In V8 bindings toNative conversion of a v8 handle to the wrapped native object is implemented as a reinterpret_cast<> to the exact type of the wrapped object, e.g.: class V8Element { ... static Element* toNative(v8::Handle<v8::Object> object) { return reinterpret_cast<Element*>(object->GetPointerFromInternalField(v8DOMWrapperObjectIndex)); } this is true for all wrapper classes in the prototype chain that cast the pointer stored in v8DOMWrapperObjectIndex internal field to the type they require. Given that wrapSlow method will always store Node* pointer, toNative method assumes that the pointer to the wrapped object cast to Node* will point to the same address as the original one. This assumption may easily be broken if we have some classes with virtual methods in the ancestors list before the Node(see attached patch for example). This can be fixed by changing the toNative method to something like this: static Element* toNative(v8::Handle<v8::Object> object) { return static_cast<Element*>(static_cast<Node*>(object->GetPointerFromInternalField(v8DOMWrapperObjectIndex))); } There is a worse problem in case of external arrays(and probably something else) where we first store pointer to Int32Array into the field and later may reinterpret_cast it to ArrayBufferView*