In file usb_dev.c, routine _usb_device_call_service_internal(), which starts at line 231:
On line 239, service_ptr is set to NULL.
service_struct_t* service_ptr = NULL; // line 239
service_ptr is then dereferenced, on lines 248, 251, 255, 258, and 263.
USB_Control_Service(&usb_dev_ptr->usb_framework, event, service_ptr->arg); // line 248
USB_Reset_Service(&usb_dev_ptr->usb_framework, event, service_ptr->arg); // line 251
USB_Suspend_Service(&usb_dev_ptr->usb_framework, event, service_ptr->arg); // line 255
USB_Resume_Service(&usb_dev_ptr->usb_framework, event, service_ptr->arg); // line 258
USB_Error_Service(&usb_dev_ptr->usb_framework, event, service_ptr->arg); // line 263
You get away with it because Freescale processors traditionally have readable (usually read-only) memory starting at address 0x00000000, so the hardware doesn't trap those accesses.
This is really a bad idea, guys.
