- Bug
- Resolution: Done
- P1: Critical
- 5.13.2
- 49cf23bd2a14e2ca7236b261d7960588f07f5a0b (qt/qtdeclarative/5.14)

Performing Array.includes on a sufficiently large array crashes the engine by overflowing the engine stack into one of the guard pages.
let arr = new Array(10000000);
arr.includes(42);
This happens because method_includes (at qv4arrayobject.cpp:1053) turns every object in the array into a ScopedValue, and never cleans it up in between even though the object no longer necessarily needs to stay alive once method_includes is done with it (the ScopedValue itself is of course destroyed, but cleanup of the stack only happens when the underlying Scope goes away).
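
A minimal model of the stack growth described above, added here as an illustration; it is not code from qtdeclarative. `Engine`, `Scope` and the function names are hypothetical, an `int` stands in for a JS value, and the reused-slot variant shows one general way to keep stack use constant, not necessarily what the referenced commit does.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Toy model (hypothetical names): a fixed-size value stack with scope-based cleanup.
struct Engine {
    std::vector<int> stack;    // stands in for the engine's JS value stack
    std::size_t top = 0;       // next free slot
    explicit Engine(std::size_t slots) : stack(slots) {}
};
struct Scope {
    Engine &e;
    std::size_t mark;          // stack top to restore when the scope goes away
    explicit Scope(Engine &en) : e(en), mark(en.top) {}
    ~Scope() { e.top = mark; } // the only place slots are released
    int *alloc() {             // a real engine would hit a guard page instead of throwing
        if (e.top == e.stack.size()) throw std::overflow_error("value stack exhausted");
        return &e.stack[e.top++];
    }
};

// Pattern from the report: one new slot per element, released only at scope end.
bool includesSlotPerElement(Engine &e, const std::vector<int> &arr, int needle) {
    Scope scope(e);
    for (int v : arr) {
        int *slot = scope.alloc();   // stack use grows with arr.size()
        *slot = v;
        if (*slot == needle) return true;
    }
    return false;
}
// Constant stack use: allocate one slot before the loop and overwrite it.
bool includesReusedSlot(Engine &e, const std::vector<int> &arr, int needle) {
    Scope scope(e);
    int *slot = scope.alloc();
    for (int v : arr) {
        *slot = v;
        if (*slot == needle) return true;
    }
    return false;
}

// True if the slot-per-element variant exhausts a stack of `slots` entries on n elements.
bool slotPerElementOverflows(std::size_t slots, std::size_t n) {
    Engine e(slots);
    std::vector<int> arr(n, 0);      // constructed input, no match for the needle
    try { includesSlotPerElement(e, arr, 42); } catch (const std::overflow_error &) { return true; }
    return false;
}
```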