diff --git a/chb/api/AppFunctionSignature.py b/chb/api/AppFunctionSignature.py
index 206f2cdf..90cd8838 100644
--- a/chb/api/AppFunctionSignature.py
+++ b/chb/api/AppFunctionSignature.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2023  Aarno Labs LLC
+# Copyright (c) 2023-2024  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -54,7 +54,9 @@ class AppFunctionSignature(InterfaceDictionaryRecord):
     args[6..]: indices of registers preserved (not normally preserved)
     """
 
-    def __init__(self, ixd: "InterfaceDictionary", ixval: IndexedTableValue) -> None:
+    def __init__(
+            self, ixd: "InterfaceDictionary", ixval: IndexedTableValue
+    ) -> None:
         InterfaceDictionaryRecord.__init__(self, ixd, ixval)
 
     @property
@@ -69,16 +71,22 @@ def parameter_list(self) -> List["FtsParameter"]:
     def returntype(self) -> "BCTyp":
         return self.bcd.typ(self.args[3])
 
-    def index_of_register_parameter_location(self, r: "Register") -> Optional[int]:
+    def index_of_register_parameter_location(
+            self, r: "Register") -> Optional[int]:
         for p in self.parameter_list:
             if p.is_register_parameter_location(r):
                 return p.argindex
         return None
 
+    def index_of_stack_parameter_location(self, offset: int) -> Optional[int]:
+        for p in self.parameter_list:
+            if p.is_stack_parameter_location(offset):
+                return p.argindex
+        return None
+
     def __str__(self) -> str:
         return (
             str(self.returntype)
             + " ("
             + ", ".join(str(p) for p in self.parameter_list)
             + ")")
-        
diff --git a/chb/api/FtsParameter.py b/chb/api/FtsParameter.py
index 4c38dcf1..45f310f5 100644
--- a/chb/api/FtsParameter.py
+++ b/chb/api/FtsParameter.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2023  Aarno Labs LLC
+# Copyright (c) 2023-2024  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -80,5 +80,10 @@ def is_register_parameter_location(self, r: "Register") -> bool:
             return self.parameter_location_list[0].is_register_parameter_location_of(r)
         return False
 
+    def is_stack_parameter_location(self, offset: int) -> bool:
+        if len(self.parameter_location_list) == 1:
+            return self.parameter_location_list[0].is_stack_parameter_location_of(offset)
+        return False
+
     def __str__(self) -> str:
         return str(self.typ) + " " + str(self.name)
diff --git a/chb/api/FtsParameterLocation.py b/chb/api/FtsParameterLocation.py
index 9e4b3a25..44255588 100644
--- a/chb/api/FtsParameterLocation.py
+++ b/chb/api/FtsParameterLocation.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2023  Aarno Labs LLC
+# Copyright (c) 2023-2024  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -81,6 +81,9 @@ def is_unknown_location(self) -> bool:
     def is_register_parameter_location_of(self, r: "Register") -> bool:
         return False
 
+    def is_stack_parameter_location_of(self, offset: int) -> bool:
+        return False
+
 
 @apiregistry.register_tag("s", FtsParameterLocation)
 class FtsStackParameter(FtsParameterLocation):
@@ -98,9 +101,12 @@ def is_stack_parameter(self) -> bool:
         return True
 
     @property
-    def index(self) -> int:
+    def offset(self) -> int:
         return self.args[0]
 
+    def is_stack_parameter_location_of(self, offset: int) -> bool:
+        return offset == self.offset
+
     def __str__(self) -> str:
         return "stack-parameter " + str(self.index)
 
diff --git a/chb/app/AppAccess.py b/chb/app/AppAccess.py
index 5197ebeb..9f93b535 100644
--- a/chb/app/AppAccess.py
+++ b/chb/app/AppAccess.py
@@ -63,6 +63,7 @@
 from chb.app.Function import Function
 from chb.app.FunctionInfo import FunctionInfo
 from chb.app.FunctionsData import FunctionsData
+from chb.app.GlobalMemoryMap import GlobalMemoryMap
 from chb.app.JumpTables import JumpTables
 from chb.app.SystemInfo import SystemInfo
 from chb.app.StringXRefs import StringsXRefs
@@ -128,6 +129,7 @@ def __init__(
         self._bcfiles: Optional[BCFiles] = None
 
         self._typeconstraints = TypeConstraintStore(self)
+        self._globalmemorymap: Optional[GlobalMemoryMap] = None
         self._systeminfo: Optional[SystemInfo] = None
 
