X-Git-Url: https://git.ralfj.de/web.git/blobdiff_plain/7f5e175b23e3681e3601d3717b9d0aa08d579289..51f3cf55b720feb9172a25f401a5577c22467358:/personal/_posts/2018-08-22-two-kinds-of-invariants.md diff --git a/personal/_posts/2018-08-22-two-kinds-of-invariants.md b/personal/_posts/2018-08-22-two-kinds-of-invariants.md index b403c70..785a9fd 100644 --- a/personal/_posts/2018-08-22-two-kinds-of-invariants.md +++ b/personal/_posts/2018-08-22-two-kinds-of-invariants.md @@ -1,5 +1,5 @@ --- -title: "Two Kinds of Invariants" +title: "Two Kinds of Invariants: Safety and Validity" categories: internship rust forum: https://internals.rust-lang.org/t/two-kinds-of-invariants/8264 --- @@ -180,7 +180,7 @@ My gut feeling is that it should not be (i.e., validity should require that `i32 I have talked about two kinds of invariants that come with every type, the safety invariant and the validity invariant. For unsafe code authors, the slogan summarizing this post is: -> *You must always be valid, but you must not always be safe.* +> *You must always be valid, but you must only be safe in safe code.* I think we have enough experience writing unsafe code at this point that we can reasonably discuss which validity invariants make sense and which do not -- and I think that it is high time that we do so, because many unsafe code authors are wondering about these exact things all the time.
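Review bot: the new subtitle "Safety and Validity" matches the terms the body already uses ("the safety invariant and the validity invariant"), so the title change is consistent with the text; note that the file path and the `forum:` URL keep the old `two-kinds-of-invariants` slug, which is the right call, since renaming the post file would change the permalink and break the link to the existing internals thread.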
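Review bot: the revised slogan "you must only be safe in safe code" fixes the misreading of "you must not always be safe" (which sounded like a prohibition), but the placement of "only" leaves a second reading ("in safe code, be only safe"). Consider stating the condition directly, e.g. "You must always be valid, but you only need to be safe where safe code can observe you", so the slogan names the boundary at which unsafe code hands values to safe code as the point where the safety invariant must hold.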