Some obfuscation techniques use unreachable code and dead code variables to clutter the output of a disassembler. The goal of this is to either hinder or slow down the analysis of the code. In the grey code below we can see a basic block of unreachable code.
FlowChart function can we get all the blocks ids and their exit point(s). If all the exit points are saved into a set; we will also have a set of corresponding entry points for other basic blocks. The last block which is usually the function epilogue will not have an exit point (from a
Notice the last block in the output does not contain an exit point. Since we have all the entry points we now just need to iterate through all the block ids and see if it's id is in the exit point set. All the block ids (except for the function entry point) should be an exit point from another block id. Or simply, all exit points are another blocks entry point. If the block id is not the function entry point and is not entry point from another basic block we know that block is unreachable code. Let's see an example run.
The function needs only one argument which is the address. A second argument can be True or False for colors, and True or False for verbose. unreachable(here(), False, False) would only return a list of tuples (start address, end address) for the unreachable basic block. The code can be easily modified to loop through every function to print out all unreachable code in an executable. Or could be used to highlight functions via a hot-key similar to deroko's color eip redirection script. Just a quick post. Cheers.
 "The IDA SDK's notion of basic block membership within a function is based upon function chunk association and not control flow." - via Rolf on RE Reddit - source