Update to NSS 3.16.2 Beta 3.

nss/lib/pk11wrap/pk11cert.c

Index: nss/lib/pk11wrap/pk11cert.c
diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c
index 39168b96cc9bc004939501764a5efbce82af2bfb..3f3edb1194643f8345d3f67938b0193c9f3eeccf 100644
--- a/nss/lib/pk11wrap/pk11cert.c
+++ b/nss/lib/pk11wrap/pk11cert.c
@@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
      * CERTCertificate, and finish
      */
     nssPKIObject_AddInstance(&c->object, certobj);
+    /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
+     * replace 'c' by a different value. So we add a reference to 'c' to
+     * prevent 'c' from being destroyed. */
+    nssCertificate_AddRef(c);

[Ryan Sleevi, 2014/06/05 00:22:30]

I wonder if this is responsible for the crashes we've been seeing

[wtc, 2014/06/05 03:00:10]

Yes, this is the best lead I have. I found PK11_ImportCert calls
in the Chromium source tree, e.g., in net/cert/cert_database_nss.cc.

     nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
+    /* XXX should we pass the original value of 'c' to
+     * STAN_ForceCERTCertificateUpdate? */
     (void)STAN_ForceCERTCertificateUpdate(c);
+    nssCertificate_Destroy(c);
     SECITEM_FreeItem(keyID,PR_TRUE);
     return SECSuccess;
 loser: