At OffensiveCon 2018 I presented my already a bit dated ASM.JS JIT-Spray research. You can find more information in previous blogposts.
Besides using arithmetic calculations and array elements, another interesting technique to spray payloads is to use float values. Using these values as payload bytes has the advantage that an attacker’s shellcode resides continuous in memory at run time, because the float values are next to each other located in a constant pool. As the payload bytes are not interrupted by disturbing opcodes emitted by the ASM.JS compiler, all eight bytes of a double float constant are usable as payload.
If you are into (over)hyping and naming vulnerabilities you can call it: ConstantDesaster