Papers
Topics
Authors
Recent
Search
2000 character limit reached

Panic-Reachability Gating

Updated 5 July 2026
  • Panic-Reachability Gating is a mechanism that preconditions access to panic-relevant states by computing a reachability variable from the system’s current state.
  • It is applied in areas such as concolic execution for Go, risk-aware LLM tool gating, and cognitive pathway management to focus resources on critical branches.
  • Empirical evaluations show that this gating approach reduces computational overhead and minimizes dangerous actions by filtering out non-essential paths.

Searching arXiv for the specified papers to ground the article and confirm citation details. Panic-Reachability Gating, used here as an Editor’s term, denotes a family of mechanisms that make panic-relevant states, branches, or capabilities conditionally accessible rather than universally available. In current arXiv literature, the phrase appears explicitly in binary concolic execution for Go, where symbolic effort is restricted to branches that may reach known panic sites (Gorna et al., 11 Dec 2025). Closely related but differently named mechanisms appear in tool-using LLM agents, where dangerous tools are structurally removed from the visible action space unless they lie on a causally necessary path and satisfy authorization conditions (Iyer et al., 11 Jun 2026), and in contract hardening work showing that such structural guarantees depend on the integrity of the contracts used to compute reachability (Iyer et al., 17 Jun 2026). Other papers instantiate analogous thresholded entry conditions for panic arousal, crisis routing, or collective panic regimes rather than using the exact name (Liu et al., 13 Jun 2026, Liu et al., 22 May 2025, Lee et al., 24 Oct 2025, Kim et al., 2024, Borland et al., 2010).

1. Conceptual scope and formal intuition

The most technical commonality across these works is that panic handling is moved from post hoc classification to preconditioned accessibility. A branch, tool, cognitive pathway, or collective regime is treated as admissible only when a reachability condition is satisfied. In Zorya, the controlled object is symbolic exploration: only branches that may reach known panic locations are granted solver attention (Gorna et al., 11 Dec 2025). In Risk-Aware Causal Gating, the controlled object is the agent’s visible tool set: a dangerous tool is not merely discouraged, but absent from the callable interface unless it is causally on-path and authorized (Iyer et al., 11 Jun 2026). In PCP, the controlled object is entry into the panic-capable cognitive subgraph: agents whose unified risk VV does not exceed θrisk\theta_{\text{risk}} bypass the BDEI pathway and are assigned non-panic for that step (Liu et al., 13 Jun 2026).

This suggests a shared formal pattern. A system computes a gate variable from some abstraction of the current state—control-flow reachability, symbolic causal contracts, or fused risk perception—and uses that variable to suppress downstream computation or action. The suppression can be structural, as in action-space minimization, or computational, as in branch filtering. In the strongest cases, the gate is fail-closed: if the relevant object is outside the allowed set, it cannot be selected by the downstream model at all.

2. Program-analysis instantiation: panic-reachable paths in Zorya

Zorya makes Panic-Reachability Gating explicit as a scalability mechanism for concolic execution of Go and TinyGo binaries. The target event is a Go panic, represented operationally by a set of known panic locations P\mathcal{P} obtained from symbol analysis, including runtime.panic*, runtime.fatal*, and related abort sites. A static backward traversal over the CFG computes a conservative set R\mathcal{R} of panic-reachable basic blocks. During forward concolic execution, a branch is given symbolic attention only if

pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),

where tt is the CBranch target (Gorna et al., 11 Dec 2025).

This reachability test is only the first layer of a four-stage cascade. Zorya next removes internal P-Code artifacts with IsInternalPCodeAddr(t), then requires either that the branch predicate ϕ\phi references tracked symbolic arguments or that the solver already has non-empty constraints, and finally performs a bounded AST pre-check by speculatively exploring the negated path for up to 10 basic blocks. Only after all four filters pass does Zorya issue a single SMT query for the alternative path. The path predicate is accumulated concolically as

Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.

The paper is explicit that this is a target-directed strategy rather than exhaustive symbolic exploration. It is conservative at the coarse reachability stage but not fully complete overall, because lazy concretization, bounded slice/string modeling, pointer anchoring, and the depth-10 AST pre-check can miss feasible panic paths. The authors therefore characterize the system as boundedly complete rather than fully sound over all executions.