     @property
@@ -190,6 +192,16 @@ def tcdictionary(self) -> TypeConstraintDictionary:
                 self._tcdictionary = TypeConstraintDictionary(self, None)
         return self._tcdictionary
 
+    @property
+    def globalmemorymap(self) -> GlobalMemoryMap:
+        if self._globalmemorymap is None:
+            if UF.has_global_locations_file(self.path, self.filename):
+                x = UF.get_global_locations_xnode(self.path, self.filename)
+                self._globalmemorymap = GlobalMemoryMap(self, x)
+            else:
+                self._globalmemorymap = GlobalMemoryMap(self, None)
+        return self._globalmemorymap
+
     @property
     def bdictionary(self) -> BDictionary:
         if self._bdictionary is None:
diff --git a/chb/app/CHVersion.py b/chb/app/CHVersion.py
index 74e2d98f..34d0dc97 100644
--- a/chb/app/CHVersion.py
+++ b/chb/app/CHVersion.py
@@ -1 +1 @@
-chbversion: str = "0.3.0-20241111"
+chbversion: str = "0.3.0-20250203"
diff --git a/chb/app/Function.py b/chb/app/Function.py
index 26821970..77fc74ab 100644
--- a/chb/app/Function.py
+++ b/chb/app/Function.py
@@ -59,6 +59,8 @@
 from chb.app.FnProofObligations import FnProofObligations
 from chb.app.FnXPODictionary import FnXPODictionary
 from chb.app.FunctionInfo import FunctionInfo
+from chb.app.GlobalMemoryMap import (
+    GlobalLoad, GlobalStore, GlobalAddressArgument)
 from chb.app.Instruction import Instruction
 from chb.app.JumpTables import JumpTable
 from chb.app.StackLayout import StackLayout
@@ -84,9 +86,14 @@
 
 import chb.util.fileutil as UF
 from chb.util.graphutil import coalesce_lists
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
+    from chb.app.AppAccess import AppAccess
     from chb.app.FnStackFrame import FnStackFrame
+    from chb.app.GlobalMemoryMap import (
+        GlobalMemoryMap, GlobalLocation, GlobalReference)
     from chb.bctypes.BCTyp import BCTyp
 
 
@@ -119,6 +126,7 @@ def __init__(
         self._invariants: Dict[str, List[InvariantFact]] = {}
         self._varinvariants: Dict[str, List[VarInvariantFact]] = {}
         self._stacklayout: Optional[StackLayout] = None
+        self._globalrefs: Optional[Dict[str, List["GlobalReference"]]] = None
         self._proofobligations: Optional[FnProofObligations] = None
 
     @property
@@ -129,6 +137,10 @@ def path(self) -> str:
     def filename(self) -> str:
         return self._filename
 
+    @property
+    def app(self) -> "AppAccess":
+        return self.ixd.app
+
     @property
     def bd(self) -> BDictionary:
         return self._bd
@@ -544,6 +556,44 @@ def stacklayout(self) -> StackLayout:
             self._stacklayout = stacklayout
         return self._stacklayout
 
