Some errors, such as out-of-range values, might be the result of erroneous user input. Interactive programs typically handle such errors by rejecting the input and prompting the user for an acceptable value. Servers reject invalid user input by indicating an error to the client while at the same time continuing to service other clients' valid requests. All robust programs must be prepared to gracefully handle resource exhaustion, such as low memory or disk space conditions, at a minimum by preventing the loss of user data kept in volatile storage. Interactive programs may give the user the option to save data on an alternative medium, whereas network servers may respond by reducing throughput or otherwise degrading the quality of service. However, when certain kinds of errors are detected, such as irrecoverable logic errors, rather than risk data corruption by continuing to execute in an indeterminate state, the appropriate strategy may be for the system to quickly shut down, allowing the operator to start it afresh in a determinate state.
ISO/IEC TR 24772:2013, Section 6.39, "Termination Strategy [REU]," [ISO/IEC TR 24772:2013], says:
When a fault is detected, there are many ways in which a system can react. The quickest and most noticeable way is to fail hard, also known as fail fast or fail stop. The reaction to a detected fault is to immediately halt the system. Alternatively, the reaction to a detected fault could be to fail soft. The system would keep working with the faults present, but the performance of the system would be degraded. Systems used in a high availability environment such as telephone switching centers, e-commerce, or other "always available" applications would likely use a fail soft approach. What is actually done in a fail soft approach can vary depending on whether the system is used for safety-critical or security critical purposes. For fail-safe systems, such as flight controllers, traffic signals, or medical monitoring systems, there would be no effort to meet normal operational requirements, but rather to limit the damage or danger caused by the fault. A system that fails securely, such as cryptologic systems, would maintain maximum security when a fault is detected, possibly through a denial of service.
The reaction to a fault in a system can depend on the criticality of the part in which the fault originates. When a program consists of several tasks, each task may be critical, or not. If a task is critical, it may or may not be restartable by the rest of the program. Ideally, a task that detects a fault within itself should be able to halt leaving its resources available for use by the rest of the program, halt clearing away its resources, or halt the entire program. The latency of task termination and whether tasks can ignore termination signals should be clearly specified. Having inconsistent reactions to a fault can potentially be a vulnerability.
C provides several options for program termination, including
exit(), returning from
exit() causes normal program termination to occur. Other than returning from
exit() is the typical way to end a program. The function takes one argument of type
int, which should be either
EXIT_FAILURE, indicating successful or unsuccessful termination respectively. The value of
EXIT_SUCCESS is guaranteed to be 0. The C Standard, subclause 188.8.131.52 [ISO/IEC 9899:2011], says, "If the value of status is zero or
EXIT_SUCCESS, an implementation-defined form of the status successful termination is returned." The
exit() function never returns.
- Flushes unwritten buffered data.
- Closes all open files.
- Removes temporary files.
- Returns an integer exit status to the operating system.
The C Standard
atexit() function can be used to customize
exit() to perform additional actions at program termination.
For example, calling
turn_gizmo_off() function so that a subsequent call to
exit() will invoke
turn_gizmo_off() as it terminates the program. C requires that
atexit() can register at least 32 functions.
Functions registered by the
atexit() function are called by
exit() or upon normal completion of
Note that the behavior of a program that calls
exit() from an
atexit handler is undefined. (See undefined behavior 182 in Annex J of the C Standard. See also ENV32-C. All exit handlers must return normally.)
main() causes normal program termination to occur, which is the preferred way to terminate a program. Evaluating the
return statement has the same effect as calling
exit() with the same argument.
The C Standard, subclause 184.108.40.206.3 [ISO/IEC 9899:2011], has this to say about returning from
If the return type of the
mainfunction is a type compatible with
int, a return from the initial call to the
mainfunction is equivalent to calling the
exitfunction with the value returned by the
mainfunction as its argument; reaching the
}that terminates the
mainfunction returns a value of 0. If the return type is not compatible with
int, the termination status returned to the host environment is unspecified.
Consequently, returning from
main() is equivalent to calling
exit(). Many compilers implement this behavior with something analogous to
However, exiting from
main is conditional on correctly handling all errors in a way that does not force premature termination. (See ERR00-C. Adopt and implement a consistent and comprehensive error-handling policy and ERR05-C. Application-independent code should provide error detection without dictating error handling.)
_Exit() causes normal program termination to occur. Like the
_Exit() takes one argument of type
int and never returns. However, unlike
_Exit() closes open streams, flushes stream buffers, or deletes temporary files is implementation-defined. Functions registered by
atexit() are not executed.
 Note that POSIX strengthens the specification for
_Exit() by prohibiting the function from flushing stream buffers. See the documentation of the function in The Open Group Base Specifications Issue 7, IEEE Std 1003.1, 2013 Edition [IEEE Std 1003.1:2013].
_exit() function is an alias for
abort() causes abnormal program termination to occur unless the
SIGABRT signal is caught and the signal handler calls
_Exit(), whether open streams with unwritten buffered data are flushed, open streams are closed, or temporary files are removed is implementation-defined. Functions registered by
atexit() are not executed. (See ERR06-C. Understand the termination behavior of assert() and abort().)
 Unlike in the case of
_Exit(), POSIX explicitly permits but does not require implementations to flush stream buffers. See the documentation of the function in The Open Group Base Specifications Issue 7, IEEE Std 1003.1, 2013 Edition [IEEE Std 1003.1:2013].
The following table summarizes the exit behavior of the program termination functions.
- – Yes. The specified action is performed.
- – No. The specified action is not performed.
- – Implementation-defined. Whether the specified action is performed depends on the implementation.
Noncompliant Code Example
abort() function should not be called if it is important to perform application-specific cleanup before exiting. In this noncompliant code example,
abort() is called after data is sent to an open file descriptor. The data may or may not be written to the file.
In this compliant solution, the call to
abort() is replaced with
exit(), which guarantees that buffered I/O data is flushed to the file descriptor and the file descriptor is properly closed:
Although this particular example benefits from calling
abort(), in some situations,
abort() is the better choice. Usually,
abort() is preferable when a programmer does not need to close any file descriptors or call any handlers registered with
atexit(), for instance, if the speed of terminating the program is critical.
For more details on proper usage of
abort(), see ERR06-C. Understand the termination behavior of assert() and abort().
As an example, using
_Exit() in place of
exit() may leave written files in an inconsistent state and may also leave sensitive temporary files on the file system.
The library functions abort, exit, getenv and system from library stdlib.h shall not be used
|SEI CERT C++ Coding Standard||VOID ERR04-CPP. Choose an appropriate termination strategy|
|CERT Oracle Secure Coding Standard for Java||FIO14-J. Perform proper cleanup at program termination|
|ISO/IEC TR 24772:2013||Termination Strategy [REU]|
|MITRE CWE||CWE-705, Incorrect control flow scoping|
|[IEEE Std 1003.1:2013]||XSH, System Interfaces, |
|[ISO/IEC 9899:2011]||Subclause 220.127.116.11.3, "Program Termination"|
Subclause 7.22.4, "Communication with the Environment"