While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem. To efficiently solve the optimization problem, a three-stage process \textit{Ask, Attend, Attack}, called \textit{AAA}, is proposed to coordinate with the solver.

We thank all reviewers for their comments, and will incorporate suggestions in the final version. We compare the proposed algorithms with baseline algorithms on the U.S. 2000 Census Data All algorithms are implemented in Python 3.7. We also calculate the optimal solution to verify the approximation ratio. See Table 1 in our submission for definitions. We will add more discussion on this in the final version.

City streets, sidewalks, and public areas often serve as primary interaction points among diverse user groups, including residents, commuters, and visitors ( Gehl, 2011). These spaces carry social, economic, and cultural signifi - cance that influences navigation and user experience ( Mitra ˇ sinovi c & Mehta, 2021). Municipal governments and planning agencies recognize the importance of inclusive public spaces but face challenges in operation - alizing inclusivity ( Anttiroiko & De Jong, 2020). Traditional approaches may draw on universal design principles intended to accommodate a broad range of users, but these frameworks often take a one-size-fits-all approach that prioritizes physical accessibility over the social and cul - tural dimensions of public space use ( Low, 2020). In multicultural cities, where multiple languages, cultures, and religious practices converge, these complexities become particularly evident ( Fan et al., 2023; Lit - man, 2025; Salgado et al., 2021; Youngbloom et al., 2023). Research on inclusive design has provided valuable insights, but few methods combine qualitative depth with quantitative scale to under - stand inclusivity in urban contexts ( Anttiroiko & De Jong, 2020; Mehta, 2019; Zamanifard et al., 2019). Ethnographic research and interviews offer detailed perspectives on lived experience, while computer vision and machine learning enable assessments at larger scales ( Ibrahim et al., 2020). However, large-scale computational approaches often overlook intersectional dimensions ( Zhu et al., 2025). This gap calls for integrated models that merge qualitative and quantitative methodologies.

While large language model agents have advanced software engineering tasks, the unscalable nature of existing test-based supervision is limiting the potential improvement of data scaling. The reason is twofold: (1) building and running test sandbox is rather heavy and fragile, and (2) data with high-coverage tests is naturally rare and threatened by test hacking via edge cases. In this paper, we propose R4P, a patch verifier model to provide scalable rewards for training and testing SWE agents via reasoning. We consider that patch verification is fundamentally a reasoning task, mirroring how human repository maintainers review patches without writing and running new reproduction tests. To obtain sufficient reference and reduce the risk of reward hacking, R4P uses a group-wise objective for RL training, enabling it to verify multiple patches against each other's modification and gain a dense reward for stable training. R4P achieves 72.2% Acc. for verifying patches from SWE-bench-verified, surpassing OpenAI o3. To demonstrate R4P's practicality, we design and train a lite scaffold, Mini-SE, with pure reinforcement learning where all rewards are derived from R4P. As a result, Mini-SE achieves 26.2% Pass@1 on SWE-bench-verified, showing a 10.0% improvement over the original Qwen3-32B. This can be further improved to 32.8% with R4P for test-time scaling. Furthermore, R4P verifies patches within a second, 50x faster than testing on average. The stable scaling curves of rewards and accuracy along with high efficiency reflect R4P's practicality.

We address your questions/suggestions below. If the paper is accepted to NeurIPS 2020, we will have one extra page. There are three players, each with two strategies Head and Tail. We also run with Optimistic MWU. They will appear in the final version.

We would like to thank the reviewers for their time and helpful comments. We will clarify/fix the paper as suggested. Thank you for pointing that out. Also, the Batch-RL setup is constrained by samples and not computational complexity. There was a tradeoff in writing and explaining the ideas while satisfying the page limit constraints.

This paper analyzes the limitations of existing unlearning evaluation metrics in terms of practicality, exactness, and robustness in real-world LLM unlearning scenarios. To overcome these limitations, we propose a new metric called Distribution Correction-based Unlearning Evaluation (DCUE). It identifies core tokens and corrects distributional biases in their confidence scores using a validation set. The evaluation results are quantified using the Kolmogorov-Smirnov test. Experimental results demonstrate that DCUE overcomes the limitations of existing metrics, which also guides the design of more practical and reliable unlearning algorithms in the future.

While image-to-text models have demonstrated significant advancements in various vision-language tasks, they remain susceptible to adversarial attacks. Existing white-box attacks on image-to-text models require access to the architecture, gradients, and parameters of the target model, resulting in low practicality. Although the recently proposed gray-box attacks have improved practicality, they suffer from semantic loss during the training process, which limits their targeted attack performance. To advance adversarial attacks of image-to-text models, this paper focuses on a challenging scenario: decision-based black-box targeted attacks where the attackers only have access to the final output text and aim to perform targeted attacks. Specifically, we formulate the decision-based black-box targeted attack as a large-scale optimization problem.