I attached a trivial testcase to reproduce the leak.

Short version here:

    var queue = [];
    for (var i = 0; i < 1000; i++) {
        queue.unshift(5);
        queue.splice(0, 1);
    }

This code creates an array, and then adds an element to it and cuts out an array of length 1 starting from the element number 0. The last two steps are repeated 1000 times.

V4 utilizes all available memory and crashes.

300 iterations produce ~200 MiB memory usage for me.
350 iterations — ~1.5 GiB.
360 iterations — ~3.1 GiB.

Update:

Actually, unshift-pop produces the same behavior (memleak), unshift-shift does not.

unshift-pop — bad
unshift-splice — bad
unshift-shift — ok
push-pop — ok
push-splice — ok
push-shift — ok

So, the memleak could be reproduced even with

var queue = [];
for (var i = 0; i < 1000; i++) {
    queue.unshift(5);
    queue.pop();
}