Bug 261815

`in` and `instanceof` expressions in JS
```js
a in obj;
a instanceof C;
```
can be negated by grouping them and applying the `!` operator, i.e.

```js
!(a in obj);
!(a instanceof C);
```

Applying the `!` operator incorrectly (on the LHS operand) leads to bugs:
```js
!a in obj; // will evaluate to false, unless obj has a "true" or "false" key
!a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method
```
For more information, please see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/instanceof#not_an_instanceof and the no-unsafe-negation recommended Eslint rule, https://eslint.org/docs/latest/rules/no-unsafe-negation.

I have found several potentially problematic instances of the above bugs in your codebase:

`in` bugs:
https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5C%27%5C%22%5D%2B+in+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo

`instanceof` bugs:
https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5D%2B+instanceof+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo