nagisa / rust_libloading

Bindings around the platform's dynamic library loading primitives with greatly improved memory safety.

Home Page: https://docs.rs/libloading

`Symbol::<'lib, T>::into_raw()` is not unsafe

yshui opened this issue · comments

If a raw symbol is created and never used, it's impossible to cause undefined behavior, even if the library is unloaded - creating a raw symbol isn't unsafe, using it is.

So, the somewhat unfortunate thing is that there’s no other place to put an unsafe for using an os::*::Symbol – this today happens through a Deref. And so there must be some location that imposes an invariant of not using the contents of the os::*::Symbol past the point when the Library is unloaded.

For os::*::Library this is part of its get method, however the top-level Library and Symbol both prevent this class of mistakes, and so the only reasonable location to surface this invariant is in into_raw.

Hopefully that makes sense?

(NB: this is largely closely related to #13 – yes Symbol should not implement a Deref, but as far as I’m aware there isn’t a viable alternative in today’s Rust)

Hmm, I think I understand your point. So in Symbol<T>, if there is a way to force T to be a raw pointer/unsafe function pointer, would that solve this dilemma?

Actually, since Library::get is already unsafe, could we say if the user assigned T a safe type, it's their mistake?