+    def globalrefs(self) -> Dict[str, List["GlobalReference"]]:
+        if self._globalrefs is None:
+            self._globalrefs = {}
+            gnode = self.xnode.find("global-references")
+            if gnode is not None:
+                glnode = gnode.find("location-references")
+                if glnode is not None:
+                    for rnode in glnode.findall("gref"):
+                        gaddr = rnode.get("g")
+                        if gaddr is None:
+                            chklogger.logger.error(
+                                "Global address is missing in xml gref")
+                            continue
+                        gloc = self.app.globalmemorymap.get_location(gaddr)
+                        if gloc is None:
+                            chklogger.logger.error(
+                                "Global location is missing for %s", gaddr)
+                            continue
+                        gt = rnode.get("t")
+                        if gt is None:
+                            chklogger.logger.error(
+                                "Global reference type is missing for %s", gaddr)
+                            continue
+                        if gt == "L":
+                            gref: "GlobalReference" = GlobalLoad(self, gloc, rnode)
+                        elif gt == "S":
+                            gref = GlobalStore(self, gloc, rnode)
+                        elif gt == "CA":
+                            gref = GlobalAddressArgument(self, gloc, rnode)
+                        else:
+                            chklogger.logger.error(
+                                "Global reference type %s not recognized for %s",
+                                gt, gaddr)
+                            continue
+                        self._globalrefs.setdefault(gaddr, [])
+                        self._globalrefs[gaddr].append(gref)
+        return self._globalrefs
+
     @abstractmethod
     def to_string(
             self,
diff --git a/chb/app/GlobalMemoryMap.py b/chb/app/GlobalMemoryMap.py
new file mode 100644
index 00000000..ebef1d2a
--- /dev/null
+++ b/chb/app/GlobalMemoryMap.py
@@ -0,0 +1,276 @@
+# ------------------------------------------------------------------------------
+# CodeHawk Binary Analyzer
+# Author: Henny Sipma
+# ------------------------------------------------------------------------------
+# The MIT License (MIT)
+#
+# Copyright (c) 2024-2025 Aarno Labs LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ------------------------------------------------------------------------------
+
+import xml.etree.ElementTree as ET
+
+from typing import Dict, List, Optional, Tuple, TYPE_CHECKING
+
+import chb.util.fileutil as UF
+from chb.util.loggingutil import chklogger
+
+if TYPE_CHECKING:
+    from chb.app.AppAccess import AppAccess
+    from chb.app.Function import Function
+    from chb.app.Instruction import Instruction
+    from chb.bctypes.BCDictionary import BCDictionary
+    from chb.bctypes.BCTyp import BCTyp
+    from chb.invariants.FnVarDictionary import FnVarDictionary
+    from chb.invariants.FnXprDictionary import FnXprDictionary
+    from chb.invariants.VMemoryOffset import VMemoryOffset
+    from chb.invariants.XXpr import XXpr
+
+
+class GlobalReference:
+
+    def __init__(self,
+                 function: "Function",
+                 gloc: "GlobalLocation",
+                 xnode: ET.Element) -> None:
+        self._function = function
+        self._gloc = gloc
+        self._xnode = xnode
+
+    @property
+    def xnode(self) -> ET.Element:
+        return self._xnode
+
+    @property
+    def mmap(self) -> "GlobalMemoryMap":
+        return self._gloc.mmap
+
+    @property
+    def app(self) -> "AppAccess":
+        return self.mmap.app
+
+    @property
+    def function(self) -> "Function":
+        return self._function
+
+    @property
+    def vardictionary(self) -> "FnVarDictionary":
+        return self.function.vardictionary
+
+    @property
+    def xprdictionary(self) -> "FnXprDictionary":
+        return self.vardictionary.xd
+
+    @property
+    def gloc(self) -> "GlobalLocation":
+        return self._gloc
+
+    @property
+    def gaddr(self) -> str:
+        return self.gloc.addr
+
+    @property
+    def faddr(self) -> str:
+        return self.function.faddr
+
+    @property
+    def iaddr(self) -> str:
+        iaddr = self._xnode.get("i")
+        if iaddr is None:
+            raise UF.CHBError("Attribute i is missing for " + self.gaddr)
+        return iaddr
+
+    @property
+    def grefvalue(self) -> "XXpr":
+        xix = self._xnode.get("xix")
+        if xix is None:
+            raise UF.CHBError("Attribute xix is missing for " + self.gaddr)
+        return self.xprdictionary.xpr(int(xix))
+
+    def __str__(self) -> str:
+        return "Ref: " + self.gaddr + ": " + str(self.grefvalue)
+
+
+class GlobalLoad(GlobalReference):
+
+    def __init__(
+            self,
+            function: "Function",
+            gloc: "GlobalLocation",
+            xnode: ET.Element) -> None:
+        GlobalReference.__init__(self, function, gloc, xnode)
+
+    @property