Empirically, this gating policy is the primary scalability lever. On five TinyGo vulnerabilities, Zorya detected all 5/5 panics, whereas existing tools detected at most two. When panic-reachability gating filtered 33–70% of branches, runtime improved by 1.83.9×1.8\text{–}3.9\times; representative results include panic-index in function mode, where 8/17 branches were gated and runtime fell from 148.3s to 38.3s, and omni-vuln in function mode, where 12/32 branches were gated and runtime fell from 273.1s to 83.1s (Gorna et al., 11 Dec 2025). The mechanism therefore serves as a solver-front-end that concentrates symbolic reasoning on panic-relevant alternatives.

3. Reachability-first action-space gating in tool-using LLM agents

In tool-using LLM agents, the closest formal analogue to Panic-Reachability Gating is Risk-Aware Causal Gating. The tool library is modeled contractually as

ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),

with symbolic state θrisk\theta_{\text{risk}}0 and goal θrisk\theta_{\text{risk}}1. A tool is executable when θrisk\theta_{\text{risk}}2, and risk-bearing tools are admissible only when their authorization variables are already satisfied. RACG first searches for a minimal risk-penalized causal path,

θrisk\theta_{\text{risk}}3

with θrisk\theta_{\text{risk}}4, θrisk\theta_{\text{risk}}5, and θrisk\theta_{\text{risk}}6, then exposes only the frontier tools that are low-risk or already authorized (Iyer et al., 11 Jun 2026).

The visible set is

θrisk\theta_{\text{risk}}7

If this empties the frontier, RACG exposes the lowest-risk causally useful tool that can establish a missing authorization variable; if no trusted establisher exists, it fails closed and requests external intervention. The operational distinction is therefore not between “allowed” and “forbidden” tool use after selection, but between tools that are currently reachable in the agent’s action interface and tools that are absent.

The paper’s structural guarantee is correspondingly strong: if the targeted high-risk tool is absent from the enforced visible set θrisk\theta_{\text{risk}}8, then the agent cannot call it, regardless of prompt-injection phrasing. On the deterministic RiskGate benchmark, the ungated “All tools” condition had Success θrisk\theta_{\text{risk}}9, AS P\mathcal{P}0, WAS P\mathcal{P}1, UE P\mathcal{P}2, and Inj. P\mathcal{P}3. RACG with P\mathcal{P}4 preserved Success P\mathcal{P}5 while reducing AS to P\mathcal{P}6, WAS to P\mathcal{P}7, UE to P\mathcal{P}8, and Inj. to P\mathcal{P}9, with GTE R\mathcal{R}0 and OvB R\mathcal{R}1 (Iyer et al., 11 Jun 2026). Across seven hosted models, CMTF yielded HR-call R\mathcal{R}2 and Exp.@atk R\mathcal{R}3, whereas RACG yielded R\mathcal{R}4 for both while maintaining Auth R\mathcal{R}5. This is a reachability guarantee over capabilities rather than a confidence-based refusal policy.

4. Contract integrity as the load-bearing assumption: ContractGuard

The follow-on contract-layer paper sharpens the central caveat of reachability-first gating: the gate trusts the contracts it reads. RACG’s structural guarantee is therefore not eliminated by architectural gating; it is relocated into the integrity of R\mathcal{R}6, R\mathcal{R}7, R\mathcal{R}8, and R\mathcal{R}9. The paper’s key technical claim is that effect forgery is strictly more dangerous than risk-label tampering because the causal gate precedes the admissibility gate. A tool that is off the cheapest causal path is never the frontier and is never tested for admissibility, so merely setting pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),0 does not surface it; forging preconditions or effects can route the dangerous tool onto the causal path and thereby defeat the gate (Iyer et al., 17 Jun 2026).

ContractGuard is inserted between the registry and the gate and returns a sanitized registry. Its cumulative levels are signed provenance (pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),1), typed contract attestation (pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),2), and runtime effect verification (pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),3). Under trusted attestation, the paper states the field-integrity invariant

pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),4

and the authorization typing corollary

pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),5

For pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),6, realized effects entering symbolic state are restricted to attested declared effects, so undeclared authorization variables cannot poison later admissibility.

The empirical result is deliberately exhaustive. The white-box adaptive attacker searches a 256-point perturbation space per target, totaling 2048 perturbation configurations across 8 high-risk targets, each over 3 phrasings. Worst-case attack-induced ISR is pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),7 at pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),8, pcR    t(RP),pc \in \mathcal{R} \;\lor\; t \in (\mathcal{R} \cup \mathcal{P}),9, and tt0, and tt1 at tt2. The rung-by-rung scenarios likewise separate provenance failures, signed over-scope, and runtime effect divergence. Hosted-model validation over six models confirms the structural prediction: for A1 shortcut forgery, tt3 and tt4 on every model; for A4 effect divergence, tt5 and tt6 on every model (Iyer et al., 17 Jun 2026). In this formulation, Panic-Reachability Gating is only as sound as the reachability graph’s contract source.

