Value-Set Analysis (BPA)

• Value-Set Analysis (BPA) is a technique that partitions memory into disjoint blocks to conservatively over-approximate pointer value-sets, ensuring sound static analysis.
• It offers scalable indirect control-flow resolution in binary analysis and extends to systematic value classification in business processes under Lean principles.
• Despite its high recall (up to 100%), BPA's conservative over-approximation yields spurious targets, necessitating refinement layers like iResolveX for precise results.

Value-Set Analysis (BPA) provides a scalable and conservative technique for over-approximating the set of possible memory addresses or values that program variables (especially pointers) may take at each program point. Within static binary analysis, block-partitioned value-set analysis (BPA) is central to indirect control-flow resolution. BPA has also been adapted to qualitative assessment in business process contexts under Lean principles as a mechanism for systematic identification and classification of value in process steps.

1. Formal Definition and Abstract Domain

In block-partitioned value-set analysis (BPA), the program address space is partitioned into a finite set $B$ of disjoint memory blocks: text blocks (per function), data blocks (per unique global object), stack blocks (per call frame), and heap blocks (per allocation site) (Santra et al., 25 Jan 2026). The analysis defines a value-set lattice for pointers:

• Value sets: $V \triangleq \mathcal{P}(B)$, the powerset of blocks.
• Partial order: $$\forall X, Y \subseteq B,\ X \sqsubseteq Y \iff X \subseteq Y$$.
• Join (⊔): $X \sqcup Y = X \cup Y$.
• Bottom: $\perp = \varnothing$.
• Top: $\top = B$.

Program state abstraction $\hat{\sigma}$ is modeled as:

$$\hat{\sigma} \in \widehat{\mathrm{State}} = \mathrm{Vars} \to \mathcal{P}(B)$$

where $\mathrm{Vars}$ includes registers and abstract memory cells. For soundness, abstraction ($\alpha$) and concretization ($\gamma$) maps are defined so that $(\alpha, \gamma)$ forms a Galois connection.

2. Transfer Functions and Fixed-Point Computation

Transfer functions operate over abstract states and manage the propagation of value-sets for loads, stores, pointer arithmetic, and indirect calls (Santra et al., 25 Jan 2026):

• Load ($r \leftarrow *p$): Updates $r$ to the union of value-sets stored at all blocks in $\rho(p)$

$$\forall r, p.\ \llbracket r := *p \rrbracket (\rho) = \rho[r \mapsto \bigcup_{b \in \rho(p)} \mathrm{Mem}[b]]$$

• Store ($*p \leftarrow r$): Updates $\mathrm{Mem}[b]$ for $b \in \rho(p)$ by joining with $\rho(r)$.
• Pointer arithmetic ($q \leftarrow p + k$): Block identity is preserved, $\rho[q] = \rho[p]$.
• Indirect call ($\text{call }*q$): Potential targets are all $f \in \rho(q) \cap B_\mathit{entry}$.

Fixed-point iteration employs a standard worklist algorithm. At each program point $\ell$:

1. Remove $\ell$ from the worklist.
2. Apply the transfer function to compute $\hat{\sigma}_\text{out}$.
3. If $$\hat{\sigma}_\text{out} \not\sqsubseteq \hat{\sigma}(\ell.\text{next})$$, update $\hat{\sigma}(\ell.\text{next})$ via join and enqueue successors.

Because the lattice $\mathcal{P}(B)^{|\mathrm{Vars}|}$ is finite-height, termination is guaranteed.

3. Memory Block Partitioning and Analysis Properties

The partitioning of memory into blocks enables scalability and conservative soundness. Key properties include:

• Stack blocks: Each call frame is a distinct block.
• Heap blocks: Each dynamic allocation site receives a unique abstract block.
• Globals/text segements: Each global object and function entry point is treated as a separate block.

Pointer arithmetic is assumed not to cross block boundaries, so offset sensitivity within a block is sacrificed in favor of soundness—if a pointer falls within any block, the entire block is conservatively included as a possible target. This over-approximation is mitigated in subsequent analysis layers as in iResolveX (Santra et al., 25 Jan 2026).

