From 15961d24c35a51201591639917e3f94efdb9c4a4 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 25 Aug 2018 16:59:09 +0200 Subject: [PATCH 1/1] only must --- ralf/_posts/2018-08-22-two-kinds-of-invariants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ralf/_posts/2018-08-22-two-kinds-of-invariants.md b/ralf/_posts/2018-08-22-two-kinds-of-invariants.md index c54a010..34f33bb 100644 --- a/ralf/_posts/2018-08-22-two-kinds-of-invariants.md +++ b/ralf/_posts/2018-08-22-two-kinds-of-invariants.md @@ -185,7 +185,7 @@ My gut feeling is that it should not be (i.e., validity should require that `i32 I have talked about two kinds of invariants that come with every type, the safety invariant and the validity invariant. For unsafe code authors, the slogan summarizing this post is: -> *You must always be valid, but you must only be safe in safe code.* +> *You must always be valid, but you only must be safe in safe code.* I think we have enough experience writing unsafe code at this point that we can reasonably discuss which validity invariants make sense and which do not -- and I think that it is high time that we do so, because many unsafe code authors are wondering about these exact things all the time. -- 2.30.2