+    def size(self) -> int:
+        return int(self.xnode.get("s", "0"))
+
+    def __str__(self) -> str:
+        return "Load: " + str(self.grefvalue) + " (" + self.gaddr + ")"
+
+
+class GlobalStore(GlobalReference):
+
+    def __init__(
+            self,
+            function: "Function",
+            gloc: "GlobalLocation",
+            xnode: ET.Element) -> None:
+        GlobalReference.__init__(self, function, gloc, xnode)
+
+    @property
+    def size(self) -> int:
+        return int(self.xnode.get("s", "0"))
+
+    @property
+    def value(self) -> Optional[int]:
+        optval = self._xnode.get("v")
+        if optval is not None:
+            return int(optval)
+        else:
+            return None
+
+    def __str__(self) -> str:
+        return "Store: " + str(self.grefvalue) + " (" + self.gaddr + ")"
+
+
+class GlobalAddressArgument(GlobalReference):
+
+    def __init__(
+            self,
+            function: "Function",
+            gloc: "GlobalLocation",
+            xnode: ET.Element) -> None:
+        GlobalReference.__init__(self, function, gloc, xnode)
+
+    @property
+    def argindex(self) -> int:
+        return int(self.xnode.get("aix", "-1"))
+
+    @property
+    def memory_offset(self) -> Optional["VMemoryOffset"]:
+        mix = self.xnode.get("mix")
+        if mix is not None:
+            return self.vardictionary.memory_offset(int(mix))
+        return None
+
+    def __str__(self) -> str:
+        return (
+            "Argument: "
+            + str(self.grefvalue)
+            + " with offset "
+            + str(self.memory_offset)
+            + " ("
+            + self.gaddr
+            + ")")
+
+
+class GlobalLocation:
+
+    def __init__(self, mmap: "GlobalMemoryMap", xnode: ET.Element) -> None:
+        self._mmap = mmap
+        self._xnode = xnode
+
+    @property
+    def mmap(self) -> "GlobalMemoryMap":
+        return self._mmap
+
+    @property
+    def name(self) -> str:
+        return self._xnode.get("name", "?")
+
+    @property
+    def addr(self) -> str:
+        return self._xnode.get("a", "0x0")
+
+    @property
+    def gtype(self) -> Optional["BCTyp"]:
+        tix = self._xnode.get("tix", None)
+        if tix is not None:
+            return self.mmap.bcdictionary.typ(int(tix))
+        return None
+
+    @property
+    def size(self) -> Optional[int]:
+        s = self._xnode.get("size", None)
+        if s is not None:
+            return int(s)
+        else:
+            return None
+
+
+class GlobalMemoryMap:
+
+    def __init__(self, app: "AppAccess", xnode: Optional[ET.Element]) -> None:
+        self._app = app
+        self._xnode = xnode
+        self._locations: Optional[Dict[str, GlobalLocation]] = None
+
+    @property
+    def app(self) -> "AppAccess":
+        return self._app
+
+    @property
+    def bcdictionary(self) -> "BCDictionary":
+        return self.app.bcdictionary
+
+    @property
+    def deflocnode(self) -> Optional[ET.Element]:
+        if self._xnode is not None:
+            return self._xnode.find("locations")
+        return None
+
+    @property
+    def refaddrnode(self) -> Optional[ET.Element]:
+        if self._xnode is not None:
+            return self._xnode.find("no-locations")
+        return None
+
+    @property
+    def locations(self) -> Dict[str, GlobalLocation]:
+        if self._locations is None:
+            self._locations = {}
+            if self.deflocnode is not None:
+                for xgloc in self.deflocnode.findall("gloc"):
+                    addr = xgloc.get("a", "0x0")
+                    self._locations[addr] = GlobalLocation(self, xgloc)
+        return self._locations
+
+    def get_location_by_name(self, name: str) -> Optional[GlobalLocation]:
+        for gloc in self.locations.values():
+            if gloc.name == name:
+                return gloc
+        else:
+            return None
+
+    def get_location(self, addr: str) -> Optional[GlobalLocation]:
+        if addr in self.locations:
+            return self.locations[addr]
+        else:
+            return None
+
+    def coverage(self) -> Tuple[int, int]:
+        loccoverage: int = 0
+        loccount: int = 0
+        for gloc in self.locations.values():
+            size = gloc.size
+            if size is not None:
+                loccoverage += size
+                loccount += 1
+        return (loccount, loccoverage)
diff --git a/chb/app/InstrXData.py b/chb/app/InstrXData.py
index deaeb8d4..06bee162 100644
--- a/chb/app/InstrXData.py
+++ b/chb/app/InstrXData.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -73,8 +73,10 @@ def __init__(
         self.expanded = False
         self._ssavals: List[XVariable] = []
         self._vars: List[XVariable] = []
+        self._vars_r: List[Optional[XVariable]] = []
         self._types: List["BCTyp"] = []
         self._xprs: List[XXpr] = []
+        self._xprs_r: List[Optional[XXpr]] = []
         self._intervals: List[XInterval] = []
         self._strs: List[str] = []
         self._ints: List[int] = []
@@ -121,6 +123,12 @@ def vars(self) -> List[XVariable]:
             self._expand()
         return self._vars
 