4. Empirical Effectiveness and Soundness Guarantees

BPA guarantees soundness: no real pointer target is omitted. This achieves high recall for static indirect call target recovery ("AICT Recall"):

• On SPEC2006 and real-world binaries, BPA alone achieves average AICT = 195.9 and AICT Recall = 98.2% (Santra et al., 25 Jan 2026).
• On benchmarks such as gobmk-O0 and h264ref-O0, recall reaches 100%.
• However, the over-approximation can yield hundreds of spurious targets per indirect callsite (AICT as high as 884.6), necessitating further refinement for practical use.

This recall guarantee forms the basis for hybrid frameworks like iResolveX, which add learning-augmented refinement layers for precision improvement at minimal recall loss.

Benchmark (O0)	AICT	Recall
bzip2-O0	2.0	100%
h264ref-O0	5.7	100%
gobmk-O0	884.6	100%
perlbench-O0	400.3	99.1%
nginx-O0	444.0	100%

Average: AICT = 195.9 at Recall = 98.2% (Santra et al., 25 Jan 2026).

5. Applications in Business Process and Control-Flow Analysis

While BPA originated in binary/static analysis, analogous value-set frameworks are leveraged in business process analysis (BPA), notably in the context of value-added assessment under Lean principles (Michele et al., 9 Apr 2025). Here, the atomic steps $S$ in a business process are labeled via indicator functions:

• $f_n(s) = 1$ if $s$ directly contributes to customer-valued transformation,
• $f_b(s) = 1$ if $s$ is necessary for business operations but not valued by the customer.

Steps are labeled as:

$$\ell(s) = \begin{cases} \text{VA} & \text{if } f_n(s) = 1 \ \text{BVA} & \text{if } f_n(s) = 0 \wedge f_b(s) = 1 \ \text{NVA} & \text{if } f_n(s) = 0 \wedge f_b(s) = 0 \ \end{cases}$$

where VA = value-adding, BVA = business value-adding, NVA = non-value-adding (waste).

In the LLM-based approach (Michele et al., 9 Apr 2025), the value-set analysis is performed in two phases:

1. Decomposition of activities to atomic steps under structured guidelines.
2. Step-wise classification as VA, BVA, or NVA, with one-sentence justifications and Lean role prompts.

6. Evaluation Metrics and Experimental Findings

Quantitative evaluation of BPA's effectiveness employs precision, recall, and macro-F1 per value category (VA, BVA, NVA):

• $precision_c = \frac{TP_c}{TP_c + FP_c}$
• $recall_c = \frac{TP_c}{TP_c + FN_c}$
• $$F1_c = 2 \cdot \frac{precision_c \cdot recall_c}{precision_c + recall_c}$$
• $$F1_\text{macro} = \frac{1}{3}(F1_\text{VA} + F1_\text{BVA} + F1_\text{NVA})$$

In business process analysis (Michele et al., 9 Apr 2025), structured role- and guideline-based prompting improves macro-F1 from 0.53 (zero-shot) to 0.72 (SME-detailed prompt), and waste-detection F1 (for NVA) from 0.23 to 0.50 (LEAN Analyst prompt).

Prompt Variant	F1₍macro₎	F1₍NVA₎
Zero-shot Baseline	0.53	0.23
SME (Detailed)	0.72	0.20
LEAN Analyst	0.61	0.50

7. Limitations, Adaptations, and Extensions

BPA's over-approximation manifests as large predicted value sets (high AICT) in static pointer analysis and as potentially subjective classifications in activity-level business process analysis. Hybrid strategies address these issues:

• In binary analysis, machine-learning and interprocedural refinement layers (as in iResolveX) can prune the initial, conservative BPA superset while retaining recall above 97.8% (Santra et al., 25 Jan 2026).
• In process analysis, hybrid human-in-the-loop validation, adaptive/reinforcement learning for prompt adaptation, and integration with event logs or BPM toolchains address the challenge of context-specific semantics and scale (Michele et al., 9 Apr 2025).

A plausible implication is that the core soundness properties of block-based value-set models make them robust bases for conservative analysis, with subsequent refinement layers necessary for precision in high-stakes or large-scale scenarios.