Page History

Some errors, such as out-of-range values, might be the result of erroneous user input. Interactive programs typically handle such errors by rejecting the input and prompting the user for an acceptable value. Servers reject invalid user input by indicating an error to the client while at the same time continuing to service other clients' valid requests. All robust programs must be prepared to gracefully handle resource exhaustion, such as low memory or disk space conditions, at a minimum by preventing the loss of user data kept in volatile storage. Interactive programs may give the user the option to save data on an alternative medium, whereas network servers may respond by reducing throughput or otherwise degrading the quality of service. However, when certain kinds of errors are detected, such as irrecoverable logic errors, rather than risk data corruption by continuing to execute in an indeterminate state, the appropriate strategy may be for the system to quickly shut down, allowing the operator to start it afresh in a determinate state.

[ISO/IEC TR 24772]:2013, Section 6.4739, "REU Termination strategy [REU]," [ISO/IEC TR 24772:2013], says:

When a fault is detected, there are many ways in which a system can react. The quickest and most noticeable way is to fail hard, also known as fail fast or fail stop. The reaction to a detected fault is to immediately halt the system. Alternatively, the reaction to a detected fault could be to fail soft. The system would keep working with the faults present, but the performance of the system would be degraded. Systems used in a high availability environment such as telephone switching centers, e-commerce, etc. or other "always available" applications would likely use a fail soft approach. What is actually done in a fail soft approach can vary depending on whether the system is used for safety-critical or security critical purposes. For fail-safe systems, such as flight controllers, traffic signals, or medical monitoring systems, there would be no effort to meet normal operational requirements, but rather to limit the damage or danger caused by the fault. A system that fails securely, such as cryptologic systems, would maintain maximum security when a fault is detected, possibly through a denial of service.

...

The reaction to a fault in a system can depend on the criticality of the part in which the fault originates. When a program consists of several tasks, the tasks each task may be critical, or not. If a task is critical, it may or may not be restartable by the rest of the program. Ideally, a task which that detects a fault within itself should be able to halt leaving its resources available for use by the rest of the program, halt clearing away its resources, or halt the entire program. The latency of any such communication, task termination and whether other tasks can ignore such a communication, termination signals should be clearly specified. Having inconsistent reactions to a fault, such as the fault reaction to a crypto fault , can potentially be a vulnerability.

...

Calling exit() causes normal program termination to occur. Other than returning from main(), calling exit() is the typical way to end a program. The function takes one argument of type int, which should be either EXIT_SUCCESS or EXIT_FAILURE, indicating successful or unsuccessful termination respectively. The value of EXIT_SUCCESS is guaranteed to be zero0. The C Standard, Section 7.22.4.4 [ISO/IEC 9899:2011], says, "If the value of status is zero or EXIT_SUCCESS, an implementation-defined form of the status successful termination is returned." The exit() function never returns.

...

Note that the behavior of a program that calls exit() from an atexit handler is undefined. (See undefined behavior 182 in Annex J of C11the C Standard. See also ENV32-C. All atexit handlers must return normally.)

...

int main(int argc, char **argv) {
  /* ... */
  if (/* something really bad happened */) {
    return EXIT_FAILURE;
  }
  /* ... */
  return EXIT_SUCCESS;
}

The C standardStandard, Section 5.1.2.2.3 [ISO/IEC 9899:2011], has this to say about returning from main() [ISO/IEC 9899:2011]:

If the return type of the main function is a type compatible with int, a return from the initial call to the main function is equivalent to calling the exit function with the value returned by the main function as its argument; reaching the } that terminates the main function returns a value of 0. If the return type is not compatible with int, the termination status returned to the host environment is unspecified.

...

#include <stdlib.h>
/* ... */

if (/* something really bad happened */) {
  _Exit(EXIT_FAILURE);
}

...

As with _Exit(), whether open streams with unwritten buffered data are flushed,^[2] open streams are closed, or temporary files are removed is implementation-defined. Functions registered by atexit() are not executed. (See ERR06-C. Understand the termination behavior of assert() and abort().)

Summary

The following table summarizes the exit behavior of the program termination functions.

Table legend:

• – Yes. The specified action is performed.
• – No. The specified action is not performed.
• – Implementation-defined. Whether the specified action is performed depends on the implementation.

...

#include <stdlib.h>
#include <stdio.h>

int write_data(void) {
  const char *filename = "hello.txt";
  FILE *f = fopen(filename, "w");
  if (f == NULL) {
    /* Handle error */
  }
  fprintf(f, "Hello, World\n");
  /* ... */
  abort(); /* oopsOops! dataData might not be written! */
  /* ... */
  return 0;
}

int main(void) {
  write_data();
  return 0;
}

...

#include <stdlib.h>
#include <stdio.h>

int write_data(void) {
  const char *filename = "hello.txt";
  FILE *f = fopen(filename, "w");
  if (f == NULL) {
    /* Handle error */
  }
  fprintf(f, "Hello, World\n");
  /* ... */
  exit(EXIT_FAILURE); /* writesWrites data &and closes f. */
  /* ... */
  return 0;
}

int main(void) {
  write_data();
  return 0;
}

While Although this particular example benefits from calling exit() over abort(), in some situations, abort() is the better choice. Usually, abort() is preferable when a programmer does not need to close any file descriptors or call any handlers registered with atexit(), for instance, if the speed of terminating the program is critical.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

...

Bibliography

...

...

...

ISO/IEC PDTR 24772 "REU Termination strategy"

MITRE CWE: CWE-705, "Incorrect control flow scoping"

...