+    @property
+    def vars_r(self) -> List[Optional[XVariable]]:
+        if not self.expanded:
+            self._expand()
+        return self._vars_r
+
     @property
     def types(self) -> List["BCTyp"]:
         if not self.expanded:
@@ -161,12 +169,29 @@ def get_var(self, index: int) -> XVariable:
                 + str(len(self.vars))
                 + ")")
 
+    def get_var_x(self, index: int) -> Optional[XVariable]:
+        if index < len(self.vars_r):
+            return self.vars_r[index]
+        else:
+            raise UF.CHBError(
+                "xdata: var-index out-of-bound: "
+                + str(index)
+                + " (length is "
+                + str(len(self.vars))
+                + ")")
+
     @property
     def xprs(self) -> List[XXpr]:
         if not self.expanded:
             self._expand()
         return self._xprs
 
+    @property
+    def xprs_r(self) -> List[Optional[XXpr]]:
+        if not self.expanded:
+            self._expand()
+        return self._xprs_r
+
     @property
     def intervals(self) -> List[XInterval]:
         if not self.expanded:
@@ -223,6 +248,32 @@ def reachingdeflocs_for_s(self, var: str) -> Sequence[XSymbol]:
                     return rdef.deflocations
         return []
 
+    @property
+    def is_ok(self) -> bool:
+        """Returns false if the data key is ar: and one or more of the
+        variables and/or expressions are error values (None). Returns true
+        otherwise."""
+
+        key = self.tags[0]
+        if key.startswith("ar:"):
+            return all(self.vars_r) and all(self.xprs_r)
+        else:
+            return True
+
+    @property
+    def error_values(self) -> Tuple[List[int], List[int]]:
+
+        key = self.tags[0]
+        if key.startswith("ar:"):
+            vars_e: List[int] = [
+                i for i in range(0, len(self.vars_r)) if self.vars_r[i] is None]
+            xprs_e: List[int] = [
+                i for i in range(0, len(self.xprs_r)) if self.xprs_r[i] is None]
+            return (vars_e, xprs_e)
+        else:
+            return ([], [])
+
+
     def _expand(self) -> None:
         """Expand the arguments based on the argument string in the keys.
 
