Bugs in negated instanceof expressions

[gorosgobe]

in and instanceof expressions in JS

a in obj;
a instanceof C;

can be negated by grouping them and applying the ! operator, i.e.

!(a in obj);
!(a instanceof C);

Applying the ! operator incorrectly (on the LHS operand) leads to bugs:

!a in obj; // will evaluate to false, unless obj has a "true" or "false" key
!a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method

For more information, please see these MDN docs and the no-unsafe-negation recommended Eslint rule.

I have found several potentially problematic instances of the above bugs in your codebase:
https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/chakra-core/ChakraCore%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5D%2B+instanceof+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo

[rhuanjl]

The Sourcegraph link shows errors in 3 of our test files where they will be failing to test what's intended:
test/Array/array_splice.js
test/es5/RegExpStrictDelete.js
test/Array/array_splice_double.js

We should fix these