There is an overflow when reversing arrays in Chakra. On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array.
51efc1a7f671ca4ab3f0714c3f5a4fe110049441aaaf858fda262b78d884d718