
MethodInfo.Invoke AVs when invoking a method with an 'out void*' parameter #59068

Closed
GrabYourPitchforks opened this issue Sep 13, 2021 · 3 comments

Comments

@GrabYourPitchforks
Member

Minimum repro (compile with /unsafe+):

```csharp
namespace SampleApp
{
    class Program
    {
        // Writes an arbitrary, non-dereferenceable value into an out void* parameter.
        public static unsafe void MyMethod(out void* ptr)
        {
            ptr = (void*)0xdeadbeef;
        }

        public static void Main(string[] args)
        {
            // Invoking via reflection with a one-slot args array for the out parameter
            // crashes with an access violation instead of returning a boxed Pointer.
            typeof(Program).GetMethod("MyMethod").Invoke(null, new object[1]);
        }
    }
}
```

Stack trace:

```text
 # Child-SP          RetAddr               Call Site
00 000000f6`4c97e210 00007ffc`4f2fc5de     System_Private_CoreLib_ni!System.Runtime.CompilerServices.CastHelpers.StelemRef(System.Array, Int32, System.Object)+0x1d [/_/src/coreclr/System.Private.CoreLib/src/System/Runtime/CompilerServices/CastHelpers.cs @ 575]
01 000000f6`4c97e240 00007ffc`4f2ef126     System_Private_CoreLib_ni!System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)+0x12e [/_/src/coreclr/System.Private.CoreLib/src/System/Reflection/RuntimeMethodInfo.cs @ 439]
02 000000f6`4c97e310 00007ffb`effb2abf     System.Reflection.MethodBase.Invoke(System.Object, System.Object[])+0x26
03 000000f6`4c97e350 00007ffc`4fb205c3     SampleApp.Program.Main(System.String[])+0x7f
```

Disasm:

```text
00007ffb`effa7fa9 4863d2          movsxd  rdx,edx
00007ffb`effa7fac 488d44d110      lea     rax,[rcx+rdx*8+10h]
00007ffb`effa7fb1 488b11          mov     rdx,qword ptr [rcx]
00007ffb`effa7fb4 488b5230        mov     rdx,qword ptr [rdx+30h]
00007ffb`effa7fb8 4d85c0          test    r8,r8
00007ffb`effa7fbb 7414            je      System_Private_CoreLib_ni!System.Runtime.CompilerServices.CastHelpers.StelemRef(System.Array, Int32, System.Object)+0x31 (00007ffb`effa7fd1)
00007ffb`effa7fbd 493b10          cmp     rdx,qword ptr [r8] ds:00000000`deadbeef=???????????????? ; <-- illegal dereference here (r8 := 0xdeadbeef)
00007ffb`effa7fc0 7519            jne     System_Private_CoreLib_ni!System.Runtime.CompilerServices.CastHelpers.StelemRef(System.Array, Int32, System.Object)+0x3b (00007ffb`effa7fdb)
00007ffb`effa7fc2 488bc8          mov     rcx,rax
00007ffb`effa7fc5 498bd0          mov     rdx,r8
00007ffb`effa7fc8 4883c428        add     rsp,28h
00007ffb`effa7fcc e98f8ab75f      jmp     coreclr!JIT_WriteBarrier_Callable (00007ffc`4fb20a60)
```

Instead of creating a new Pointer object which wraps the value 0xdeadbeef (as would occur if I were trying to return a void* rather than out a void*), the runtime appears to be trying to read 0xdeadbeef as an object reference or some other legal address. This is incorrect: the runtime should treat this as an opaque value rather than a reference to legitimate data.

Similar to #7430, but I think it's a different underlying issue since the reflection stack is trying to set an element on the return.

Note that this doesn't work on .NET Framework either. But in the case of .NET Framework, it triggers an MDA:

Managed Debugging Assistant 'FatalExecutionEngineError' : 'The runtime has encountered a fatal error. The address of the error was at 0xacab4158, on thread 0x53e0. The error code is 0xc0000005. This error may be a bug in the CLR or in the unsafe or non-verifiable portions of user code. Common sources of this bug include user marshaling errors for COM-interop or PInvoke, which may corrupt the stack.'
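The following is an added example, not code from the issue author or the dotnet/runtime project. It contrasts the two shapes the report mentions: a method that returns a `void*` (which reflection hands back boxed as a `System.Reflection.Pointer`, never dereferenced) and a method with an `out void*` parameter (the shape that crashes). The `SafeInvoke` class, `HasByRefPointerParameter` and `InvokeGuarded` are hypothetical helper names; they show how a reflection-driven host (plugin loader, test runner, serializer) can detect a by-reference pointer parameter up front and refuse the call rather than let `Invoke` take down the whole process.

```csharp
using System;
using System.Reflection;

namespace SampleApp
{
    // Hypothetical helper (not from the issue): guards reflection Invoke calls
    // against by-reference pointer parameters, the shape reported in this issue.
    static class SafeInvoke
    {
        // Returning a void* is the supported shape: Invoke boxes it into a Pointer.
        public static unsafe void* ReturnsPointer()
        {
            return (void*)0xdeadbeef;   // constructed value, never dereferenced
        }

        // out void* is the problematic shape from the issue.
        public static unsafe void OutPointer(out void* ptr)
        {
            ptr = (void*)0xdeadbeef;
        }

        // True when any parameter is a by-reference (ref/out/in) pointer type,
        // e.g. the ParameterType "System.Void*&" that out void* produces.
        public static bool HasByRefPointerParameter(MethodBase method)
        {
            foreach (ParameterInfo p in method.GetParameters())
            {
                Type t = p.ParameterType;
                if (t.IsByRef && t.GetElementType().IsPointer)
                    return true;
            }
            return false;
        }

        // Hypothetical guarded wrapper: fail with a managed exception instead of
        // letting the runtime treat the pointer value as an object reference.
        public static object InvokeGuarded(MethodInfo method, object target, object[] args)
        {
            if (HasByRefPointerParameter(method))
                throw new NotSupportedException(
                    "Refusing to invoke " + method.Name + ": it has a by-reference pointer parameter.");
            return method.Invoke(target, args);
        }

        public static unsafe void Main()
        {
            // Supported shape: the boxed result is a System.Reflection.Pointer and
            // Pointer.Unbox recovers the raw value without touching the memory it names.
            MethodInfo ret = typeof(SafeInvoke).GetMethod(nameof(ReturnsPointer));
            object boxed = ret.Invoke(null, null);
            Console.WriteLine(boxed.GetType());               // System.Reflection.Pointer
            void* raw = Pointer.Unbox(boxed);
            Console.WriteLine(((ulong)raw).ToString("x"));     // deadbeef

            // Problematic shape: detected before Invoke runs, so the process survives.
            MethodInfo outp = typeof(SafeInvoke).GetMethod(nameof(OutPointer));
            Console.WriteLine(HasByRefPointerParameter(outp)); // True
            try
            {
                InvokeGuarded(outp, null, new object[1]);
            }
            catch (NotSupportedException e)
            {
                Console.WriteLine(e.Message);
            }
        }
    }
}
```

Compile with unsafe code enabled (`/unsafe+` or `<AllowUnsafeBlocks>true</AllowUnsafeBlocks>`). The check is deliberately placed on the caller's side: an unhandled access violation cannot be caught by managed code, so for a host that invokes untrusted or unknown methods through reflection, rejecting the signature beforehand is the only place a mitigation can live until the runtime fix lands.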

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Sep 13, 2021
@MichalStrehovsky
Member

Looks like a duplicate of #10842.

@joperezr
Member

Setting milestone as 7.0 since this doesn't appear to be a regression.

@joperezr joperezr removed the untriaged New issue has not been triaged by the area owner label Sep 14, 2021
@joperezr joperezr added this to the 7.0.0 milestone Sep 14, 2021
@steveharter
Member

Closing as a duplicate.

@ghost ghost locked as resolved and limited conversation to collaborators Aug 13, 2022