Bug 854604 - Null-check funobj. r=mrbkap

I've audited all the places where we instantiate an XPCCallContext with more
than just (cx, {NATIVE,JS}_CALLER), and the toString hook is the only place
where we don't check IsValid() or something that depends on it.

js/xpconnect/crashtests/854604.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+  SpecialPowers.wrap(SpecialPowers.Components).toString();
+</script>
+</head>
+<body>
+</body>
+</html>

js/xpconnect/crashtests/crashtests.list

@@ -50,3 +50,4 @@ load 791845.html
 load 797583.html
 load 806751.html
 load 833856.html
+load 854604.html

js/xpconnect/src/XPCCallContext.cpp

@@ -462,6 +462,10 @@ XPCCallContext::UnwrapThisIfAllowed(JSObject *object, JSObject *fun, unsigned ar
     MOZ_ASSERT(!js::UnwrapObjectChecked(obj));
     MOZ_ASSERT(js::IsObjectInContextCompartment(obj, mJSContext));
 
+    // We can't do anything here without a function.
+    if (!fun)
+        return nullptr;
+
     // Determine if we're allowed to unwrap the security wrapper to invoke the
     // method.
     //

js/xpconnect/src/XPCWrappedNativeJSOps.cpp

@@ -106,6 +106,8 @@ XPC_WN_Shared_ToString(JSContext *cx, unsigned argc, jsval *vp)
     }
 
     XPCCallContext ccx(JS_CALLER, cx, obj);
+    if (!ccx.IsValid())
+        return Throw(NS_ERROR_XPC_BAD_OP_ON_WN_PROTO, cx);
     ccx.SetName(ccx.GetRuntime()->GetStringID(XPCJSRuntime::IDX_TO_STRING));
     ccx.SetArgsAndResultPtr(argc, JS_ARGV(cx, vp), vp);
     return ToStringGuts(ccx);