This is a cleaned up fix of Christian's original patch in ...

webkit/port/bindings/v8/v8_proxy.cpp

 // Copyright (c) 2008, Google Inc.
 // All rights reserved.
 // 
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 // 
 //     * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
@@ skipping 1335 matching lines @@
     result = function->Call(receiver, argc, args);
   }
 
   if (v8::V8::IsDead())
     HandleFatalErrorInV8();
 
   return result;
 }
 
 
+v8::Local<v8::Function> V8Proxy::GetConstructor(V8ClassIndex::V8WrapperType t)
+{
+    ASSERT(ContextInitialized());
+    v8::Local<v8::Value> cached =
+        m_dom_constructor_cache->Get(v8::Integer::New(V8ClassIndex::ToInt(t)));
+    if (cached->IsFunction()) {
+        return v8::Local<v8::Function>::Cast(cached);
+    }
+
+    // Not in cache.
+    {
+        v8::Handle<v8::FunctionTemplate> templ = GetTemplate(t);
+        v8::TryCatch try_catch;
+        // This might fail if we're running out of stack or memory.
+        v8::Local<v8::Function> value = templ->GetFunction();
+        if (value.IsEmpty())
+            return v8::Local<v8::Function>();
+        m_dom_constructor_cache->Set(v8::Integer::New(t), value);
+        // Hotmail fix, see comments in v8_proxy.h above
+        // m_dom_constructor_cache.
+        value->Set(v8::String::New("__proto__"), m_object_prototype);
+        return value;
+    }
+}
+
+
 v8::Persistent<v8::FunctionTemplate> V8Proxy::GetTemplate(
     V8ClassIndex::V8WrapperType type)
 {
   v8::Persistent<v8::FunctionTemplate>* cache_cell =
       V8ClassIndex::GetCache(type);
   if (!(*cache_cell).IsEmpty())
     return *cache_cell;
 
   // not found
   FunctionTemplateFactory factory = V8ClassIndex::GetFactory(type);
@@ skipping 430 matching lines @@
     if (!m_document.IsEmpty()) {
 #ifndef NDEBUG
         UnregisterGlobalHandle(this, m_document);
 #endif
         m_document.Dispose();
         m_document.Clear();
     }
 }
 
 
+void V8Proxy::DisposeContext() {
+    ASSERT(!m_context.IsEmpty());
+    m_context.Dispose();
+    m_context.Clear();
+
+#ifndef NDEBUG
+    UnregisterGlobalHandle(this, m_object_prototype);
+    UnregisterGlobalHandle(this, m_dom_constructor_cache);
+#endif
+
+    ASSERT(!m_dom_constructor_cache.IsEmpty());
+    m_dom_constructor_cache.Dispose();
+    m_dom_constructor_cache.Clear();
+
+    ASSERT(!m_object_prototype.IsEmpty());
+    m_object_prototype.Dispose();
+    m_object_prototype.Clear();
+}
+
 void V8Proxy::clearForClose()
 {
     if (!m_context.IsEmpty()) {
         v8::HandleScope handle_scope;
 
         ClearDocumentWrapper();
-        m_context.Dispose();
-        m_context.Clear();
+        DisposeContext();
     }
 }
 
 
 void V8Proxy::clearForNavigation()
 {
     if (!m_context.IsEmpty()) {
         v8::HandleScope handle;
         ClearDocumentWrapper();
 
         v8::Context::Scope context_scope(m_context);
 
         // Turn on access check on the old DOMWindow wrapper.
         v8::Handle<v8::Object> wrapper =
             LookupDOMWrapper(V8ClassIndex::DOMWINDOW, m_global);
         ASSERT(!wrapper.IsEmpty());
         wrapper->TurnOnAccessCheck();
 
         // Clear all timeouts.
         DOMWindow* domWindow =
             ToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, wrapper);
         domWindow->clearAllTimeouts();
 
         // disconnect all event listeners
         DisconnectEventListeners();
 
         // Separate the context from its global object.
         m_context->DetachGlobal();
 
-        m_context.Dispose();
-        m_context.Clear();
+        DisposeContext();
 
         // Reinitialize the context so the global object points to
         // the new DOM window.
         initContextIfNeeded();
     }
 }
 
 
 void V8Proxy::SetSecurityToken() {
     Document* document = m_frame->document();
@@ skipping 234 matching lines @@
   v8::Context::Scope scope(context);
 