@@ -240,49 +291,72 @@ def _expand(self) -> None:
         key = self.tags[0]
         if key.startswith("a:"):
             keyletters = key[2:]
-            for (i, c) in enumerate(keyletters):
-                arg = self.args[i]
-                xd = self.xprdictionary
-                bd = self.bdictionary
-                bcd = self.bcdictionary
-                if c == "v":
+            use_result = False
+        elif key.startswith("ar:"):
+            keyletters = key[3:]
+            use_result = True
+        else:
+            chklogger.logger.error(
+                "InstrXData tag: %s not recognized", key)
+            return
+
+        for (i, c) in enumerate(keyletters):
+            arg = self.args[i]
+            xd = self.xprdictionary
+            bd = self.bdictionary
+            bcd = self.bcdictionary
+            if c == "v":
+                if use_result:
+                    if arg == -2:
+                        self._vars_r.append(None)
+                    else:
+                        self._vars_r.append(xd.variable(arg))
+                else:
                     self._vars.append(xd.variable(arg))
-                elif c == "x":
-                    self._xprs.append(xd.xpr(arg))
-                elif c == "a":
-                    self._xprs.append(xd.xpr(arg))
-                elif c == "s":
-                    self._strs.append(bd.string(arg))
-                elif c == "i":
-                    self._intervals.append(xd.interval(arg))
-                elif c == "l":
-                    self._ints.append(arg)
-                elif c == "t":
-                    self._types.append(bcd.typ(arg))
-                elif c == "r":
-                    varinvd = self.varinvdictionary
-                    rdef = varinvd.var_invariant_fact(arg) if arg >= 0 else None
-                    rdef = cast(Optional[ReachingDefFact], rdef)
-                    self._reachingdefs.append(rdef)
-                elif c == "d":
-                    varinvd = self.varinvdictionary
-                    use = varinvd.var_invariant_fact(arg) if arg >= 0 else None
-                    use = cast(Optional[DefUse], use)
-                    self._defuses.append(use)
-                elif c == "h":
-                    varinvd = self.varinvdictionary
-                    usehigh = varinvd.var_invariant_fact(arg) if arg > 0 else None
-                    usehigh = cast(Optional[DefUseHigh], usehigh)
-                    self._defuseshigh.append(usehigh)
-                elif c == "f":
-                    varinvd = self.varinvdictionary
-                    flagrdef = varinvd.var_invariant_fact(arg) if arg >= 0 else None
-                    flagrdef = cast(Optional[FlagReachingDefFact], flagrdef)
-                    self._flagreachingdefs.append(flagrdef)
-                elif c == "c":
-                    self._ssavals.append(xd.variable(arg))
+
+            elif c == "x":
+                if use_result:
+                    if arg == -2:
+                        self._xprs_r.append(None)
+                    else:
+                        self._xprs_r.append(xd.xpr(arg))
                 else:
-                    raise UF.CHBError("Key letter not recognized: " + c)
+                    self._xprs.append(xd.xpr(arg))
+
+            elif c == "a":
+                self._xprs.append(xd.xpr(arg))
+            elif c == "s":
+                self._strs.append(bd.string(arg))
+            elif c == "i":
+                self._intervals.append(xd.interval(arg))
+            elif c == "l":
+                self._ints.append(arg)
+            elif c == "t":
+                self._types.append(bcd.typ(arg))
+            elif c == "r":
+                varinvd = self.varinvdictionary
+                rdef = varinvd.var_invariant_fact(arg) if arg >= 0 else None
+                rdef = cast(Optional[ReachingDefFact], rdef)
+                self._reachingdefs.append(rdef)
+            elif c == "d":
+                varinvd = self.varinvdictionary
+                use = varinvd.var_invariant_fact(arg) if arg >= 0 else None
+                use = cast(Optional[DefUse], use)
+                self._defuses.append(use)
+            elif c == "h":
+                varinvd = self.varinvdictionary
+                usehigh = varinvd.var_invariant_fact(arg) if arg > 0 else None
+                usehigh = cast(Optional[DefUseHigh], usehigh)
+                self._defuseshigh.append(usehigh)
+            elif c == "f":
+                varinvd = self.varinvdictionary
+                flagrdef = varinvd.var_invariant_fact(arg) if arg >= 0 else None
+                flagrdef = cast(Optional[FlagReachingDefFact], flagrdef)
+                self._flagreachingdefs.append(flagrdef)
+            elif c == "c":
+                self._ssavals.append(xd.variable(arg))
+            else:
+                raise UF.CHBError("Key letter not recognized: " + c)
 
     @property
     def is_function_argument(self) -> bool:
@@ -313,6 +387,11 @@ def is_bx_call(self) -> bool:
         return "bx-call" in self.tags
 
     def call_target_argument_count(self) -> Optional[int]:
+        if any(s.startswith("argcount:") for s in self.tags):
+            tag = next(s for s in self.tags if s.startswith("argcount:"))
+            argcount = int(tag[9:])
+            return argcount
+
         if len(self.tags) >= 3:
             if self.tags[1] == "call":
                 try:
@@ -325,7 +404,6 @@ def call_target_argument_count(self) -> Optional[int]:
 
         return None
 
-
     def has_inlined_call_target(self) -> bool:
         return len(self.tags) >= 3 and self.tags[2] == "inlined"
 
