Aikido
Start for Free
No CC required
Rules

How to identify and remove unreachable dead code

Readability

Published on:
December 16, 2025
Last updated on:
December 16, 2025
Rule
Remove unreachable dead code
Unreachable code is confusing, 
untestable, and should be removed.

Supported languages: 45+

Introduction

Unreachable code signals broken logic in your codebase. Code after return or throw statements was written to execute but never runs. Conditions that are always false hide validation or error handling that never triggers. Branches that logic never reaches due to control flow contain functionality that can't execute. When you find unreachable code, you've found a bug where your code isn't doing what it was intended to do.

Why it matters

Security vulnerabilities: Unreachable security checks don't protect your application. If authentication, authorization, or input validation appears after a return statement, your code looks secure but isn't. Attackers can exploit functions that appear to have security measures but actually bypass them. Code review might miss these vulnerabilities because the security logic exists in the codebase, just never executes.

Logic bugs in production: Dead code means your function isn't implementing the logic you think it is. Validation that never runs lets invalid data through. Error handling that's unreachable means errors propagate uncaught. Business rules that are bypassed produce incorrect results. The code looks correct but behaves differently than intended.Testing gaps: Unreachable code can't be tested. If your test suite passes despite critical code being unreachable, it means you don't have tests covering those paths. Unreachable code reveals gaps in your test coverage where important logic exists but has no tests verifying it runs.

Bundle size impact: Unreachable code still ships to users as dead weight in your JavaScript bundle. Users download and parse code that never runs, but this is secondary to the logic bugs that dead code indicates.

Code examples

❌ Non-compliant:

function transferFunds(fromAccount, toAccount, amount) {
    if (!fromAccount || !toAccount) {
        return { success: false, error: 'Invalid accounts' };
    }

    if (amount <= 0) {
        return { success: false, error: 'Invalid amount' };
        logSuspiciousActivity(fromAccount, amount);
    }

    const balance = getBalance(fromAccount);
    if (balance >= amount) {
        deductFunds(fromAccount, amount);
        addFunds(toAccount, amount);
        return { success: true };
    }

    return { success: false, error: 'Insufficient funds' };

    // Check for fraud patterns
    if (isHighRiskTransaction(fromAccount, toAccount, amount)) {
        notifyFraudTeam(fromAccount, toAccount, amount);
        return { success: false, error: 'Transaction blocked' };
    }
}

Why it's wrong: The fraud detection logic never runs because the function returns before reaching it. The suspicious activity logging after the amount check also never executes. This function looks like it has security measures but actually processes all transfers without fraud checks.

✅ Compliant:

function transferFunds(fromAccount, toAccount, amount) {
    if (!fromAccount || !toAccount) {
        return { success: false, error: 'Invalid accounts' };
    }

    if (amount <= 0) {
        logSuspiciousActivity(fromAccount, amount);
        return { success: false, error: 'Invalid amount' };
    }

    if (isHighRiskTransaction(fromAccount, toAccount, amount)) {
        notifyFraudTeam(fromAccount, toAccount, amount);
        return { success: false, error: 'Transaction blocked' };
    }

    const balance = getBalance(fromAccount);
    if (balance >= amount) {
        deductFunds(fromAccount, amount);
        addFunds(toAccount, amount);
        return { success: true };
    }

    return { success: false, error: 'Insufficient funds' };
}

Why this matters: All security checks execute before processing the transfer. Fraud detection runs on every transaction. Suspicious activity gets logged. The function implements the security logic it appears to have.

Conclusion

Unreachable code indicates bugs in your logic where intended functionality never executes. Find it with static analysis tools in your CI pipeline and treat it as a critical issue, not just code cleanup. When you discover unreachable code, investigate why it exists and what logic was supposed to run but doesn't.

Jump to:
Text Link
<div class="toc-wrap"><a class="toc" name=":zap:Part I: Sales Cycle with Potential Lead" fs-toc-element="link"></a></div>

Apply this rule on your repo

Try for free
No card required
Book a demo
Share:

www.aikido.dev/code-quality-rules/how-to-identify-and-remove-unreachable-dead-code-2

FAQs

Got Questions?

How do I identify unreachable code in large codebases?

Static analysis tools detect obvious cases like code after return or throw statements. For complex cases, use code coverage tools during testing. Code showing zero coverage across comprehensive test suites is likely unreachable, though you should verify manually since it might just be untested.

What about code after early returns in try-catch blocks?

Code after return in a try block but before finally is unreachable. The finally block always executes even after returns. A common bug is placing cleanup code after return in a try block instead of in finally where it would actually run.

Can unreachable code cause runtime errors?

Unreachable code IS the error. It means critical logic that should run doesn't execute. If your unreachable code contains validation, security checks, or error handling, your function is broken even though it doesn't throw exceptions. The bug is that intended functionality never runs, not that unreachable code crashes.

What about feature flags and conditional compilation?

Code behind disabled feature flags is still reachable at runtime even if disabled in your environment. True unreachable code is structurally impossible to execute due to control flow. Feature-flagged code is conditionally reachable and should stay until you remove the feature completely.

Should I remove unused functions and imports?

Yes, but that's a different problem. Unreachable code is structurally impossible to execute within its function due to control flow. Unused functions are callable but never invoked. Both waste resources, but they require different detection strategies. Unreachable code detection works at the function level, while unused code detection requires whole-program analysis.

Related rules

December 17, 2025
Vulnerabilities & Threats

The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security

A deep dive into a GitHub security flaw where forked commits let attackers spoof dependencies. Understand the commit SHA issue and why package managers need API-level protection.

#Software Supply Chain Security

#Malware

#open-source

#NPM

#Dependencies

December 15, 2025
Product & Company Updates

SAST in the IDE is now free: Moving SAST to where development actually happens

Run free SAST scans directly in your IDE with real-time feedback and project-wide visibility. Use the same SAST rules and engine as Aikido, with optional AutoFix for supported findings.

#SAST

#autofix

December 15, 2025
Guides

AI Pentesting in Action: A TL;DV Recap of Our Live Demo

A recap of Aikido’s AI pentesting live demo. See how autonomous agents test real apps, validate findings, generate reports, and enable retesting.

#AI

#Pentesting

Get secure now

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

Start Scanning
No CC required
Book a demo
No credit card required | Scan results in 32secs.