1. Home
  2. CWE Database
  3. CWE-561
Base · Medium

CWE-561: Dead Code

The product contains dead code, which can never be executed.

CWE-561 · Base Level ·1 CVEs ·1 Mitigations

Description

The product contains dead code, which can never be executed.

Dead code is code that can never be executed in a running program. The surrounding code makes it impossible for a section of code to ever be executed.

Potential Impact

Other

Quality Degradation

Other

Reduce Maintainability

Demonstrative Examples

The condition for the second if statement is impossible to satisfy. It requires that the variables be non-null. However, on the only path where s can be assigned a non-null value, there is a return statement.
Bad
String s = null;if (b) {s = "Yes";return;}
                     if (s != null) {Dead();}
In the following class, two private methods call each other, but since neither one is ever invoked from anywhere else, they are both dead code.
Bad
public class DoubleDead {private void doTweedledee() {doTweedledumb();}private void doTweedledumb() {doTweedledee();}public static void main(String[] args) {System.out.println("running DoubleDead");}}
(In this case it is a good thing that the methods are dead: invoking either one would cause an infinite loop.)
The field named glue is not used in the following class. The author of the class has accidentally put quotes around the field name, transforming it into a string constant.
Bad
public class Dead {
                        String glue;
                           public String getGlue() {return "glue";}
                     }

Mitigations & Prevention

Implementation

Remove dead code before deploying the application.

Detection Methods

  • Architecture or Design Review High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Binary or Bytecode High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Manual Results Interpretation SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Automated Static Analysis - Source Code High — According to SOAR [REF-1479], the following detection techniques may be useful:
  • Dynamic Analysis with Automated Results Interpretation SOAR Partial — According to SOAR [REF-1479], the following detection techniques may be useful:

Real-World CVE Examples

CVE IDDescription
CVE-2014-1266Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-56

CWE-1164: Irrelevant Code

The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects...

Taxonomy Mappings

  • CERT C Secure Coding: MSC07-C — Detect and remove dead code
  • SEI CERT Perl Coding Standard: MSC00-PL — Detect and remove dead code
  • Software Fault Patterns: SFP2 — Unused Entities
  • OMG ASCMM: ASCMM-MNT-20 —

Frequently Asked Questions

What is CWE-561?

CWE-561 (Dead Code) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product contains dead code, which can never be executed.

How can CWE-561 be exploited?

Attackers can exploit CWE-561 (Dead Code) to quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-561?

Key mitigations include: Remove dead code before deploying the application.

What is the severity of CWE-561?

CWE-561 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVEs.