The vulnerability as documented in ISO/IEC 24772-1 clause 6.26 exists in C++ in function bodies compiled into the target program.
This clause does not consider other parts of the C++ source that do not result in the generation of code, such as: - discarded statements that are intentionally unreachable, e.g., through branches of the if constexpr'{.cpp} statement. - commented out code; - a function deactivated with=delete`{.cpp}; - an uninstantiated template; - code excluded using the C++ preprocessor.
An instantiated template follows the same reachability rules as would be followed for the non-template case.
C++ overload resolution rules can cause confusion (see 6.21 Namespace issues[BJL]). To prevent the selection of an unintented overload, a function can be defined with =delete. C++ provides std::unreachable() to mark branches that are intentionally dead, but care is necessary since calling std::unreachable() at runtime is undefined behaviour.
To avoid the vulnerability or mitigate its ill effects, C++ software developers can:
= deleteif constexpr or static_assert to force compile-time processing.std::unreachable() to document code as intentionally deactivated.