The reason why this works correctly for Nodes is that in the generated wrapSlow function we get the proxy from the frame of the node. For non nodes we do not generally have a way to get to the frame. For things like DOMTokenList and NodeList we sometimes have a pointer to the owner node but maybe a better thing to do is to include the proxy/frame/node in the call to toV8 when we first get the object. Today: static v8::Handle<v8::Value> childNodesAttrGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info) { INC_STATS("DOM.Node.childNodes._get"); Node* imp = V8Node::toNative(info.Holder()); return toV8(imp->childNodes()); } maybe we should do something like: static v8::Handle<v8::Value> childNodesAttrGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info) { INC_STATS("DOM.Node.childNodes._get"); Node* imp = V8Node::toNative(info.Holder()); return toV8(imp->childNodes(), imp); } and then generate toV8 functions that take T* and a Node*. Another option might be to enter the context of imp before calling toV8 but seems a lot more expensive. JSC passes the global into toJS JSValue result = toJS(exec, castedThis->globalObject(), WTF::getPtr(impl->childNodes())); Still, this will not work for collections and other things. I think we need to be able to get the global out of the object and pass that to toV8.

This is a pervasive problem in the V8 bindings. We fixed this in JSC a while ago, but it will take some work to fix comprehensively in V8.

Closing some V8-related work items.