It is less likely to hit the "splice" or "callee" getter than the "length" one. See http://code.google.com/p/chromium/issues/detail?id=78862 for downstream bug.
Created attachment 132253 [details] Patch
Comment on attachment 132253 [details] Patch Clearing flags on attachment: 132253 Committed r111385: <http://trac.webkit.org/changeset/111385>
All reviewed patches have been landed. Closing bug.