Dead Code Detection
Also Known As
unreachable code detection
dead code analysis
unused code finder
TL;DR
Identifying code that can never be executed — unreachable branches, always-true conditions, unused variables — via static analysis or coverage reports.
Explanation
Dead code accumulates over time: unreachable branches after a return or throw, conditions that are always true or false due to type constraints, methods never called from anywhere, and variables written but never read. It increases cognitive load (readers wonder why it exists), masks real logic, and can hide bugs (the 'dead' branch may have been reached and mattered at some point). Detection tools: PHPStan level 4+ reports always-true/false conditions and unreachable code; Psalm's dead-code analysis finds uncalled methods with --find-dead-code; code coverage reports (Xdebug + PHPUnit) highlight never-executed lines. Remove dead code promptly — git history preserves it if needed. Never comment it out: commented code is worse than deleted code.
Common Misconception
✗ IDE warnings are sufficient to catch all dead code. IDEs miss dead code behind dynamic dispatch, unreferenced public methods called via reflection, and code that is conditionally excluded by configuration rather than control flow.
Why It Matters
Automated dead code detection surfaces unreachable code that human review misses — eliminating it reduces attack surface, build times, and the cognitive cost of navigating the codebase.
Common Mistakes
- Relying solely on manual code review to find dead code in large codebases — it scales poorly.
- Not running PHPStan or Psalm at maximum level — lower levels skip unused method and property checks.
- Deleting flagged dead code without checking if it's used via Reflection or dynamic calls like call_user_func.
- Treating dead code warnings as low priority — they often indicate structural problems worth investigating.
Code Examples
✗ Vulnerable
class UserService {
public function getUser(int $id): User { /* used */ }
public function legacyFetch(int $id): User { /* never called — dead */ }
private function internalHelper(): void { /* unreferenced — dead */ }
}
✓ Fixed
// PHP tools that find dead code:
// PHPStan — flags unreachable code and unused methods:
$ vendor/bin/phpstan analyse --level=6 src/
// 'Call to an always-true condition'
// 'Return type is never used'
// Psalm — taint analysis also finds dead paths:
$ vendor/bin/psalm --find-dead-code
// php-dead-code-detector:
$ composer require --dev povils/phpmnd
// IDE support:
// PhpStorm highlights unreachable code, unused private methods in grey
// Git approach — blame + coverage:
// Lines never covered by tests AND never changed in 12 months = candidates
$ vendor/bin/phpunit --coverage-text | grep -v ' 100%'
// Remove dead code — don't comment it out; version control preserves historyTags
🤝 Adopt this term
£79/year · your link shown here
Added
15 Mar 2026
Edited
22 Mar 2026
Views
33
🤖 AI Guestbook educational data only
|
|
Last 30 days
Agents 0
No pings yet today
Amazonbot 8
Perplexity 7
Google 5
Unknown AI 2
Ahrefs 2
Majestic 1
ChatGPT 1
Also referenced
How they use it
crawler 24
crawler_json 1
pre-tracking 1
Related categories
⚡
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Low
⚡ Quick Fix
Run PHPStan level 6+ with the dead code extension — it finds unused methods, unreachable code, and always-false conditions; Rector can auto-remove many of them
📦 Applies To
PHP 7.1+
web
cli
queue-worker
🔗 Prerequisites
🔍 Detection Hints
Private methods never called; code after return/throw; class never instantiated; constant never referenced
Auto-detectable:
✓ Yes
phpstan
psalm
rector
phploc
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Medium
✓ Auto-fixable
Fix: Low
Context: File
Tests: Update
CWE-561