__aarch64__) || defined(__arm__)) CheckARMSupport(); #endif return PR_SUCCESS; diff --git a/security/nss/lib/freebl/crypto_primitives.c b/security/nss/lib/freebl/crypto_primitives.c index 49c8ca5ca6ed..937e1dd720f2 100644 --- a/security/nss/lib/freebl/crypto_primitives.c +++ b/security/nss/lib/freebl/crypto_primitives.c @@ -22,7 +22,7 @@ swap8b(PRUint64 value) return (value); } -#elif !defined(_MSC_VER) +#elif !defined(_MSC_VER) && !__has_builtin(__builtin_bswap64) PRUint64 swap8b(PRUint64 x) diff --git a/security/nss/lib/freebl/crypto_primitives.h b/security/nss/lib/freebl/crypto_primitives.h index f19601f4b4e8..177e6f3fffe5 100644 --- a/security/nss/lib/freebl/crypto_primitives.h +++ b/security/nss/lib/freebl/crypto_primitives.h @@ -11,6 +11,11 @@ #include #include "prtypes.h" +/* For non-clang platform */ +#ifndef __has_builtin +#define __has_builtin(x) 0 +#endif + /* Unfortunately this isn't always set when it should be. */ #if defined(HAVE_LONG_LONG) 
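Review bot: `GetNeonSupport()` is defined without `static` and with an empty parameter list, and its `getauxval` branch returns the raw mask `getauxval(AT_HWCAP) & HWCAP_NEON` as a `PRBool`. If the helper is only called from `CheckARMSupport` (no other use is visible here), declare it `static PRBool GetNeonSupport(void)` so it does not get external linkage, and normalise the result with `return (getauxval(AT_HWCAP) & HWCAP_NEON) ? PR_TRUE : PR_FALSE;`. The comment in the `__ARM_NEON` branch has a typo (`NOEN`), and the closing `#endif` comment names only the first condition although it also closes the `#elif !defined(__ANDROID__)` arm.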
@@ -29,11 +34,16 @@ /* * FREEBL_HTONLL(x): swap bytes in a 64-bit integer. */ +#if defined(IS_LITTLE_ENDIAN) #if defined(_MSC_VER) #pragma intrinsic(_byteswap_uint64) #define FREEBL_HTONLL(x) _byteswap_uint64(x) +#elif __has_builtin(__builtin_bswap64) + +#define FREEBL_HTONLL(x) __builtin_bswap64(x) + #elif defined(__GNUC__) && (defined(__x86_64__) || defined(__x86_64)) PRUint64 swap8b(PRUint64 value); @@ -48,4 +58,8 @@ PRUint64 swap8b(PRUint64 x); #endif /* _MSC_VER */ -#endif /* HAVE_LONG_LONG */ \ No newline at end of file +#else /* IS_LITTLE_ENDIAN */ +#define FREEBL_HTONLL(x) (x) +#endif + +#endif /* HAVE_LONG_LONG */ diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp index 288ff07a3bf8..4bc127ce9229 100644 --- a/security/nss/lib/freebl/freebl.gyp +++ b/security/nss/lib/freebl/freebl.gyp @@ -76,11 +76,11 @@ '__SSSE3__', ], }], - [ 'OS=="android"', { - # On Android we can't use any of the hardware acceleration :( - 'defines!': [ - '__ARM_NEON__', - '__ARM_NEON', + [ 'target_arch=="arm"', { + # Gecko doesn't support non-NEON platform on Android, but tier-3 + # platform such as Linux/arm will need it + 'cflags_mozilla': [ + '-mfpu=neon' ], }], ], diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def index d589fd30e26f..53d463a66ffd 100644 --- a/security/nss/lib/nss/nss.def +++ b/security/nss/lib/nss/nss.def @@ -1145,3 +1145,9 @@ HASH_GetHashOidTagByHashType; ;+ local: ;+ *; ;+}; +;+NSS_3.44 { # NSS 3.44 release +;+ global: +CERT_GetCertificateDer; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 1df2125172b5..d82b64980417 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h 
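Review bot: The new `#else /* IS_LITTLE_ENDIAN */` branch in crypto_primitives.h makes `FREEBL_HTONLL(x)` the identity whenever `IS_LITTLE_ENDIAN` is not defined. A build where the endianness macros are missing would therefore skip the byte swap on a little-endian target without any diagnostic, and produce wrong values wherever the macro is used. Make the big-endian case explicit with `#elif defined(IS_BIG_ENDIAN)` and end the chain with `#else` followed by `#error "byte order not defined"`. The `#if` that this branch closes opens in the previous hunk of the same file.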
@@ -22,12 +22,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.43" _NSS_CUSTOMIZED +#define NSS_VERSION "3.44" _NSS_CUSTOMIZED " Beta" #define NSS_VMAJOR 3 -#define NSS_VMINOR 43 +#define NSS_VMINOR 44 #define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_FALSE +#define NSS_BETA PR_TRUE #ifndef RC_INVOKED diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c index 2d692f1a2d5e..3091f9947ee4 100644 --- a/security/nss/lib/pkcs7/certread.c +++ b/security/nss/lib/pkcs7/certread.c @@ -492,14 +492,16 @@ typedef struct { static SECStatus collect_certs(void *arg, SECItem **certs, int numcerts) { - SECStatus rv; - collect_args *collectArgs; - - collectArgs = (collect_args *)arg; - - rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs); - - return (rv); + collect_args *collectArgs = (collect_args *)arg; + if (!collectArgs || !collectArgs->arena) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + if (numcerts < 1 || !certs || !*certs) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs); } /* diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c index fb897d68ccc8..4830bc111fb2 100644 --- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c @@ -858,7 +858,6 @@ sdb_FindObjectsFinal(SDB *sdb, SDBFind *sdbFind) return sdb_mapSQLError(sdb_p->type, sqlerr); } -static const char GET_ATTRIBUTE_CMD[] = "SELECT ALL %s FROM %s WHERE id=$ID;"; CK_RV sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, CK_ATTRIBUTE *template, CK_ULONG count) @@ -866,8 +865,6 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, SDBPrivate *sdb_p = sdb->private; sqlite3 *sqlDB = NULL; sqlite3_stmt *stmt = NULL; - char *getStr = NULL; - char *newStr = NULL; const char *table = NULL; int sqlerr = SQLITE_OK; CK_RV error = CKR_OK; 
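Review bot: `collect_certs` in certread.c still has no comment, and after this change its contract is less obvious. It copies only `*certs`, the first entry, into `collectArgs->cert` and ignores the rest, and it reports an empty or null list as `SEC_ERROR_BAD_DER` but a missing arena as `SEC_ERROR_INVALID_ARGS`. I would add above the function `/* Keeps a copy of the first certificate only; an empty list is treated as malformed input (SEC_ERROR_BAD_DER). */`. Whether `collectArgs->cert` can already hold data when the callback runs is not visible in this hunk; if it can, that case deserves a line as well.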
@@ -875,55 +872,74 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, int retry = 0; unsigned int i; + if (count == 0) { + error = CKR_OBJECT_HANDLE_INVALID; + goto loser; + } + /* open a new db if necessary */ error = sdb_openDBLocal(sdb_p, &sqlDB, &table); if (error != CKR_OK) { goto loser; } + char *columns = NULL; for (i = 0; i < count; i++) { - getStr = sqlite3_mprintf("a%x", template[i].type); - - if (getStr == NULL) { + char *newColumns; + if (columns) { + newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type); + sqlite3_free(columns); + columns = NULL; + } else { + newColumns = sqlite3_mprintf("a%x", template[i].type); + } + if (!newColumns) { error = CKR_HOST_MEMORY; goto loser; } + columns = newColumns; + } + if (!columns) { + error = CKR_OBJECT_HANDLE_INVALID; + goto loser; + } - newStr = sqlite3_mprintf(GET_ATTRIBUTE_CMD, getStr, table); - sqlite3_free(getStr); - getStr = NULL; - if (newStr == NULL) { - error = CKR_HOST_MEMORY; - goto loser; + char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;", + columns, table); + sqlite3_free(columns); + columns = NULL; + if (!statement) { + error = CKR_HOST_MEMORY; + goto loser; + } + + sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL); + sqlite3_free(statement); + statement = NULL; + if (sqlerr != SQLITE_OK) { + goto loser; + } + + // NB: indices in sqlite3_bind_int are 1-indexed + sqlerr = sqlite3_bind_int(stmt, 1, object_id); + if (sqlerr != SQLITE_OK) { + goto loser; + } + + do { + sqlerr = sqlite3_step(stmt); + if (sqlerr == SQLITE_BUSY) { + PR_Sleep(SDB_BUSY_RETRY_TIME); } - - sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); - sqlite3_free(newStr); - newStr = NULL; - if (sqlerr == SQLITE_ERROR) { - template[i].ulValueLen = -1; - error = CKR_ATTRIBUTE_TYPE_INVALID; - continue; - } else if (sqlerr != SQLITE_OK) { - goto loser; - } - - sqlerr = sqlite3_bind_int(stmt, 1, object_id); - if (sqlerr != SQLITE_OK) { - goto loser; - 
} - - do { - sqlerr = sqlite3_step(stmt); - if (sqlerr == SQLITE_BUSY) { - PR_Sleep(SDB_BUSY_RETRY_TIME); - } - if (sqlerr == SQLITE_ROW) { + if (sqlerr == SQLITE_ROW) { + PORT_Assert(!found); + for (i = 0; i < count; i++) { unsigned int blobSize; const char *blobData; - blobSize = sqlite3_column_bytes(stmt, 0); - blobData = sqlite3_column_blob(stmt, 0); + // NB: indices in sqlite_column_{bytes,blob} are 0-indexed + blobSize = sqlite3_column_bytes(stmt, i); + blobData = sqlite3_column_blob(stmt, i); if (blobData == NULL) { template[i].ulValueLen = -1; error = CKR_ATTRIBUTE_TYPE_INVALID; @@ -945,13 +961,13 @@ sdb_GetAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, PORT_Memcpy(template[i].pValue, blobData, blobSize); } template[i].ulValueLen = blobSize; - found = 1; } - } while (!sdb_done(sqlerr, &retry)); - sqlite3_reset(stmt); - sqlite3_finalize(stmt); - stmt = NULL; - } + found = 1; + } + } while (!sdb_done(sqlerr, &retry)); + sqlite3_reset(stmt); + sqlite3_finalize(stmt); + stmt = NULL; loser: /* fix up the error if necessary */ diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index 9834d3ba0104..9f97c77038fa 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c 
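Review bot: A failure of `sqlite3_prepare_v2` in `sdb_GetAttributeValueNoLock` now jumps to `loser` without touching any `template[i].ulValueLen`, whereas the removed per-attribute loop set `ulValueLen = -1` and `CKR_ATTRIBUTE_TYPE_INVALID` for just the attribute whose column was unknown. Because all requested columns now share one SELECT, a single unknown attribute type fails the whole call, and a caller that passes several attributes and inspects `ulValueLen` afterwards would read back the lengths it passed in. Either mark every entry as unavailable on `SQLITE_ERROR`, as sketched below, or document on the function that a multi-attribute template must contain only columns known to exist. How `loser` maps `sqlerr` is outside this hunk, so the resulting return code should be confirmed.

```c
    sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
    /* ... unchanged: free and clear statement ... */
    if (sqlerr == SQLITE_ERROR) {
        /* The combined SELECT cannot tell which column was rejected. */
        for (i = 0; i < count; i++) {
            template[i].ulValueLen = -1;
        }
        error = CKR_ATTRIBUTE_TYPE_INVALID;
        goto loser;
    } else if (sqlerr != SQLITE_OK) {
        goto loser;
    }
```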
@@ -859,92 +859,77 @@ static CK_RV sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle, CK_OBJECT_HANDLE id, SECItem *newKey) { - CK_ATTRIBUTE authAttrs[] = { - { CKA_MODULUS, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_CERT_SHA1_HASH, NULL, 0 }, - { CKA_CERT_MD5_HASH, NULL, 0 }, - { CKA_TRUST_SERVER_AUTH, NULL, 0 }, - { CKA_TRUST_CLIENT_AUTH, NULL, 0 }, - { CKA_TRUST_EMAIL_PROTECTION, NULL, 0 }, - { CKA_TRUST_CODE_SIGNING, NULL, 0 }, - { CKA_TRUST_STEP_UP_APPROVED, NULL, 0 }, - { CKA_NSS_OVERRIDE_EXTENSIONS, NULL, 0 }, - }; - CK_ULONG authAttrCount = sizeof(authAttrs) / sizeof(CK_ATTRIBUTE); - unsigned int i, count; SFTKDBHandle *keyHandle = handle; SDB *keyTarget = NULL; - - id &= SFTK_OBJ_ID_MASK; - if (handle->type != SFTK_KEYDB_TYPE) { keyHandle = handle->peerDB; } - if (keyHandle == NULL) { return CKR_OK; } - - /* old DB's don't have meta data, finished with MACs */ + // Old DBs don't have metadata, so we can return early here. keyTarget = SFTK_GET_SDB(keyHandle); if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) { return CKR_OK; } - /* - * STEP 1: find the MACed attributes of this object - */ - (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount); - count = 0; - /* allocate space for the attributes */ - for (i = 0; i < authAttrCount; i++) { - if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) { + id &= SFTK_OBJ_ID_MASK; + + CK_ATTRIBUTE_TYPE authAttrTypes[] = { + CKA_MODULUS, + CKA_PUBLIC_EXPONENT, + CKA_CERT_SHA1_HASH, + CKA_CERT_MD5_HASH, + CKA_TRUST_SERVER_AUTH, + CKA_TRUST_CLIENT_AUTH, + CKA_TRUST_EMAIL_PROTECTION, + CKA_TRUST_CODE_SIGNING, + CKA_TRUST_STEP_UP_APPROVED, + CKA_NSS_OVERRIDE_EXTENSIONS, + }; + const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]); + + // We don't know what attributes this object has, so we update them one at a + // time. 
+ unsigned int i; + for (i = 0; i < authAttrTypeCount; i++) { + CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 }; + CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1); + if (rv != CKR_OK) { continue; } - count++; - authAttrs[i].pValue = PORT_ArenaAlloc(arena, authAttrs[i].ulValueLen); - if (authAttrs[i].pValue == NULL) { - break; - } - } - - /* if count was zero, none were found, finished with MACs */ - if (count == 0) { - return CKR_OK; - } - - (void)sftkdb_GetAttributeValue(handle, id, authAttrs, authAttrCount); - /* ignore error code, we expect some possible errors */ - - /* GetAttributeValue just verified the old macs, safe to write - * them out then... */ - for (i = 0; i < authAttrCount; i++) { - SECItem *signText; - SECItem plainText; - SECStatus rv; - - if ((authAttrs[i].ulValueLen == -1) || (authAttrs[i].ulValueLen == 0)) { + if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) { continue; } - - if (authAttrs[i].ulValueLen == sizeof(CK_ULONG) && - sftkdb_isULONGAttribute(authAttrs[i].type)) { - CK_ULONG value = *(CK_ULONG *)authAttrs[i].pValue; - sftk_ULong2SDBULong(authAttrs[i].pValue, value); - authAttrs[i].ulValueLen = SDB_ULONG_SIZE; + authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen); + if (authAttr.pValue == NULL) { + return CKR_HOST_MEMORY; } - - plainText.data = authAttrs[i].pValue; - plainText.len = authAttrs[i].ulValueLen; - rv = sftkdb_SignAttribute(arena, newKey, id, - authAttrs[i].type, &plainText, &signText); - if (rv != SECSuccess) { + rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1); + if (rv != CKR_OK) { + return rv; + } + if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) { return CKR_GENERAL_ERROR; } - rv = sftkdb_PutAttributeSignature(handle, keyTarget, id, - authAttrs[i].type, signText); - if (rv != SECSuccess) { + // GetAttributeValue just verified the old macs, so it is safe to write + // them out now. 
+ if (authAttr.ulValueLen == sizeof(CK_ULONG) && + sftkdb_isULONGAttribute(authAttr.type)) { + CK_ULONG value = *(CK_ULONG *)authAttr.pValue; + sftk_ULong2SDBULong(authAttr.pValue, value); + authAttr.ulValueLen = SDB_ULONG_SIZE; + } + SECItem *signText; + SECItem plainText; + plainText.data = authAttr.pValue; + plainText.len = authAttr.ulValueLen; + if (sftkdb_SignAttribute(arena, newKey, id, authAttr.type, &plainText, + &signText) != SECSuccess) { + return CKR_GENERAL_ERROR; + } + if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type, + signText) != SECSuccess) { return CKR_GENERAL_ERROR; } } 
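Review bot: The size probe in `sftk_updateMacs` does `if (rv != CKR_OK) { continue; }`, so any failure of the first `sftkdb_GetAttributeValue` call, not only "this object has no such attribute", skips re-signing that attribute while the loop carries on. After a key change that would leave an authenticated attribute carrying a signature made with the old key. Consider continuing only on the status that means the attribute is absent (presumably `CKR_ATTRIBUTE_TYPE_INVALID`; confirm against `sdb_GetAttributeValueNoLock`) and returning every other error. `sftk_updateEncrypted` in the next hunk uses the same probe pattern.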
@@ -956,110 +941,64 @@ static CK_RV sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb, CK_OBJECT_HANDLE id, SECItem *newKey) { - CK_RV crv = CKR_OK; - CK_RV crv2; - CK_ATTRIBUTE *first, *last; - CK_ATTRIBUTE privAttrs[] = { - { CKA_VALUE, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 } + CK_ATTRIBUTE_TYPE privAttrTypes[] = { + CKA_VALUE, + CKA_PRIVATE_EXPONENT, + CKA_PRIME_1, + CKA_PRIME_2, + CKA_EXPONENT_1, + CKA_EXPONENT_2, + CKA_COEFFICIENT, }; - CK_ULONG privAttrCount = sizeof(privAttrs) / sizeof(CK_ATTRIBUTE); - unsigned int i, count; + const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]); - /* - * STEP 1. Read the old attributes in the clear. - */ - - /* Get the attribute sizes. - * ignore the error code, we will have unknown attributes here */ - crv2 = sftkdb_GetAttributeValue(keydb, id, privAttrs, privAttrCount); - - /* - * find the valid block of attributes and fill allocate space for - * their data */ - first = last = NULL; + // We don't know what attributes this object has, so we update them one at a + // time. + unsigned int i; for (i = 0; i < privAttrCount; i++) { - /* find the block of attributes that are appropriate for this - * objects. There should only be once contiguous block, if not - * there's an error. - * - * find the first and last good entry. - */ - if ((privAttrs[i].ulValueLen == -1) || (privAttrs[i].ulValueLen == 0)) { - if (!first) - continue; - if (!last) { - /* previous entry was last good entry */ - last = &privAttrs[i - 1]; - } + // Read the old attribute in the clear. 
+ CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 }; + CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1); + if (crv != CKR_OK) { continue; } - if (!first) { - first = &privAttrs[i]; + if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { + continue; } - if (last) { - /* OOPS, we've found another good entry beyond the end of the - * last good entry, we need to fail here. */ - crv = CKR_GENERAL_ERROR; - break; + privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen); + if (privAttr.pValue == NULL) { + return CKR_HOST_MEMORY; } - privAttrs[i].pValue = PORT_ArenaAlloc(arena, privAttrs[i].ulValueLen); - if (privAttrs[i].pValue == NULL) { - crv = CKR_HOST_MEMORY; - break; + crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1); + if (crv != CKR_OK) { + return crv; } - } - if (first == NULL) { - /* no valid entries found, return error based on crv2 */ - return crv2; - } - if (last == NULL) { - last = &privAttrs[privAttrCount - 1]; - } - if (crv != CKR_OK) { - return crv; - } - /* read the attributes */ - count = (last - first) + 1; - crv = sftkdb_GetAttributeValue(keydb, id, first, count); - if (crv != CKR_OK) { - return crv; - } - - /* - * STEP 2: read the encrypt the attributes with the new key. 
- */ - for (i = 0; i < count; i++) { - SECItem plainText; - SECItem *result; - SECStatus rv; - - plainText.data = first[i].pValue; - plainText.len = first[i].ulValueLen; - rv = sftkdb_EncryptAttribute(arena, newKey, &plainText, &result); - if (rv != SECSuccess) { + if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { return CKR_GENERAL_ERROR; } - first[i].pValue = result->data; - first[i].ulValueLen = result->len; - /* clear our sensitive data out */ + SECItem plainText; + SECItem *result; + plainText.data = privAttr.pValue; + plainText.len = privAttr.ulValueLen; + if (sftkdb_EncryptAttribute(arena, newKey, &plainText, &result) != SECSuccess) { + return CKR_GENERAL_ERROR; + } + privAttr.pValue = result->data; + privAttr.ulValueLen = result->len; + // Clear sensitive data. PORT_Memset(plainText.data, 0, plainText.len); + + // Write the newly encrypted attributes out directly. + CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK; + keydb->newKey = newKey; + crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1); + keydb->newKey = NULL; + if (crv != CKR_OK) { + return crv; + } } - /* - * STEP 3: write the newly encrypted attributes out directly - */ - id &= SFTK_OBJ_ID_MASK; - keydb->newKey = newKey; - crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, id, first, count); - keydb->newKey = NULL; - - return crv; + return CKR_OK; } static CK_RV diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index 906ee1d2cc4b..5702460254c7 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h 
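Review bot: `PORT_Memset(plainText.data, 0, plainText.len);` in `sftk_updateEncrypted` runs only after `sftkdb_EncryptAttribute` succeeds, so the `return CKR_GENERAL_ERROR` just above it leaves the clear-text private attribute in the arena buffer. Capture the status in a local, wipe the buffer, and only then test the status, so that both paths clear it. Separately, attributes are now written one per `sdb_SetAttributeValue` call. If a later attribute fails, the earlier ones are already stored under the new key, so this relies on the caller running the update inside a transaction it can abort, which is not visible in this hunk.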
@@ -17,11 +17,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.43" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.44" SOFTOKEN_ECC_STRING " Beta" #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 43 +#define SOFTOKEN_VMINOR 44 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_FALSE +#define SOFTOKEN_BETA PR_TRUE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 2797e627f571..9385e526384e 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c 
@@ -8625,6 +8625,45 @@ loser: return SECFailure; } +/* unwrap helper function to handle the case where the wrapKey doesn't wind + * up in the correct token for the master secret */ +PK11SymKey * +ssl_unwrapSymKey(PK11SymKey *wrapKey, + CK_MECHANISM_TYPE wrapType, SECItem *param, + SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS keyFlags, void *pinArg) +{ + PK11SymKey *unwrappedKey; + + /* unwrap the master secret. */ + unwrappedKey = PK11_UnwrapSymKeyWithFlags(wrapKey, wrapType, param, + wrappedKey, target, operation, keySize, + keyFlags); + if (!unwrappedKey) { + PK11SlotInfo *targetSlot = PK11_GetBestSlot(target, pinArg); + PK11SymKey *newWrapKey; + + /* it's possible that we failed to unwrap because the wrapKey is in + * a slot that can't handle target. Move the wrapKey to a slot that + * can handle this mechanism and retry the operation */ + if (targetSlot == NULL) { + return NULL; + } + newWrapKey = PK11_MoveSymKey(targetSlot, CKA_UNWRAP, 0, + PR_FALSE, wrapKey); + PK11_FreeSlot(targetSlot); + if (newWrapKey == NULL) { + return NULL; + } + unwrappedKey = PK11_UnwrapSymKeyWithFlags(newWrapKey, wrapType, param, + wrappedKey, target, operation, keySize, + keyFlags); + PK11_FreeSymKey(newWrapKey); + } + return unwrappedKey; +} + static SECStatus ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms) { 
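Review bot: The fallback in `ssl_unwrapSymKey` runs after every failed unwrap, not only when the wrapping key sits in a slot that cannot handle `target`, which is the case the comment describes. A corrupt or tampered `wrappedKey` therefore also causes a slot lookup, a copy of the wrapping key into another slot and a second unwrap, and the error code of the first attempt is overwritten. If `PK11_GetBestSlot` returns the slot the key already lives in, the retry presumably just repeats the same operation. Consider retrying only when the key's own slot lacks the mechanism, as sketched below; whether that covers every token setup the fix targets needs confirming.

```c
    if (!unwrappedKey) {
        PK11SlotInfo *wrapSlot = PK11_GetSlotFromKey(wrapKey);
        PRBool ownSlotDoesTarget = PK11_DoesMechanism(wrapSlot, target);
        PK11_FreeSlot(wrapSlot);
        if (ownSlotDoesTarget) {
            /* The slot supports target, so the failure is not a slot
             * mismatch and moving the key would not help. */
            return NULL;
        }
        /* … unchanged: PK11_GetBestSlot, PK11_MoveSymKey, second unwrap … */
```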
@@ -8646,12 +8685,14 @@ ssl3_UnwrapMasterSecretServer(sslSocket *ss, sslSessionID *sid, PK11SymKey **ms) keyFlags = CKF_SIGN | CKF_VERIFY; } - /* unwrap the master secret. */ - *ms = PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, - NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, - CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH, keyFlags); + *ms = ssl_unwrapSymKey(wrapKey, sid->u.ssl3.masterWrapMech, NULL, + &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, + CKA_DERIVE, SSL3_MASTER_SECRET_LENGTH, + keyFlags, ss->pkcs11PinArg); PK11_FreeSymKey(wrapKey); if (!*ms) { + SSL_TRC(10, ("%d: SSL3[%d]: server wrapping key found, but couldn't unwrap MasterSecret. wrapMech=0x%0lx", + SSL_GETPID(), ss->fd, sid->u.ssl3.masterWrapMech)); return SECFailure; } return SECSuccess; @@ -11874,7 +11915,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { (void)ssl3_DecodeError(ss); PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE); - return SECFailure; + goto loser; } #undef MAX_HANDSHAKE_MSG_LEN @@ -11899,7 +11940,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) ss->ssl3.hs.msg_len = 0; ss->ssl3.hs.header_bytes = 0; if (rv != SECSuccess) { - return rv; + goto loser; } } else { /* must be copied to msg_body and dealt with from there */ @@ -11912,7 +11953,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len); if (rv != SECSuccess) { /* sslBuffer_Grow has set a memory error code. */ - return SECFailure; + goto loser; } PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len, @@ -11932,7 +11973,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) ss->ssl3.hs.msg_len = 0; ss->ssl3.hs.header_bytes = 0; if (rv != SECSuccess) { - return rv; + goto loser; } } else { PORT_Assert(buf.len == 0); 
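Review bot: The two `return rv;` to `goto loser;` replacements (hunks at -11899 and -11932) change what the caller sees, because the `loser` label added later in this file ends in `return SECFailure` while the old code passed `rv` through. If the call that sets `rv` can yield a non-failure status such as `SECWouldBlock`, it is now reported as a hard failure; that call is outside these hunks, so this needs confirming against the full function. If only two statuses are possible, say so next to the first jump with `/* rv is SECFailure here; loser compacts origBuf and returns SECFailure */`. Otherwise keep the status by setting `rv = SECFailure;` on the other error paths and ending the label with `return rv;`.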
@@ -11943,6 +11984,17 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */ return SECSuccess; + +loser : { + /* Make sure to remove any data that was consumed. */ + unsigned int consumed = origBuf->len - buf.len; + PORT_Assert(consumed == buf.buf - origBuf->buf); + if (consumed > 0) { + memmove(origBuf->buf, origBuf->buf + consumed, buf.len); + origBuf->len = buf.len; + } +} + return SECFailure; } /* These macros return the given value with the MSB copied to all the other diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 247d1107f417..575f4964a48a 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -1734,6 +1734,14 @@ SECStatus ssl_DecodeResumptionToken(sslSessionID *sid, const PRUint8 *encodedTic PRUint32 encodedTicketLen); PRBool ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid); +/* unwrap helper function to handle the case where the wrapKey doesn't wind + * * up in the correct token for the master secret */ +PK11SymKey *ssl_unwrapSymKey(PK11SymKey *wrapKey, + CK_MECHANISM_TYPE wrapType, SECItem *param, + SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS keyFlags, void *pinArg); + /* Remove when stable. */ SECStatus SSLExp_SetResumptionTokenCallback(PRFileDesc *fd, diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c index 825f8e1710d5..704618070078 100644 --- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c 
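Review bot: The `loser` block calls `memmove` directly while the rest of this function uses the `PORT_` wrappers (`PORT_Memcpy` in an earlier hunk); `PORT_Memmove(origBuf->buf, origBuf->buf + consumed, buf.len);` would match. The assertion compares an `unsigned int` with a pointer difference, which mixes signed and unsigned operands; `PORT_Assert(consumed == (unsigned int)(buf.buf - origBuf->buf));` states the intent. Since `PORT_Assert` is presumably compiled out of optimized builds, the compaction depends on `buf` always being a suffix of `origBuf`, and a one-line comment saying so above the subtraction would help the next reader. The function body starts outside the hunk.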
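Review bot: The comment copied into `sslimpl.h` has a stray `* *` at the start of its second line and does not say who owns the returned key or what `pinArg` is for. Suggested wording: `/* Unwrap wrappedKey with wrapKey; on failure retry once with wrapKey moved to a slot that supports target. pinArg is passed to PK11_GetBestSlot. */`, plus a line stating that the caller frees the result with `PK11_FreeSymKey`, as both call sites in this commit appear to do. The name `ssl_unwrapSymKey` also departs from the capitalised style of the neighbouring `ssl_DecodeResumptionToken` and `ssl_IsResumptionTokenUsable`.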
@@ -981,13 +981,13 @@ tls13_RecoverWrappedSharedSecret(sslSocket *ss, sslSessionID *sid) wrappedMS.len = sid->u.ssl3.keys.wrapped_master_secret_len; /* unwrap the "master secret" which is actually RMS. */ - ss->ssl3.hs.resumptionMasterSecret = PK11_UnwrapSymKeyWithFlags( + ss->ssl3.hs.resumptionMasterSecret = ssl_unwrapSymKey( wrapKey, sid->u.ssl3.masterWrapMech, NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, tls13_GetHashSizeForHash(hashType), - CKF_SIGN | CKF_VERIFY); + CKF_SIGN | CKF_VERIFY, ss->pkcs11PinArg); PK11_FreeSymKey(wrapKey); if (!ss->ssl3.hs.resumptionMasterSecret) { return SECFailure; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 45392b9391b8..75c32f46c004 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,12 +19,12 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.43" +#define NSSUTIL_VERSION "3.44 Beta" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 43 +#define NSSUTIL_VMINOR 44 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_FALSE +#define NSSUTIL_BETA PR_TRUE SEC_BEGIN_PROTOS diff --git a/security/nss/tests/cert/cert.sh b/security/nss/tests/cert/cert.sh index b74de9be5356..616043cff16b 100755 --- a/security/nss/tests/cert/cert.sh +++ b/security/nss/tests/cert/cert.sh @@ -317,7 +317,7 @@ cert_create_cert() cert_add_cert() { CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then return $RET 
@@ -343,7 +343,7 @@ cert_add_cert() # Generate and add DSA cert # CU_ACTION="Generate DSA Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then @@ -367,7 +367,7 @@ cert_add_cert() # Generate DSA certificate signed with RSA CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k dsa -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then @@ -398,7 +398,7 @@ cert_add_cert() # CURVE="secp384r1" CU_ACTION="Generate EC Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then @@ -422,7 +422,7 @@ cert_add_cert() # Generate EC certificate signed with RSA CU_ACTION="Generate mixed EC Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 if [ "$RET" -ne 0 ]; then 
@@ -455,7 +455,7 @@ cert_add_cert() grep 'TestUser-rsa-pss-interop$' | sed -n 's/^<.*> [^ ]\{1,\} *\([^ ]\{1,\}\).*/\1/p'` CU_ACTION="Generate RSA-PSS Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-rsa-pss@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ${KEYID} -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -873,15 +873,15 @@ cert_smime_client() ## call to cert_create_cert ends up creating two separate certs ## one for Eve and another for Eve-ec but they both end up with ## the same Subject Alt Name Extension, i.e., both the cert for -## Eve@bogus.com and the cert for Eve-ec@bogus.com end up -## listing eve@bogus.net in the Certificate Subject Alt Name extension. +## Eve@example.com and the cert for Eve-ec@example.com end up +## listing eve@example.net in the Certificate Subject Alt Name extension. ## This can cause a problem later when cmsutil attempts to create ## enveloped data and accidently picks up the ECC cert (NSS currently ## does not support ECC for enveloped data creation). This script ## avoids the problem by ensuring that these conflicting certs are ## never added to the same cert database (see comment marked XXXX). echo "$SCRIPTNAME: Creating multiEmail's Certificate --------------------" - cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@bogus.net,eve@bogus.cc,beve@bogus.com" + cert_create_cert "${EVEDIR}" "Eve" 60 ${D_EVE} "-7 eve@example.net,eve@example.org,beve@example.com" #echo "************* Copying CA files to ${SERVERDIR}" #cp ${CADIR}/*.db . 
@@ -891,7 +891,7 @@ cert_smime_client() # #cd ${CERTDIR} #CU_ACTION="Creating ${CERTNAME}'s Server Cert" - #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" + #CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS Netscape, L=Mountain View, ST=California, C=US" #certu -S -n "${CERTNAME}" -c "TestCA" -t "u,u,u" -m "$CERTSERIAL" \ # -d ${PROFILEDIR} -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1 @@ -975,7 +975,7 @@ cert_extended_ssl() modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request (ext)" @@ -995,7 +995,7 @@ cert_extended_ssl() # Repeat the above for DSA certs # CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1017,7 +1017,7 @@ cert_extended_ssl() # Repeat again for mixed DSA certs # CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 
@@ -1040,7 +1040,7 @@ cert_extended_ssl() # EC_CURVE="secp256r1" CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1063,7 +1063,7 @@ cert_extended_ssl() # EC_CURVE="secp256r1" CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1124,7 +1124,7 @@ cert_extended_ssl() modu -add "RootCerts" -libfile "${ROOTCERTSFILE}" -dbdir "${PROFILEDIR}" 2>&1 CU_ACTION="Generate Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" \ -o req 2>&1 @@ -1144,7 +1144,7 @@ cert_extended_ssl() # Repeat the above for DSA certs # CU_ACTION="Generate DSA Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsa@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 
@@ -1167,7 +1167,7 @@ cert_extended_ssl() # Repeat the above for mixed DSA certs # CU_ACTION="Generate mixed DSA Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-dsamixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k dsa -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1191,7 +1191,7 @@ cert_extended_ssl() # Repeat the above for EC certs # CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1214,7 +1214,7 @@ cert_extended_ssl() # Repeat the above for mixed EC certs # CU_ACTION="Generate mixed EC Cert Request for $CERTNAME (ext)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ecmixed@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1387,7 +1387,7 @@ MODSCRIPT RETEXPECTED=0 CU_ACTION="Generate Certificate for ${CERTNAME}" - CU_SUBJECT="CN=${CERTNAME}, E=fips@bogus.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=fips@example.com, O=BOGUS NSS, OU=FIPS PUB 140, L=Mountain View, ST=California, C=US" certu -S -n ${FIPSCERTNICK} -x -t "Cu,Cu,Cu" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -k dsa -v 600 -m 500 -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: FIPS passed" 
@@ -1439,7 +1439,7 @@ cert_eccurves() CERTNAME="Curve-${CURVE}" CERTSERIAL=`expr $CERTSERIAL + 1 ` CU_ACTION="Generate EC Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -z "${R_NOISE_FILE}" -o req 2>&1 @@ -1464,7 +1464,7 @@ cert_extensions_test() { COUNT=`expr ${COUNT} + 1` CERTNAME=TestExt${COUNT} - CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" echo echo certutil -d ${CERT_EXTENSIONS_DIR} -S -n ${CERTNAME} \ @@ -2026,7 +2026,7 @@ cert_test_password() # finally make sure we can use the old key with the new password CU_ACTION="Generate Certificate for ${CERTNAME} with new password" - CU_SUBJECT="CN=${CERTNAME}, E=password@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=password@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -S -n PasswordCert -c PasswordCA -t "u,u,u" -d "${PROFILEDIR}" -f "${R_FIPSPWFILE}" -z "${R_NOISE_FILE}" 2>&1 if [ "$RET" -eq 0 ]; then cert_log "SUCCESS: PASSWORD passed" 
@@ -2055,7 +2055,7 @@ cert_test_distrust() certu -M -n "Distrusted" -t p,p,p -d ${PROFILEDIR} -f "${R_PWFILE}" 2>&1 echo "$SCRIPTNAME: Creating Distrusted Intermediate" CERTNAME="DistrustedCA" - ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + ALL_CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" cert_CA ${CADIR} "${CERTNAME}" "-c TestCA" ",," ${D_CA} 2010 2>&1 CU_ACTION="Import Distrusted Intermediate" certu -A -n "${CERTNAME}" -t "p,p,p" -f "${R_PWFILE}" -d "${PROFILEDIR}" \ @@ -2065,7 +2065,7 @@ cert_test_distrust() # since it's not signed by TestCA it requires more steps. CU_ACTION="Generate Cert Request for Leaf Chained to Distrusted CA" CERTNAME="LeafChainedToDistrustedCA" - CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=${CERTNAME}, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2205,7 +2205,7 @@ cert_test_rsapss() CERTNAME="TestUser-rsa-pss1" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" 
@@ -2236,7 +2236,7 @@ EOF CERTNAME="TestUser-rsa-pss2" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2267,7 +2267,7 @@ EOF CERTNAME="TestUser-rsa-pss3" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2298,7 +2298,7 @@ EOF CERTNAME="TestUser-rsa-pss4" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2329,7 +2329,7 @@ EOF CERTNAME="TestUser-rsa-pss5" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" 
@@ -2360,7 +2360,7 @@ EOF CERTNAME="TestUser-rsa-pss6" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2392,7 +2392,7 @@ EOF CERTNAME="TestUser-rsa-pss7" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2409,7 +2409,7 @@ EOF CERTNAME="TestUser-rsa-pss8" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2440,7 +2440,7 @@ EOF CERTNAME="TestUser-rsa-pss9" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" 
@@ -2471,7 +2471,7 @@ EOF CERTNAME="TestUser-rsa-pss10" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2503,7 +2503,7 @@ EOF CERTNAME="TestUser-rsa-pss11" CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" @@ -2571,7 +2571,7 @@ cert_test_rsapss_policy() # Issuer certificate: RSA # Signature: RSA-PSS (explicit, with --pss-sign and -Z SHA1) CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 CU_ACTION="Sign ${CERTNAME}'s Request" diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh index 2b5cef840b1b..f9ee459e126b 100644 --- a/security/nss/tests/common/certsetup.sh +++ b/security/nss/tests/common/certsetup.sh 
@@ -47,11 +47,12 @@ make_cert() { rsa_ca_rsapss_chain) type_args=(-g 1024 --pss-sign);sign=(-c rsa_ca);type=rsa;; ecdh_rsa) type_args=(-q nistp256);sign=(-c rsa_ca);type=ec ;; esac + msg="create certificate: $@" shift 2 counter=$(($counter + 1)) certscript $@ | ${BINDIR}/certutil -S \ - -z ${R_NOISE_FILE} -d "${PROFILEDIR}" \ + -z "$R_NOISE_FILE" -d "$PROFILEDIR" \ -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \ -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2 - html_msg $? 0 "create certificate: $@" + html_msg $? 0 "$msg" } diff --git a/security/nss/tests/crmf/crmf.sh b/security/nss/tests/crmf/crmf.sh index 6059c19912ea..4e1f357822db 100644 --- a/security/nss/tests/crmf/crmf.sh +++ b/security/nss/tests/crmf/crmf.sh @@ -58,12 +58,12 @@ crmf_init() crmf_main() { echo "$SCRIPTNAME: CRMF/CMMF Tests ------------------------------" - echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode" - ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss crmf decode + echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode" + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss crmf decode html_msg $? 0 "CRMF test" "." - echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf" - ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@bogus.com -s TestCA -P nss cmmf + echo "crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf" + ${BINDIR}/crmftest -d ${P_R_BOBDIR} -p Bob -e dave@example.com -s TestCA -P nss cmmf html_msg $? 0 "CMMF test" "." # Add tests for key recovery and challange as crmftest's capabilities increase diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh index f9f3ca81c2e4..2b45e1ccda00 100755 --- a/security/nss/tests/gtests/gtests.sh +++ b/security/nss/tests/gtests/gtests.sh 
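Review bot: `msg="create certificate: $@"` assigns an array expansion to a scalar; `$*` is the form that joins the arguments into one string, so `msg="create certificate: $*"` is the clearer spelling. The same hunk quotes `$R_NOISE_FILE` and `$PROFILEDIR` but leaves `certscript $@` and `-n $name` unquoted, so arguments containing spaces or glob characters are still split; `certscript "$@"` and `-n "$name"` would finish the job. `make_cert` starts outside the hunk.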
@@ -23,6 +23,7 @@ gtest_init() { cd "$(dirname "$1")" + pwd SOURCE_DIR="$PWD"/../.. if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then cd ../common @@ -30,11 +31,14 @@ gtest_init() fi SCRIPTNAME=gtests.sh + . "${QADIR}"/common/certsetup.sh if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for CLEANUP="${SCRIPTNAME}" # cleaning this script will do it fi + mkdir -p "${GTESTDIR}" + cd "${GTESTDIR}" } ########################## gtest_start ############################# @@ -48,20 +52,22 @@ gtest_start() html_unknown "Skipping $i (not built)" continue fi - GTESTDIR="${HOSTDIR}/$i" + DIR="${GTESTDIR}/$i" html_head "$i" - if [ ! -d "$GTESTDIR" ]; then - mkdir -p "$GTESTDIR" - echo "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1 - "${BINDIR}/certutil" -N -d "$GTESTDIR" --empty-password 2>&1 + if [ ! -d "$DIR" ]; then + mkdir -p "$DIR" + echo "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1 + "${BINDIR}/certutil" -N -d "$DIR" --empty-password 2>&1 + + PROFILEDIR="$DIR" make_cert dummy p256 sign fi - cd "$GTESTDIR" - GTESTREPORT="$GTESTDIR/report.xml" - PARSED_REPORT="$GTESTDIR/report.parsed" + pushd "$DIR" + GTESTREPORT="$DIR/report.xml" + PARSED_REPORT="$DIR/report.parsed" echo "executing $i" "${BINDIR}/$i" "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \ - -d "$GTESTDIR" -w --gtest_output=xml:"${GTESTREPORT}" \ - --gtest_filter="${GTESTFILTER:-*}" + -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \ + --gtest_filter="${GTESTFILTER:-*}" html_msg $? 0 "$i run successfully" echo "test output dir: ${GTESTREPORT}" echo "executing sed to parse the xml report" @@ -76,14 +82,14 @@ gtest_start() html_failed_ignore_core "$name" fi done + popd done } gtest_cleanup() { html "
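Review bot: `mkdir -p "${GTESTDIR}"` and `cd "${GTESTDIR}"` in `gtest_init` (hunk at -30,11) depend on `GTESTDIR`, and no visible line in this file assigns it any more: the next hunk removes `GTESTDIR="${HOSTDIR}/$i"` and builds `DIR="${GTESTDIR}/$i"` from it instead. It is presumably set by the sourced common init script, but if it is ever empty, `DIR` becomes `/$i` and the certificate database and reports are created at the filesystem root. Failing fast is a small change: `mkdir -p "${GTESTDIR:?}"`. The `pwd` added in the first hunk looks like leftover debugging output.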
" - cd "${QADIR}" - . common/cleanup.sh + . "${QADIR}"/common/cleanup.sh } ################## main ################################################# diff --git a/security/nss/tests/iopr/cert_iopr.sh b/security/nss/tests/iopr/cert_iopr.sh index bb1bf047c250..b162a2d81ce1 100644 --- a/security/nss/tests/iopr/cert_iopr.sh +++ b/security/nss/tests/iopr/cert_iopr.sh @@ -252,7 +252,7 @@ download_install_certs() { CERTNAME=$HOSTADDR CU_ACTION="Generate Cert Request for $CERTNAME (ws: $host)" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, \ + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@example.com, O=BOGUS NSS, \ L=Mountain View, ST=California, C=US" certu -R -d "${sslServerDir}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}"\ -o $sslServerDir/req 2>&1 diff --git a/security/nss/tests/iopr/server_scr/cert_gen.sh b/security/nss/tests/iopr/server_scr/cert_gen.sh index 17771ade1640..6611a0f416a2 100644 --- a/security/nss/tests/iopr/server_scr/cert_gen.sh +++ b/security/nss/tests/iopr/server_scr/cert_gen.sh @@ -116,7 +116,7 @@ createSignedCert() { echo Creating cert $certName-$keyType with SN=$certSN - CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=$certName, E=${certName}-${keyType}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" repAndExec \ certutil -R -d $dir -f "${PW_FILE}" -z "${NOISE_FILE}" \ -k $keyType -o $dir/req 2>&1 @@ -267,7 +267,7 @@ generateAndExportCACert() { certName=TestCA [ "$caName" ] && certName=$caName - CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + CU_SUBJECT="CN=NSS IOPR Test CA $$, E=${certName}@example.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" repAndExec \ certutil -S -n $certName -t "CTu,CTu,CTu" -v 600 -x -d ${dir} -1 -2 \ -f ${PW_FILE} -z ${NOISE_FILE} -m `expr $$ + 2238` >&1 < TestCA.ca.cert certutil -d . -L -n u50 -r > TestUser50.cert 
diff --git a/security/nss/tests/libpkix/certs/nss2alice b/security/nss/tests/libpkix/certs/nss2alice old mode 100755 new mode 100644 index 48172a5ed51a..07ebff7ab2be Binary files a/security/nss/tests/libpkix/certs/nss2alice and b/security/nss/tests/libpkix/certs/nss2alice differ diff --git a/security/nss/tests/smime/bob.txt b/security/nss/tests/smime/bob.txt index 330b2c94d576..5ec307f0b6bd 100644 --- a/security/nss/tests/smime/bob.txt +++ b/security/nss/tests/smime/bob.txt @@ -1,6 +1,6 @@ Date: Wed, 20 Sep 2000 00:00:01 -0700 (PDT) -From: bob@bogus.com +From: bob@example.com Subject: message Bob --> Alice -To: alice@bogus.com +To: alice@example.com This is a test message from Bob to Alice. diff --git a/security/nss/tests/smime/smime.sh b/security/nss/tests/smime/smime.sh index 02a2b843e9a0..f319d93ccb45 100755 --- a/security/nss/tests/smime/smime.sh +++ b/security/nss/tests/smime/smime.sh @@ -107,8 +107,8 @@ cms_sign() } header_mime_from_to_subject="MIME-Version: 1.0 -From: Alice@bogus.com -To: Bob@bogus.com +From: Alice@example.com +To: Bob@example.com Subject: " header_opaque_signed="Content-Type: application/pkcs7-mime; name=smime.p7m; @@ -167,7 +167,7 @@ mime_init() smime_enveloped() { - ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env + ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i tb/alice.mime -d ${P_R_ALICEDIR} -p nss -o tb/alice.mime.env OUT="tb/alice.env.eml" echo -n "${header_mime_from_to_subject}" >>${OUT} @@ -191,7 +191,7 @@ smime_signed_enveloped() cat tb/alice.mime.d${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT} echo "${multipart_end}" >>${OUT} - ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env + ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env OUT="tb/alice.d${SIG}.multipart.eml" echo -n "${header_mime_from_to_subject}" >>${OUT} 
@@ -213,7 +213,7 @@ smime_signed_enveloped()
 echo "$header_opaque_signed" >>${OUT}
 cat tb/alice.textplain.${SIG} | ${BINDIR}/btoa | sed 's/\r$//' >>${OUT}
- ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i ${OUT} -d ${P_R_ALICEDIR} -p nss -o ${OUT}.env
 OUT="tb/alice.${SIG}.opaque.eml"
 echo -n "${header_mime_from_to_subject}" >>${OUT}
@@ -301,9 +301,9 @@ smime_main()
 smime_signed_enveloped
 echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
- echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
+ echo "cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"
 echo " -o alice.env"
- ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
+ ${PROFTOOL} ${BINDIR}/cmsutil -E -r bob@example.com -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.env
 html_msg $? 0 "Create Enveloped Data Alice" "."
 echo "cmsutil -D -i alice.env -d ${P_R_BOBDIR} -p nss -o alice.data1"
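Review bot: The recipient address is still spelled out twice in the -301 hunk, once in the echoed command and once in the `cmsutil -E -r bob@example.com` call that actually runs, and the same echo/command pairs recur in the hunks at -317, -359 and -370, so the logged command and the executed one can drift apart on the next rename. Holding the address in one variable, e.g. `BOB_ADDR=bob@example.com` used as `-r "${BOB_ADDR}"` in both places, would keep them in step. `-r` presumably selects the recipient certificate in `${P_R_ALICEDIR}` by this address, so the script that creates those test certificates (not visible in this hunk) has to carry the same example.com addresses or the enveloping steps will fail. The body of smime_main starts and ends outside the hunk.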
@@ -317,23 +317,23 @@ smime_main()
 # multiple recip
 echo "$SCRIPTNAME: Testing multiple recipients ------------------------------"
 echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \\"
- echo " -r bob@bogus.com,dave@bogus.com"
+ echo " -r bob@example.com,dave@example.com"
 ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o alicecc.env \
- -r bob@bogus.com,dave@bogus.com
+ -r bob@example.com,dave@example.com
 ret=$?
 html_msg $ret 0 "Create Multiple Recipients Enveloped Data Alice" "."
 if [ $ret != 0 ] ; then
 echo "certutil -L -d ${P_R_ALICEDIR}"
 ${BINDIR}/certutil -L -d ${P_R_ALICEDIR}
- echo "certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com"
- ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@bogus.com
+ echo "certutil -L -d ${P_R_ALICEDIR} -n dave@example.com"
+ ${BINDIR}/certutil -L -d ${P_R_ALICEDIR} -n dave@example.com
 fi
 echo "$SCRIPTNAME: Testing multiple email addrs ------------------------------"
 echo "cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \\"
- echo " -r eve@bogus.net"
+ echo " -r eve@example.net"
 ${PROFTOOL} ${BINDIR}/cmsutil -E -i alice.txt -d ${P_R_ALICEDIR} -o aliceve.env \
- -r eve@bogus.net
+ -r eve@example.net
 ret=$?
 html_msg $ret 0 "Encrypt to a Multiple Email cert" "."
@@ -359,9 +359,9 @@ smime_main()
 html_msg $? 0 "Compare Decoded with Multiple Email cert" "."
 echo "$SCRIPTNAME: Sending CERTS-ONLY Message ------------------------------"
- echo "cmsutil -O -r \"Alice,bob@bogus.com,dave@bogus.com\" \\"
+ echo "cmsutil -O -r \"Alice,bob@example.com,dave@example.com\" \\"
 echo " -d ${P_R_ALICEDIR} > co.der"
- ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@bogus.com,dave@bogus.com" -d ${P_R_ALICEDIR} > co.der
+ ${PROFTOOL} ${BINDIR}/cmsutil -O -r "Alice,bob@example.com,dave@example.com" -d ${P_R_ALICEDIR} > co.der
 html_msg $? 0 "Create Certs-Only Alice" "."
 echo "cmsutil -D -i co.der -d ${P_R_BOBDIR}"
@@ -370,9 +370,9 @@ smime_main()
 echo "$SCRIPTNAME: Encrypted-Data Message ---------------------------------"
 echo "cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \\"
- echo " -r \"bob@bogus.com\" > alice.enc"
+ echo " -r \"bob@example.com\" > alice.enc"
 ${PROFTOOL} ${BINDIR}/cmsutil -C -i alice.txt -e alicehello.env -d ${P_R_ALICEDIR} \
- -r "bob@bogus.com" > alice.enc
+ -r "bob@example.com" > alice.enc
 html_msg $? 0 "Create Encrypted-Data" "."
 echo "cmsutil -D -i alice.enc -d ${P_R_BOBDIR} -e alicehello.env -p nss \\"