Dead Code Finder: The Hard Reality of Static Analysis

I built a tool for a hackathon to find dead code. The goal was simple. Find code that nothing calls.

I did not want to know what breaks if you delete code. I wanted to know if anything calls a specific piece of code at all.

I called it Dead Code Finder. It uses a knowledge graph to look for calls and imports. It sorts every finding into three categories:

  • Confident: Zero incoming edges and not an entry point.
  • Uncertain: Cases like inheritance where static analysis is not enough.
  • Skipped: Things like decorators or test frameworks that the tool cannot resolve.

I followed one strict rule. Never say code is safe to delete. The report only says no reference was found in the graph.

The project was harder than I expected. I ran into two main problems with the platform:

  1. Missing Tools: The graph tools were missing during runtime even though they were in the config.
  2. Unreliable Injection: The system sometimes failed to provide the full logic for the agent.

I fixed this by building a fallback mode. If the graph tools are missing, the tool reads the actual files in the repository. It uses file searches to find references. If it uses this method, it marks findings as inferred.

I also had to fix logic errors for specific cases:

  • Dunder methods: Methods like `__init__` often show zero incoming edges because the graph links the call to the class instead of the method. I fixed this by checking the enclosing class.
  • Decorators: Functions called via string lookups in a dictionary look dead to a static graph. I moved these to the Skipped bucket.
  • Tests: Test frameworks find methods through reflection. These also go into the Skipped bucket.
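The three buckets and the special-case rules above, as an added example rather than the Dead Code Finder's own code. The symbol table, edge set, and flag names are constructed for illustration; edges are (caller, callee) pairs from a graph, or from file search in fallback mode, in which case findings are labelled as inferred.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Symbol:
    name: str                        # qualified name, e.g. "Repo.__init__"
    enclosing_class: Optional[str] = None
    overrides: Optional[str] = None  # base-class method this one overrides
    is_entry: bool = False           # e.g. a CLI main() or framework hook
    decorated: bool = False          # registered via decorator / string lookup
    is_test: bool = False            # discovered by a test framework via reflection

def classify(symbols, edges, inferred=False):
    """Return {name: (bucket, note)} for the three buckets in the post."""
    incoming = {}
    for _, callee in edges:
        incoming[callee] = incoming.get(callee, 0) + 1
    report = {}
    for s in symbols:
        if s.decorated:
            report[s.name] = ("skipped", "decorator/string lookup not resolvable")
            continue
        if s.is_test:
            report[s.name] = ("skipped", "test framework uses reflection")
            continue
        refs = incoming.get(s.name, 0)
        short = s.name.rsplit(".", 1)[-1]
        # Dunder rule: the graph attaches Repo() to the class, not to __init__,
        # so references to the enclosing class count for the dunder method.
        if short.startswith("__") and short.endswith("__") and s.enclosing_class:
            refs += incoming.get(s.enclosing_class, 0)
        if refs or s.is_entry:
            report[s.name] = ("referenced", f"{refs} incoming edge(s)")
        elif s.overrides and incoming.get(s.overrides, 0):
            # Inheritance: the base method is called, so dynamic dispatch may
            # reach this override even with zero direct edges.
            report[s.name] = ("uncertain", f"may be dispatched via {s.overrides}")
        else:
            how = "file search" if inferred else "graph"
            report[s.name] = ("confident", f"no reference found in {how}")
    return report

SYMBOLS = [  # constructed sample repository, not real data
    Symbol("main", is_entry=True),
    Symbol("Repo.__init__", enclosing_class="Repo"),
    Symbol("Repo.load", enclosing_class="Repo"),
    Symbol("Repo.old_sync", enclosing_class="Repo"),
    Symbol("Base.run", enclosing_class="Base"),
    Symbol("Child.run", enclosing_class="Child", overrides="Base.run"),
    Symbol("handle_ping", decorated=True),
    Symbol("test_load", is_test=True),
]
EDGES = {("main", "Repo"), ("main", "Repo.load"), ("main", "Base.run")}
```

Note that the "confident" note still only says no reference was found, never that the code is safe to delete.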

The results were reliable. My fallback mode correctly identified dead code and matched the real graph data. It also correctly labeled uncertain cases like inheritance.

Lessons learned:

  • Confirm available tools before writing logic that depends on them.
  • A report that says "I do not know" is better than a report that is confidently wrong.
  • Labeling uncertainty makes your confident findings worth acting on.

Source: https://dev.to/hereforlolz/dead-code-finder-gitlab-orbit-based-static-analysis-that-turned-out-to-be-harder-than-expected-4jgk