Note | ||
---|---|---|
| ||
This rule has been deprecated. It has been merged with: 10/07/2014 -- Version 2.0 |
Code Code within a program that is never executed is known as dead code. The Typically, the presence of dead code often indicates that a logic error has occurred . Typically, this error is an as a result of changes to the a program or assumptions made by the program's environment. Dead code is often identified and usually optimized out dead code of a program during compilation. However, it should be identified, understood, and removed from a program's source code to improve readability and ensure that logic errors are resolved, dead code should be identified, understood, and eliminated.
...
This recommendation is related to MSC12-C. Detect and remove code that has no effect or is never executed.
Noncompliant Code Example
This noncompliant code example , inspired by Fortify demonstrates how dead code can be introduced into a program . Because s
is set to NULL
everything inside [Fortify 2006]. The second conditional statement, if (s)
, will never be executed. It evaluate true because it requires that condition
be non-null, while on s
not be assigned NULL
, and the only path where s
can be assigned a non-null value there is ends with a return
statement.
Code Block | ||||
---|---|---|---|---|
| ||||
int func(int condition) { intchar *s = NULL; if (condition) { s = (char *)malloc(10); if (s == NULL) { /* Handle Error */ } /* insert data into s Process s */ return 0; } /* ... */ if (s) { /* This code is never reached */ } return 0; } |
Compliant Solution
Remediation of dead code requires the programmer to determine why the code is never executed and then to resolve the situation appropriately. To correct the preceding noncompliant code, the return
is removed from the body of the first conditional statement.
Code Block | ||||
---|---|---|---|---|
| ||||
int func(int condition) { char *s = NULL; if (condition) { s = (char *)malloc(10); if (s == NULL) { /* Handle error */ } /* Process s */ } /* ... */ if (s) { /* This code is now reachable */ } return 0; } |
Noncompliant Code Example
In this example, the strlen()
function is used to limit the number of times the function s_loop()
will iterate. The conditional statement inside the loop evaluates to true when the current character in the string is the null terminator. However, because strlen()
returns the number of characters that precede the null terminator, the conditional statement never evaluates true.
Code Block | ||||
---|---|---|---|---|
| ||||
int s_loop(char *s) { size_t i; size_t len = strlen(s); for (i=0; i < len; i++) { /* ... */ if (s[i] == '\0') { /* This code is never reached */ } } return 0; } |
Compliant Solution
Removing the dead code depends on the intent of the programmer. Assuming the intent is to flag and process the last character before the null terminator, the conditional is adjusted to correctly determine if the i
refers to the index of the last character before the null terminator.
Code Block | ||||
---|---|---|---|---|
| ||||
int s_loop(char *s) { size_t i; size_t len = strlen(s); for (i=0; i < len; i++) { /* ... */ if (s[i+1] == '\0') { /* This code is now reached */ } } return 0; } |
Exceptions
Anchor | ||||
---|---|---|---|---|
|
default
label in a switch
statement whose controlling expression has an enumerated type and that specifies labels for all enumerations of the type. (See MSC01-C. Strive for logical completeness.) Because valid values of an enumerated type include all those of its underlying integer type, unless enumeration constants are provided for all those values, the default
label is appropriate and necessary.Code Block | ||||
---|---|---|---|---|
| ||||
typedef enum { Red, Green, Blue } Color; const char* f(Color c) { switch (c) { case Red: return "Red"; case Green: return "Green"; case Blue: return "Blue"; default: return "Unknown color"; /* Not dead code */ } } void g() { Color unknown = (Color)123; puts(f(unknown)); } |
Anchor | ||||
---|---|---|---|---|
|
Risk Assessment
The presence of dead code may indicate logic errors that can lead to unintended program behavior. The ways in which dead code can be introduced into a program and the effort required to remove it can be complex. As a result, resolving dead code can be an in-depth process requiring significant analysis.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC07-C | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| dead-assignemnt dead-initializer | Partially checked and soundly supported. | ||||||
CodeSonar |
| DIAG.UNEX.* | Code not exercised by analysis | ||||||
| DEADCODE
| Can detect the specific instance where code can never be reached because of a logical contradiction or a dead "default" in Can detect the instances where code block is unreachable because of the syntactic structure of the code | |||||||
GCC |
| Can detect violations of this recommendation when the | |||||||
Helix QAC |
| C1501, C1503, C2008, C2877, C2880, C2881, C2882, C2883,C3202, C3203, C3205, C3206, C3207, C3210, C3219, C3229, C3404, C3422, C3423, C3425, C3470 DF2877, DF2880, DF2881, DF2882, DF2883, DF2980, DF2981, DF2982, DF2983, DF2984, DF2985, DF2986 | |||||||
Klocwork |
| LA_UNUSED INVARIANT_CONDITION.UNREACH | |||||||
LDRA tool suite |
| 1 J | Fully implemented | ||||||
Parasoft C/C++test |
| CERT_C-MSC07-a | There shall be no unreachable code in "else" block | ||||||
Polyspace Bug Finder |
| CERT C: Rule MSC07-C | Checks for:
| ||||||
RuleChecker |
| dead-assignemnt | Partially checked | ||||||
SonarQube C/C++ Plugin |
| S1763, S1751 | |||||||
Splint |
| Can detect violations of this recommendation when the |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
CVE-2014-1266 results from a violation of this rule. There is a spurious goto fail
statement on line 631 of sslKeyExchange.c. This goto
statement gets executed unconditionally, even though it is indented as if it were part of the preceding if
statement. As a result, the call to sslRawVerify()
(which would perform the actual signature verification) becomes dead code. [ImperialViolet 2014]
Related Guidelines
SEI CERT C++ Coding Standard | VOID MSC07-CPP. Detect and remove dead code |
ISO/IEC TR 24772 | Unspecified functionality [BVQ] Dead and deactivated code [XYQ] |
MISRA C:2012 | Rule 2.1 (required) |
MITRE CWE | CWE-561, Dead code |
Bibliography
[Fortify 2006] | Code Quality, "Dead Code" |
...