5. Threshold-gated cognitive pathways and panic-specific conversational routing

The most explicit cognitive gate appears in PCP. The paper defines panic arousal timing by

tt7

but entry into the panic-capable BDEI pathway is controlled upstream by the Psychological Safety Distance score

tt8

with tt9. If ϕ\phi0, then ϕ\phi1; only if ϕ\phi2 does the agent enter BDEI reasoning. The paper fixes ϕ\phi3 and reports that PCP improves arousal timing accuracy by 10.68 percentage points over baselines, reduces peak count error to 7.07%, and is about ϕ\phi4 faster than a pure-LLM variant because low-risk users are filtered out before LLM invocation (Liu et al., 13 Jun 2026). This is threshold-mediated accessibility rather than formal reachability analysis, but it is an explicit gate on panic-path entry.

PsychoAgent uses a more layered but less formally specified gating chain. The predictive problem is posed as

ϕ\phi5

and the framework models disaster perception, risk cognition, panic emotion arousal, and posting behavior response. Risk perception is operationalized through PPDTS-style appraisal, then reduced to four arousal factors: awareness of danger, coping efficacy, uncertainty of risk, and novelty of risk. Generated posting behavior is shaped by an explicit prompt rule: if panic probability ϕ\phi6, the model generates more directly panic-expressive content; if ϕ\phi7, calmer content. User-level panic is then aggregated with a one-veto rule: at least one panic text is sufficient to label the user as panicked. On COPE, PsychoAgent reports Accuracy ϕ\phi8, AUC ϕ\phi9, and F1 Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.0 (Liu et al., 22 May 2025). This suggests a composite gate in which panic becomes reachable first as a latent appraisal state and then as an observable posting state.

PanicToCalm addresses routing in counseling rather than prediction. It frames active panic attacks as a low-cognitive-capacity regime marked by rapid heartbeat, shortness of breath, dizziness, chest tightness, shaking, numbness, derealization, fear of losing control, and similar cues, and organizes intervention by the PFA stages LOOK, LISTEN, and LINK. The dialogue state is represented as

Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.1

with Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.2. This is not a standalone panic detector, but it is a stage-gated routing policy: the model remains in LOOK or LISTEN until safety and stabilization conditions are sufficiently met, then advances. PACERΠ=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.3 attains Understanding Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.4, Empathy Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.5, Clarity Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.6, Directive Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.7, Stabilization Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.8, Closure Π=Π{ϕ}.\Pi'=\Pi \cup \{\phi\}.9, First Sign of Stable 1.83.9×1.8\text{–}3.9\times0 turns, and Intervention Turn Ratio 1.83.9×1.8\text{–}3.9\times1 (Lee et al., 24 Oct 2025). Here the gate controls transition from ordinary support to panic-specific first-aid dialogue.

6. Collective and phase-transition interpretations

Several papers treat panic reachability as a regime property of markets or crowds. In intraday market panic, the relevant gate variable is market volatility. The paper models the sign-synchronization order parameter 1.83.9×1.8\text{–}3.9\times2 by

1.83.9×1.8\text{–}3.9\times3

and defines sign-based instantaneous correlation through

1.83.9×1.8\text{–}3.9\times4

Below a critical market volatility 1.83.9×1.8\text{–}3.9\times5, correlations are low and the sign statistic 1.83.9×1.8\text{–}3.9\times6 is unimodal around zero; above it, a highly correlated state becomes accessible and 1.83.9×1.8\text{–}3.9\times7 becomes bimodal. The paper also reports a correlation-leverage effect,

1.83.9×1.8\text{–}3.9\times8

with 1.83.9×1.8\text{–}3.9\times9 and ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),0 on daily scales, and long memory in AIC with exponent ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),1 daily and ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),2 on 15-minute data (Borland et al., 2010). This is a thresholded collective-state gate rather than an intervention mechanism.

The earlier mimicry model likewise treats crisis accessibility as a latent-state transition. The fitted parameter ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),3 governs the distribution of the daily positive-return fraction ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),4, and the critical point

ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),5

marks a flat breadth distribution in which all fractions are equally likely. The paper interprets falling ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),6 as increasing mimicry, uncertainty, and vulnerability, and reports that a drop in ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),7 greater than twice the standard deviation from one year earlier defined four one-year warning windows containing eight of the largest DJIA drops in 1985–2010 (Harmon et al., 2011). In this reading, the gate indicates that crisis trajectories have become reachable, not that a crash is occurring immediately.

