Put inline caching is semantically incorrect in some cases with poly proto. See https://bugs.webkit.org/show_bug.cgi?id=208261. We sometimes continue to cache a setter, even though it has changed the prototype chain. Additional cases to consider are puts involving prototype chains that have static property accessors. This is exposed as a result of 206430 since DefineOwnProperty used to transition to uncacheable dictionary. A - setter for x defines a new setter for x on B | B | C We set (new C).x We first call the setter, then try to figure out what the state of things were before it was called. We see that A's setter still exists, so we cache it without ever checking that B has a setter now too. In the code, A = target, C = base. Get is correct because it collects caching information before any calls.