The documentation for ReferenceCountedArray::removeRange() says If the range extends beyond the bounds of the array, it will be safely clipped to the size of the array. However no clipping is done and it crashes.
TriviallyCopyable::removeElementsInternal ends up getting called and no bounds checking gets done before it calls memmove.