* SUMMARY

When spoofing as Firefox 2.0, using the FreeTextBox rich text editor causes a reproducible assertion on debug builds of WebKit.

* STEPS TO REPRODUCE

1. Launch Safari/WebKit with a debug build of WebKit.
2. Set user agent to spoof as Firefox 2.0.0.2.
3. Go to URL: http://freetextbox.com/demos/
4. Click the "Insert Rule" icon once.
5. Click the "Numbered List" icon once.

* RESULTS

Safari/WebKit crashes with an assertion failure.

* REGRESSION

Tested with a local debug build of WebKit r25008 with Safari 3 Public Beta v. 3.0.3 (522.12.1) on Mac OS X 10.4.10 (8R218).

* NOTES

Console output:

ASSERTION FAILED: ec == 0
(/path/to/WebKit/WebCore/dom/Range.cpp:112 WebCore::Range::Range(WebCore::Document*, const WebCore::Position&, const WebCore::Position&))
Segmentation fault

Stack trace:

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x01037c14 WebCore::Range::Range[in-charge](WebCore::Document*, WebCore::Position const&, WebCore::Position const&) + 400 (Range.cpp:112)
1 com.apple.WebCore 0x01220280 WebCore::CompositeEditCommand::moveParagraphs(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool) + 836 (CompositeEditCommand.cpp:706)
2 com.apple.WebCore 0x01220fc4 WebCore::CompositeEditCommand::moveParagraph(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, bool, bool) + 224 (CompositeEditCommand.cpp:683)
3 com.apple.WebCore 0x01383ac0 WebCore::InsertListCommand::doApply() + 4280 (InsertListCommand.cpp:225)
4 com.apple.WebCore 0x012288a8 WebCore::EditCommand::apply() + 460 (EditCommand.cpp:92)
5 com.apple.WebCore 0x01228a24 WebCore::applyCommand(WTF::PassRefPtr<WebCore::EditCommand>) + 116 (EditCommand.cpp:227)
6 com.apple.WebCore 0x01236018 WebCore::(anonymous namespace)::execInsertOrderedList(WebCore::Frame*, bool, WebCore::String const&) + 124 (JSEditor.cpp:364)
7 com.apple.WebCore 0x01236888 WebCore::JSEditor::execCommand(WebCore::String const&, bool, WebCore::String const&) + 212 (JSEditor.cpp:88)
8 com.apple.WebCore 0x0110c100 WebCore::Document::execCommand(WebCore::String const&, bool, WebCore::String const&) + 68 (Document.cpp:2788)
9 com.apple.WebCore 0x012bcc9c WebCore::JSDocumentPrototypeFunction::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 5984 (JSDocument.cpp:622)
10 com.apple.JavaScriptCore 0x0059f3c0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
11 com.apple.JavaScriptCore 0x005bf034 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:791)
12 com.apple.JavaScriptCore 0x005aaf70 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1764)
13 com.apple.JavaScriptCore 0x005a7698 KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2570)
14 com.apple.JavaScriptCore 0x005ab194 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1741)
15 com.apple.JavaScriptCore 0x005abd74 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:321)
16 com.apple.JavaScriptCore 0x005ac6fc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:109)
17 com.apple.JavaScriptCore 0x0059f3c0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
18 com.apple.JavaScriptCore 0x005bf034 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:791)
19 com.apple.JavaScriptCore 0x005aaf70 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1764)
20 com.apple.JavaScriptCore 0x005aadf8 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1783)
21 com.apple.JavaScriptCore 0x005aae7c KJS::IfNode::execute(KJS::ExecState*) + 636 (nodes.cpp:1791)
22 com.apple.JavaScriptCore 0x005a7544 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2564)
23 com.apple.JavaScriptCore 0x005ab194 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1741)
24 com.apple.JavaScriptCore 0x005aadf8 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1783)
25 com.apple.JavaScriptCore 0x005a7544 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2564)
26 com.apple.JavaScriptCore 0x005ab194 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1741)
27 com.apple.JavaScriptCore 0x005abd74 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:321)
28 com.apple.JavaScriptCore 0x005ac6fc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:109)
29 com.apple.JavaScriptCore 0x0059f3c0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
30 com.apple.JavaScriptCore 0x005bf034 KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:791)
31 com.apple.JavaScriptCore 0x005aaf70 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1764)
32 com.apple.JavaScriptCore 0x005aae7c KJS::IfNode::execute(KJS::ExecState*) + 636 (nodes.cpp:1791)
33 com.apple.JavaScriptCore 0x005a7544 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2564)
34 com.apple.JavaScriptCore 0x005ab194 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1741)
35 com.apple.JavaScriptCore 0x005abd74 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:321)
36 com.apple.JavaScriptCore 0x005ac6fc KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:109)
37 com.apple.JavaScriptCore 0x0059f3c0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:98)
38 com.apple.WebCore 0x012c662c WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 760 (kjs_events.cpp:116)
39 com.apple.WebCore 0x0128b0e4 WebCore::EventTargetNode::handleLocalEvents(WebCore::Event*, bool) + 548 (EventTargetNode.cpp:166)
40 com.apple.WebCore 0x0128ba14 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 1036 (EventTargetNode.cpp:207)
41 com.apple.WebCore 0x0128c6cc WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 396 (EventTargetNode.cpp:308)
42 com.apple.WebCore 0x0128c760 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 80 (EventTargetNode.cpp:292)
43 com.apple.WebCore 0x0128d640 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::AtomicString const&, int, int, int, int, int, int, bool, bool, bool, bool, bool, WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 724 (EventTargetNode.cpp:480)
44 com.apple.WebCore 0x0128dea0 WebCore::EventTargetNode::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WebCore::AtomicString const&, int, WebCore::Node*) + 560 (EventTargetNode.cpp:397)
45 com.apple.WebCore 0x014c0208 WebCore::EventHandler::dispatchMouseEvent(WebCore::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) + 212 (EventHandler.cpp:1236)
46 com.apple.WebCore 0x014c0cb4 WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) + 1028 (EventHandler.cpp:1067)
47 com.apple.WebCore 0x014b786c WebCore::EventHandler::mouseUp(NSEvent*) + 500 (EventHandlerMac.mm:523)
48 com.apple.WebKit 0x00353c18 -[WebHTMLView mouseUp:] + 372 (WebHTMLView.mm:3109)
49 com.apple.AppKit 0x937fd900 -[NSWindow sendEvent:] + 4728
50 com.apple.Safari 0x000ab334 0x1000 + 697140
51 com.apple.AppKit 0x937a68d4 -[NSApplication sendEvent:] + 4172
52 com.apple.Safari 0x00016444 0x1000 + 87108
53 com.apple.AppKit 0x9379dd10 -[NSApplication run] + 508
54 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
55 com.apple.Safari 0x0000244c 0x1000 + 5196
56 com.apple.Safari 0x0004f1b0 0x1000 + 319920
I cannot reproduce the reported issue in WebKit r39524.
DOM Range code has been changed a lot since r25008 (for Acid 3 at least), and since FreeTextBox editor now supports Safari (see Bug 14942), I think it's safe to close this. Also, I can't reproduce the assertion failure with a local Debug build of WebKit r39498.