js::LinearStringHasLatin1Chars just checks a flag and doesn't run, at that point, code changed in bug 1578339.
js::GetLatin1LinearStringChars doesn't run code changed there, either. So if bug 1578339 is to blame, we'd need a story of how bug 1578339 caused creation of the string in a bogus state.
I re-read the patches for bug 1578339 and, AFAICT, nothing in these changes the coupling of the bit flag and the storage type. Also, with one exception, the memory allocations aren't changed. Considering the fuzzing and other usage history of the relevant Rust code, I find it extremely unlikely that any of the operations changed would have written out of their bounds and corrupted something that way.
The one allocation change is this bit that changed the manner of allocation in one case:
But when those two lines have run, the string is no longer a Latin1 string, so with the stacks reported here, those lines should not have run, so a subtle bug there doesn't appear to explain this.