Thanks for this - I was a bit worried about this myself but the one-liner for #1691 seemed too good to pass up on :)

x = [undefined]
x.pop()

This one especially looks big and is something I'm very surprised hasn't been found before.

It seems like the solution may be to add a new variable type that causes a referenceerror when accessed, and to then use that in jspGetNamedVariable if the variable is not found. It's not ideal as it causes another allocation every time a new variable is written to, but I guess that is actually reasonable rare in well-written code anyway.

I think fixing specifically the arguments case solved the majority of real cases of this bug though, so thanks for that fix.

Btw the way ES handles this is by having the named reference be a pair of name and parent value, instead of name and child value. This way, the parent can't be freed until the reference is forced to a value. But the approach of introducing a new kind of var for ReferenceErrors sounds easier to integrate with existing code.

What about just calling jsExceptionHere at the site where a reference error would be created, instead of using jsvCheckReferenceError?

What about just calling jsExceptionHere at the site where a reference error would be created

I'm not sure I understand? Because of the parsing, you get an ID, for instance foo, and you don't know if it's from: print(foo) or print(foo=3) when you hit it. It's not as easy as just creating the error as soon as you come across the ID

Ah, that makes sense. Thanks for explaining

Also seen with g.theme: http://forum.espruino.com/conversations/367936/#comment16178913

Looks like this got mostly fixed.

({a: undefined})['a']

Would seem to still be a problem though