There’s a subtle but important
difference between protected access in unmanaged C++ and protected access (i.e.
family) in the CLR. The difference is due to the CLR’s ability to build
security guarantees on top of type safety.
Imagine you had a bifurcated
hierarchy:
Class
A { protected M }
/
\
Class G :
A Class X :
A
There is no relationship
between X and G, except for the fact that they both derive from A. We
don’t allow X to access A.M on instances of type G and we don’t allow G to
access A.M on instances of type X. Instead, X can only access A.M on
instances of X and instances that are subtypes of X.
The most efficient way
for us to enforce this is to require a cast to X before accessing A.M from any
of X’s methods. Of course, we only require this in verifiable
code.
