Bug 261815

`in` and `instanceof` expressions in JS ```js a in obj; a instanceof C; ``` can be negated by grouping them and applying the `!` operator, i.e. ```js !(a in obj); !(a instanceof C); ``` Applying the `!` operator incorrectly (on the LHS operand) leads to bugs: ```js !a in obj; // will evaluate to false, unless obj has a "true" or "false" key !a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method ``` For more information, please see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/instanceof#not_an_instanceof and the no-unsafe-negation recommended Eslint rule, https://eslint.org/docs/latest/rules/no-unsafe-negation. I have found several potentially problematic instances of the above bugs in your codebase: `in` bugs: https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5C%27%5C%22%5D%2B+in+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo `instanceof` bugs: https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5D%2B+instanceof+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo