NSS will refuse to close with NSS_Shutdown if any reference hasn’t been released.
(See <news:ct639f$id65@ripley.netscape.com> : « The reason do this is to prevent our clients from re-initializing NSS for a different user while some NSS objects that may potentially provide access to secret information of the previous user are still around. »)

But how to check for that ?

See <news:mailman.1096309200.26448.mozilla-crypto@mozilla.org> : « You can get the list of some objects (Modules and slots). Others aren’t necessarily kept around by NSS. The cert, and key objects are passed to the user with their own reference. These objects, in turn, contain references to slots. »

So NSS doesn’t keep a list of certs and keys, but each that is created increments a reference counters, and the counter will only go down when they are destroyed ?

The shutdown function is here : http://lxr.mozilla.org/seamonkey/source/security/nss/lib/pk11wrap/pk11util.c#117 and it only checks that secmod_PrivateModuleCount is 0.
In fact (cf http://lxr.mozilla.org/seamonkey/source/security/nss/lib/pk11wrap/pk11util.c#197), each module has is own slot list.

SECMOD_Shutdown calls PK11_FreeSlotList for each slot, and that one calls pk11_FreeListElement on each element. pk11_FreeListElement decrements the element, and releases it if it’s refCount is 1.

It doesn’t seem like making sure everything is freed is easy 🙁

<news:mailman.1096309200.26448.mozilla-crypto@mozilla.org> : « The best way to debug these is to step through your code globally and look at the slot reference values »

Indeed, but it seems there’s quite a lot to check. At least the message implies, you don’t need to check the modules separately.