...
Code that is executed but fails to perform any action, or that has an unintended effect, most likely results from a coding error and can cause unexpected behavior. Statements or expressions that have no effect should be identified and removed from code. Most modern compilers can warn about code that has no effect.
...
This noncompliant code example demonstrates how dead code can be introduced into a program [Fortify 2013]:
```java
public int func(boolean condition) {
  int x = 0;
  if (condition) {
    x = foo();
    /* Process x */
    return x;
  }
  /* ... */
  if (x != 0) {
    /* This code is never executed */
  }
  return x;
}
```
...
Remediation of dead code requires the programmer to determine not only why the code is never executed but also whether the code should have been executed, and then to resolve that situation appropriately. This compliant solution assumes that the dead code should have executed, and consequently, the body of the first conditional statement no longer ends with a `return`.
```java
public int func(boolean condition) {
  int x = 0;
  if (condition) {
    x = foo();
    /* Process x */
  }
  /* ... */
  if (x != 0) {
    /* This code is now executed */
  }
  return 0;
}
```
...
In this example, the `length()` function is used to limit the number of times the function `string_loop()` iterates. The condition of the `if` statement inside the loop evaluates to `true` when the current index is the length of `str`. However, because `i` is always strictly less than `str.length()`, that can never happen.
```java
public int string_loop(String str) {
  for (int i = 0; i < str.length(); i++) {
    /* ... */
    if (i == str.length()) {
      /* This code is never executed */
    }
  }
  return 0;
}
```
Compliant Solution
Proper remediation of the dead code depends on the intent of the programmer. Assuming the intent is to do something special with the last character in `str`, the conditional statement is adjusted to check whether `i` refers to the index of the last character in `str`.
```java
public int string_loop(String str) {
  for (int i = 0; i < str.length(); i++) {
    /* ... */
    if (i == str.length() - 1) {
      /* This code is now executed */
    }
  }
  return 0;
}
```
...
```java
int p1 = foo();
bar(); /* Removable if bar() lacks side effects */
baz(); /* Removable if baz() lacks side effects */
return p1;
```
...
It is also permissible to temporarily retain dead code that may be needed later. Such cases should be clearly indicated with an appropriate comment.
The presence of code that has no effect can indicate logic errors that may result in unexpected behavior and vulnerabilities. Unused values in code may indicate significant logic errors.
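The following added example (not from the original page or its sources) shows an unused value hiding a logic error in a validation routine: two statements execute but have no effect because `String` is immutable, so the check runs on the unnormalized input. The class name, method names, reserved-name list and sample inputs are all constructed for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class NoEffectDemo {
  // Constructed list of reserved account names (assumption for this example).
  private static final Set<String> RESERVED = Set.of("admin", "root");

  // Flawed: trim() and toLowerCase() return new strings that are discarded.
  // Both statements execute but have no effect on 'name'.
  static boolean isAllowedFlawed(String name) {
    name.trim();
    name.toLowerCase(Locale.ROOT);
    return !RESERVED.contains(name);
  }

  // Corrected: the normalized value is retained and is the value checked.
  static boolean isAllowedFixed(String name) {
    String normalized = name.trim().toLowerCase(Locale.ROOT);
    return !RESERVED.contains(normalized);
  }

  public static void main(String[] args) {
    // Constructed inputs: a normal name, an exact reserved name, and a
    // reserved name that differs only in case and surrounding whitespace.
    String[] samples = {"alice", "admin", " Admin "};
    for (String s : samples) {
      System.out.printf("%-10s flawed=%b fixed=%b%n",
          "[" + s + "]", isAllowedFlawed(s), isAllowedFixed(s));
    }
  }
}
```

The two methods agree on the first two inputs and disagree only on the third, which is why a test suite that lacks a differently cased or padded name will not expose the discarded return values.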
Code and values that have no effect can be detected by suitable static analysis.
Bibliography
...
[Coverity 2007] | Coverity Prevent User's Manual (3.3.0) |
[Fortify 2013] | Code Quality, "Dead Code" |
...