Created attachment 180762 [details] Demo

Oh, thanks for filing this Ryosuke. When I made the reduction, I meant to file it but forgot :(.

Quoting Sam: It looks like the issue is that in JSHTMLFormControlsCollection::getOwnPropertySlot, we are looking up in the name getter before we have a chance to lookup the "length" builtin propert. This was not an issue when we returned an HTMLCollection, because HTMLCollection is the interface that contains a length property, so the early call to: const HashEntry* entry = JSHTMLFormControlsCollectionTable.entry(exec, propertyName); if (entry) { slot.setCustom(thisObject, entry->propertyGetter()); return true; } (which in HTMLCollection replaces JSHTMLFormControlsCollectionTable with JSHTMLCollectionTable) gets the length property. The fix is probably to make that call also chain up to any parents (as is done in getStaticValueSlot), or just to move the call to getStaticValueSlot earlier. I say probably, as we should test what other browsers do and make sure this in line with WebIDL.

Created attachment 182031 [details] Fixes the bug

Attachment 182031 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1 Source/WebCore/ChangeLog:16: Line contains tab character. [whitespace/tab] [5] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.

Committed r139278: <http://trac.webkit.org/changeset/139278>