Crowd models use analogous bifurcation variables. In the spontaneous-symmetry-breaking formulation, the potential

ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),8

yields symmetric escape for ti=(di,Ri,Ei,ci,ρi,αi),t_i = (d_i, R_i, E_i, c_i, \rho_i, \alpha_i),9 and broken-symmetry escape for θrisk\theta_{\text{risk}}00, with

θrisk\theta_{\text{risk}}01

when θrisk\theta_{\text{risk}}02 (Kim et al., 2024). In the lattice-gas evacuation model, panic level θrisk\theta_{\text{risk}}03 deforms the payoff matrix via θrisk\theta_{\text{risk}}04 and θrisk\theta_{\text{risk}}05, movement occurs with

θrisk\theta_{\text{risk}}06

and average velocity θrisk\theta_{\text{risk}}07 diagnoses free flow versus congestion. The paper reports a single-cooperator phase for θrisk\theta_{\text{risk}}08, a mixed phase for θrisk\theta_{\text{risk}}09, and a single-defector phase for θrisk\theta_{\text{risk}}10, with escape time increasing for θrisk\theta_{\text{risk}}11 and θrisk\theta_{\text{risk}}12 corresponding to free flow (Dongmei et al., 2017). These models treat reachability as dynamical traversability of the exit or panic regime.

7. Guarantees, limitations, and recurring design principles

The literature converges on a sharp distinction between structural guarantees and heuristic filters. Zorya’s panic-reachability set θrisk\theta_{\text{risk}}13 is conservative, but the full pipeline is boundedly complete rather than fully sound because AST pre-check depth, lazy concretization, pointer anchoring, and bounded data modeling can miss bugs (Gorna et al., 11 Dec 2025). RACG’s guarantee is architectural rather than statistical: if tool visibility is enforced and authorization provenance is trusted, a hidden tool cannot be called; but if attacker-controlled content can forge authorization variables, ISR rises to θrisk\theta_{\text{risk}}14, matching CMTF (Iyer et al., 11 Jun 2026). ContractGuard’s θrisk\theta_{\text{risk}}15 result is conditional on trusted attestation, unforgeable signatures, and immutable reference contracts; if the root of trust is compromised, the paper states that the defense degrades to no defense. It also notes that runtime effect verification protects the symbolic state, not irreversible external side effects already committed in the world (Iyer et al., 17 Jun 2026).

Threshold-gated cognitive systems are more weakly specified. PCP is explicit that its gate is a practical threshold condition, not formal reachability analysis, and its weights θrisk\theta_{\text{risk}}16 and threshold θrisk\theta_{\text{risk}}17 are hand-specified rather than learned (Liu et al., 13 Jun 2026). PsychoAgent provides staged psychological intermediates and clear operational rules such as the one-veto user label, but the exact arithmetic mapping from the four arousal factors to panic probability is not fully specified in the paper (Liu et al., 22 May 2025). PanicToCalm contributes a strong routing protocol but no standalone panic detector, and its synthetic dialogues, simulated clients, and underdeveloped medical triage boundary limit direct deployment as a crisis gate (Lee et al., 24 Oct 2025).

A final caution comes from crowd-dynamics critique. The retrospective on escape panic argues that bottleneck congestion, arching, and jams are not uniquely diagnostic of panic and are often better grounded in density, capacity, contact, and geometry; it also finds that “panic” and “herding” have been terminologically influential beyond their empirical support (Haghani et al., 2023). This suggests that Panic-Reachability Gating is most precise when the gate variable is explicit and operational—such as θrisk\theta_{\text{risk}}18, θrisk\theta_{\text{risk}}19, θrisk\theta_{\text{risk}}20, θrisk\theta_{\text{risk}}21, or θrisk\theta_{\text{risk}}22—rather than when “panic” is used as a generic explanatory label.

Taken together, the literature supports a unified technical interpretation: panic-reachability mechanisms are strongest when they (i) compute a clearly defined gate variable from a trusted abstraction, (ii) suppress downstream branches or capabilities structurally rather than exhortatively, (iii) distinguish entry into a panic-capable regime from later behavior within that regime, and (iv) make their trust assumptions explicit. In program analysis this yields tractable panic discovery; in LLM agents it yields least-privilege capability control; in cognitive systems it yields guarded entry into expensive arousal pathways; and in market or crowd models it yields thresholded descriptions of when collective panic states become dynamically accessible.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Panic-Reachability Gating.