Some context:
- Our HTML parser treats element creation, attribute-parsing, and
"DoneCreatingElement"-calls as being separate operations, and it can yield
between them.
- HTMLInputElement doesn't sanitize its values until DoneCreatingElement has
been called, presumably sanitization itself depends on values (e.g. min/max)
that might not have been parsed yet.
- So if the HTML parser yields at just the right point (before
DoneCreatingElement), then we might generate and reflow a nsRangeFrame whose
underlying values (on the element) haven't yet been sanitized.
This patch handles this situation by exposing a getter to tell us whether
DoneCreatingElement has been called. If that getter returns false, we assume
that value-sanitization hasn't happened, and we disregard the element's
(presumed-to-be-unsanitized) numeric values when determining the
range's thumb-position.
Differential Revision: https://phabricator.services.mozilla.com/D198331