expand post title

[web.git] / ralf / _posts / 2018-08-22-two-kinds-of-invariants.md

diff --git a/ralf/_posts/2018-08-22-two-kinds-of-invariants.md b/ralf/_posts/2018-08-22-two-kinds-of-invariants.md
index b403c70b1f58d38eb5cbde43728c310d6a4aa12e..785a9fd9efd311b382255f1b7a27935127f6ca85 100644 (file)
--- a/ralf/_posts/2018-08-22-two-kinds-of-invariants.md
+++ b/ralf/_posts/2018-08-22-two-kinds-of-invariants.md
@@ -1,5 +1,5 @@
 ---
-title: "Two Kinds of Invariants"
+title: "Two Kinds of Invariants: Safety and Validity"
 categories: internship rust
 forum: https://internals.rust-lang.org/t/two-kinds-of-invariants/8264
 ---
@@ -180,7 +180,7 @@ My gut feeling is that it should not be (i.e., validity should require that `i32
 I have talked about two kinds of invariants that come with every type, the safety invariant and the validity invariant.
 For unsafe code authors, the slogan summarizing this post is:
 
-> *You must always be valid, but you must not always be safe.*
+> *You must always be valid, but you must only be safe in safe code.*
 
 I think we have enough experience writing unsafe code at this point that we can reasonably discuss which validity invariants make sense and which do not -- and I think that it is high time that we do so, because many unsafe code authors are wondering about these exact things all the time.