It is less likely to hit the "splice" or "callee" getter than the "length" one.
See http://code.google.com/p/chromium/issues/detail?id=78862 for downstream bug.
Created attachment 132253 [details]
Comment on attachment 132253 [details]
Clearing flags on attachment: 132253
Committed r111385: <http://trac.webkit.org/changeset/111385>
All reviewed patches have been landed. Closing bug.