In my comments Pavel ask:
How does the CLR decide if a given AV should be converted to a NullReferenceException or not?
Jonathan Keljo the PM in charge of the CLR exception story tells me that in v1 and v1.1, all AV's, regardless of the target address, are converted to NullReferenceExceptions. We had the same concerns that Pavel raises about this, so in a future version we are considering changing this. One idea we are looking into is that CLR will try to look at the target address and make a best effort to use the new AccessViolationException instead of NullReferenceException for the corrupting ones. This can only be a best effort because on some OSes, in some situations, we may not be able to tell (for example Win9x doesn't tell us the address of the bad access).
What do you think? Good idea?