There have been similar bugs in browser JITs that allow websites to escape the sandbox - usually incorrect optimisations that cause the JIT to elide bounds checks when it can't safely do so, probably since those are the easiest to exploit.