Here's the disassembly from a good build with vanilla gcc 4.8.4. It's basically identical, but it contains 3 extra instructions that are missing from the broken build.
0xf57fe991 <+1729>: mov 0xa0(%ebp),%edx
0xf57fe997 <+1735>: mov 0x84(%esp),%esi // %esi now points to |pn|
0xf57fe99e <+1742>: add $0x18,%edx
0xf57fe9a1 <+1745>: cmpl $0xfe,0x28(%esp) // Compare |hops| with 254 (FREE_LEVEL - 1)
0xf57fe9a9 <+1753>: mov %al,0x2(%esi) // Calls pn->SetOp(op)
0xf57fe9ac <+1756>: mov 0x34(%esp),%eax // %eax now contains |slot|
0xf57fe9b0 <+1760>: ja 0xf57fea10 <js::frontend::BytecodeEmitter::tryConvertFreeName(js::frontend::ParseNode*)+1856> // Jump if |hops| > 254
0xf57fe9b2 <+1762>: cmp $0xffffff,%eax // Compare |slot| with 0xffffff
0xf57fe9b7 <+1767>: ja 0xf57fe9f9 <js::frontend::BytecodeEmitter::tryConvertFreeName(js::frontend::ParseNode*)+1833> // Jump if |slot| > 0xffffff
0xf57fe9b9 <+1769>: mov 0x84(%esp),%esi // %esi now points to |pn|
0xf57fe9c0 <+1776>: shl $0x8,%eax // Left shift new |slot| value by 8-bits
// These next 3 instructions are missing in the broken build
0xf57fe9c3 <+1779>: mov $0x1,%edi
0xf57fe9c8 <+1784>: movzbl 0x28(%esp),%edx // %edx now contains |hops|
0xf57fe9cd <+1789>: mov %dl,0x20(%esi) // Save |hops| in to |level_| in pn->pn_u.name.cookie
0xf57fe9d0 <+1792>: mov %eax,%edx // %edx now contains |slot|
0xf57fe9d2 <+1794>: movzbl 0x20(%esi),%eax // Load |level_| from pn->pn_u.name.cookie in to %eax
0xf57fe9d6 <+1798>: or %edx,%eax // %eax now contains the bitwise-OR of |level_| and new |slot| value
0xf57fe9d8 <+1800>: mov %eax,0x20(%esi) // Save the new values to |level_| and |slot_| in pn->pn_u.name.cookie
Here's the disassembly from a good build with vanilla gcc 4.8.4. It's basically identical, but it contains 3 extra instructions that are missing from the broken build.
0xf57fe991 <+1729>: mov 0xa0(%ebp),%edx :BytecodeEmitte r::tryConvertFr eeName( js::frontend: :ParseNode* )+1856> // Jump if |hops| > 254 :BytecodeEmitte r::tryConvertFr eeName( js::frontend: :ParseNode* )+1833> // Jump if |slot| > 0xffffff
0xf57fe997 <+1735>: mov 0x84(%esp),%esi // %esi now points to |pn|
0xf57fe99e <+1742>: add $0x18,%edx
0xf57fe9a1 <+1745>: cmpl $0xfe,0x28(%esp) // Compare |hops| with 254 (FREE_LEVEL - 1)
0xf57fe9a9 <+1753>: mov %al,0x2(%esi) // Calls pn->SetOp(op)
0xf57fe9ac <+1756>: mov 0x34(%esp),%eax // %eax now contains |slot|
0xf57fe9b0 <+1760>: ja 0xf57fea10 <js::frontend:
0xf57fe9b2 <+1762>: cmp $0xffffff,%eax // Compare |slot| with 0xffffff
0xf57fe9b7 <+1767>: ja 0xf57fe9f9 <js::frontend:
0xf57fe9b9 <+1769>: mov 0x84(%esp),%esi // %esi now points to |pn|
0xf57fe9c0 <+1776>: shl $0x8,%eax // Left shift new |slot| value by 8-bits
// These next 3 instructions are missing in the broken build u.name. cookie
0xf57fe9c3 <+1779>: mov $0x1,%edi
0xf57fe9c8 <+1784>: movzbl 0x28(%esp),%edx // %edx now contains |hops|
0xf57fe9cd <+1789>: mov %dl,0x20(%esi) // Save |hops| in to |level_| in pn->pn_
0xf57fe9d0 <+1792>: mov %eax,%edx // %edx now contains |slot| u.name. cookie in to %eax u.name. cookie
0xf57fe9d2 <+1794>: movzbl 0x20(%esi),%eax // Load |level_| from pn->pn_
0xf57fe9d6 <+1798>: or %edx,%eax // %eax now contains the bitwise-OR of |level_| and new |slot| value
0xf57fe9d8 <+1800>: mov %eax,0x20(%esi) // Save the new values to |level_| and |slot_| in pn->pn_