   // Store the first global object created so we can reuse it.
   if (m_global.IsEmpty()) {
     m_global = v8::Persistent<v8::Object>::New(context->Global());
 #ifndef NDEBUG
     RegisterGlobalHandle(PROXY, this, m_global);
 #endif
   }
 
+  v8::Handle<v8::Object> object = v8::Handle<v8::Object>::Cast(
+      m_global->Get(v8::String::New("Object")));
+  m_object_prototype = v8::Persistent<v8::Value>::New(
+      object->Get(v8::String::New("prototype")));
+  m_dom_constructor_cache = v8::Persistent<v8::Array>::New(
+      v8::Array::New(V8ClassIndex::WRAPPER_TYPE_COUNT));
+#ifndef NDEBUG
+  RegisterGlobalHandle(PROXY, this, m_object_prototype);
+  RegisterGlobalHandle(PROXY, this, m_dom_constructor_cache);
+#endif
+
   // Create a new JS window object and use it as the prototype for the
   // shadow global object.
-  v8::Persistent<v8::FunctionTemplate> window_descriptor =
-      GetTemplate(V8ClassIndex::DOMWINDOW);
+  v8::Handle<v8::Function> window_constructor =
+      GetConstructor(V8ClassIndex::DOMWINDOW);
   v8::Local<v8::Object> js_window =
-      SafeAllocation::NewInstance(window_descriptor->GetFunction());
+      SafeAllocation::NewInstance(window_constructor);
   if (js_window.IsEmpty())
     return;
 
   DOMWindow* window = m_frame->domWindow();
 
   // Wrap the window.
   SetDOMWrapper(js_window,
                 V8ClassIndex::ToInt(V8ClassIndex::DOMWINDOW),
                 window);
 
@@ skipping 293 matching lines @@
     V8ClassIndex::V8WrapperType desc_type,
     V8ClassIndex::V8WrapperType cptr_type,
     void* imp)
 {
   // Make a special case for document.all
   if (desc_type == V8ClassIndex::HTMLCOLLECTION &&
       static_cast<HTMLCollection*>(imp)->type() == HTMLCollection::DocAll) {
     desc_type = V8ClassIndex::UNDETECTABLEHTMLCOLLECTION;
   }
 
-  v8::Persistent<v8::FunctionTemplate> desc = GetTemplate(desc_type);
-  v8::Local<v8::Function> function = desc->GetFunction();
+  v8::Local<v8::Function> function;
+  V8Proxy* proxy = V8Proxy::retrieve();
+  if (proxy) {
+    // Constructor is configured.
+    function = proxy->GetConstructor(desc_type);
+  } else {
+    function = GetTemplate(desc_type)->GetFunction();

[Mads Ager (chromium), 2008/12/06 19:03:36]

When do we get in the situation that we cannot use GetConstructor?  I guess this
means that you can get to the resulting DOM wrapper's constructor, which will be
a DOM wrapper constructor function which will actually have Function.prototype
as it's prototype.  It seems unlikely that this will matter since accessing the
constructor functions directly by name will always set it up correctly, but it
would still be nice if we could set the prototype to Object.prototype in this
case as well.

[Feng Qian, 2008/12/08 05:49:41]

The problem is that it may not get proxy because the Frame is in teardown mode,
and JS is disabled.

We should stick m_dom_constructor_cache and m_object_prototype to the context
instead of on V8Proxy, then we can avoid this problem.

This is a quick workaround one layout test crash. I need to file a bug for this.

On 2008/12/06 19:03:36, Mads Ager wrote:

+  }
   v8::Local<v8::Object> instance = SafeAllocation::NewInstance(function);
   if (!instance.IsEmpty()) {
     // Avoid setting the DOM wrapper for failed allocations.
     SetDOMWrapper(instance, V8ClassIndex::ToInt(cptr_type), imp);
   }
   return instance;
 }
 
 v8::Handle<v8::Value> V8Proxy::CheckNewLegal(const v8::Arguments& args)
 {
@@ skipping 711 matching lines @@
     v8::Handle<v8::Object> global = context->Global();
     global->Set(v8::String::New(name), instance);
 }
 
 void V8Proxy::ProcessConsoleMessages()
 {
     ConsoleMessageManager::ProcessDelayedMessages();
 }
 
 }  // namespace WebCore