When CodeFragment::appendAccessVal writes a SlotAccessor* to memory, it incorrectly assumes that the address of the base class (SlotAccessor) subobject and the address of the derived class object (OwnedValueAccessor) are the same (i.e. that the base is at offset 0).
While this is usually true, it is compiler/ABI-dependent behavior, see:
https://en.cppreference.com/w/cpp/language/derived_class
Each direct and indirect base class is present, as base class subobject, within the object representation of the derived class at an ABI-dependent offset. Empty base classes usually do not increase the size of the derived object due to empty base optimization. The constructors of base class subobjects are called by the constructor of the derived class: arguments may be provided to those constructors in the member initializer list.
We should downcast to the proper derived class (OwnedValueAccessor) before writing the pointer to the code fragment, so that the "writeToMemory" call stores the correct address, the one the VM later reinterprets as an OwnedValueAccessor*. Note that sizeof(accessor) does not need to change, since a pointer is the same size whether it points at the base class or at the derived class.
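Added illustration (not MongoDB's code): a hypothetical hierarchy in which a first polymorphic base (Tagged) pushes the SlotAccessor subobject away from offset 0, a minimal CodeFragment stand-in with a byte-copying writeToMemory, and the buggy and fixed forms of appendAccessVal side by side. The names Tagged, CodeFragment::readFromMemory, vmSeesCorrectObject and slotAccessorOffset are assumptions made for this example; the real SBE classes differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Hypothetical stand-ins for the SBE classes (assumption: the real MongoDB
// hierarchy differs). A first polymorphic base pushes the SlotAccessor
// subobject away from offset 0, which is the ABI-dependent layout the
// ticket warns about.
struct Tagged {
    virtual ~Tagged() = default;
    std::uint64_t tag = 0;
};

struct SlotAccessor {
    virtual ~SlotAccessor() = default;
    virtual std::int64_t getValue() const = 0;
};

struct OwnedValueAccessor : Tagged, SlotAccessor {
    explicit OwnedValueAccessor(std::int64_t v) : value(v) {}
    std::int64_t getValue() const override { return value; }
    std::int64_t value;
};

// Minimal stand-in for CodeFragment: raw instruction bytes plus a
// writeToMemory that copies an object's bytes verbatim into the stream.
struct CodeFragment {
    std::vector<std::uint8_t> instrs;

    template <typename T>
    void writeToMemory(const T& v) {
        const auto* p = reinterpret_cast<const std::uint8_t*>(&v);
        instrs.insert(instrs.end(), p, p + sizeof(T));
    }

    template <typename T>
    T readFromMemory(std::size_t offset) const {
        T v;
        std::memcpy(&v, instrs.data() + offset, sizeof(T));
        return v;
    }
};

// Buggy form: stores the base-class address. The VM later reinterprets
// those bytes as an OwnedValueAccessor*, which is only right if the base
// subobject happens to live at offset 0.
void appendAccessValBuggy(CodeFragment& cf, SlotAccessor* accessor) {
    cf.writeToMemory(accessor);
}

// Fixed form: downcast first, so the stored bytes are the derived object's
// address. sizeof(accessor) is unchanged: both are a single pointer.
void appendAccessValFixed(CodeFragment& cf, SlotAccessor* accessor) {
    auto* derived = static_cast<OwnedValueAccessor*>(accessor);
    cf.writeToMemory(derived);
}

// VM side: read the pointer back as the derived type and check that it is
// the object that was encoded. Pointers are only compared, never
// dereferenced, so the buggy case is observable without invoking UB.
bool vmSeesCorrectObject(const CodeFragment& cf, const OwnedValueAccessor* expected) {
    const auto* seen = cf.readFromMemory<OwnedValueAccessor*>(0);
    return seen == expected;
}

// Byte distance between an OwnedValueAccessor and its SlotAccessor subobject.
std::ptrdiff_t slotAccessorOffset() {
    OwnedValueAccessor obj(0);
    SlotAccessor* base = &obj;  // implicit upcast adjusts the address
    return reinterpret_cast<char*>(base) - reinterpret_cast<char*>(&obj);
}

bool buggyWriteBreaksVm() {
    OwnedValueAccessor obj(42);
    CodeFragment cf;
    appendAccessValBuggy(cf, &obj);
    return !vmSeesCorrectObject(cf, &obj);
}

bool fixedWriteWorks() {
    OwnedValueAccessor obj(42);
    CodeFragment cf;
    appendAccessValFixed(cf, &obj);
    return vmSeesCorrectObject(cf, &obj);
}

int main() {
    std::cout << "SlotAccessor subobject offset: " << slotAccessorOffset() << " bytes\n"
              << "buggy write misidentifies object: " << buggyWriteBreaksVm() << "\n"
              << "fixed write identifies object:    " << fixedWriteWorks() << "\n";
    return 0;
}
```

With single inheritance under the Itanium ABI the offset is 0 and both forms happen to agree, which is why the bug goes unnoticed; the second base here makes the discrepancy visible, and the same mismatch is what a UBSan build would flag when the VM casts the stored pointer to the wrong dynamic type.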
Issue links:
- is related to SERVER-76896 Investigate devirtualizing slot accessors in SBE VM (Closed)
- related to SERVER-86898 Bazel with Ubsan is passing a series of sanitize options to Clang instead of -fsanitize=undefined (Closed)