Separate validity and safety invariants in the specification?

[bjorn3]

Violating either is currently considered UB, while safety invariants can be temporarily violated provided that you don't pass it to any function expecting the safety invariants to hold, while violating the validity invariants is unconditionally UB¹. As an example for bool the value being 0 or 1 is a validity invariant, while for str the value being valid UTF-8 is a safety invariant².

Footnotes

1. https://www.ralfj.de/blog/2018/08/22/two-kinds-of-invariants.html ↩

2. https://github.com/rust-lang/reference/pull/792 ↩