@@ -378,7 +456,19 @@ def get_branch_conditions(self) -> Sequence[XXpr]:
                 "XData does not have branch conditions: " + str(self))
 
     def has_instruction_condition(self) -> bool:
-        return "ic" in self.tags
+        return any(s.startswith("ic:") for s in self.tags)
+
+    def get_instruction_condition(self) -> XXpr:
+        for t in self.tags:
+            if t.startswith("ic:"):
+                index = int(t[3:])
+                argval = self.args[index]
+                if argval == -2:
+                    raise UF.CHBError(
+                        "Unexpected error value in instruction condition")
+                return self.xprdictionary.xpr(argval)
+        else:
+            raise UF.CHBError("No instruction condition index found")
 
     def has_condition_block_condition(self) -> bool:
         return "TF" in self.tags
@@ -387,7 +477,44 @@ def has_unknown_instruction_condition(self) -> bool:
         return "uc" in self.tags
 
     def has_base_update(self) -> bool:
-        return "bu" in self.tags
+        return any(s.startswith("vbu:") for s in self.tags)
+
+    def get_base_update_var(self) -> XVariable:
+        vbutag = next(t for t in self.tags if t.startswith("vbu:"))
+        vix = int(vbutag[4:])
+        vbuval = self.args[vix]
+        if vbuval == -2:
+            raise UF.CHBError(
+                "Unexpected error value in base-update variable")
+        return self.xprdictionary.variable(vbuval)
+
+    def get_base_update_xpr(self) -> XXpr:
+        xbutag = next(t for t in self.tags if t.startswith("xbu:"))
+        xix = int(xbutag[4:])
+        xbuval = self.args[xix]
+        if xbuval == -2:
+            raise UF.CHBError(
+                "Unexpected error value in base-update expression")
+        return self.xprdictionary.xpr(xbuval)
+
+    def has_return_xpr(self) -> bool:
+        return any(s.startswith("return:") for s in self.tags)
+
+    def get_return_xpr(self) -> XXpr:
+        rvtag = next(t for t in self.tags if t.startswith("return:"))
+        rvix = int(rvtag[7:])
+        rval = self.args[rvix]
+        if rval == -2:
+            raise UF.CHBError("Unexpected error in return value")
+        return self.xprdictionary.xpr(rval)
+
+    def get_return_xxpr(self) -> XXpr:
+        rvtag = next(t for t in self.tags if t.startswith("return:"))
+        rvix = int(rvtag[7:])
+        rval = self.args[rvix + 1]
+        if rval == -2:
+            raise UF.CHBError("Unexpected error in rewritten return value")
+        return self.xprdictionary.xpr(rval)
 
     @property
     def is_aggregate_jumptable(self) -> bool:
diff --git a/chb/arm/ARMCallOpcode.py b/chb/arm/ARMCallOpcode.py
index 11555499..ed4ccd09 100644
--- a/chb/arm/ARMCallOpcode.py
+++ b/chb/arm/ARMCallOpcode.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2022-2024  Aarno Labs LLC
+# Copyright (c) 2022-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -32,7 +32,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 from chb.arm.ARMOperandKind import ARMOperandKind, ARMAbsoluteOp
 
@@ -54,20 +54,18 @@
 
 if TYPE_CHECKING:
     from chb.api.CallTarget import CallTarget, AppTarget, StaticStubTarget
+    from chb.api.InterfaceDictionary import InterfaceDictionary
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.bctypes.BCTyp import BCTypFun
     from chb.invariants.VarInvariantFact import ReachingDefFact
     from chb.invariants.VAssemblyVariable import VRegisterVariable
     from chb.invariants.VConstantValueVariable import VFunctionReturnValue
-    from chb.invariants.XXpr import XprConstant, XprVariable
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr, XprConstant, XprVariable
 
 
-class ARMCallOpcode(ARMOpcode):
-    """Generic call functionality, covers BL and BLX.
-
-    tags[1]: <c>
-    args[0]: index of target operand in armdictionary
-
+class ARMCallOpcodeXData(ARMOpcodeXData):
+    """
     xdata format: a:x[2n]xr[n]dh, call   (n arguments)
     -------------------------------------------------
     xprs[0..2n-1]: (arg location expr, arg value expr) * n
@@ -75,8 +73,68 @@ class ARMCallOpcode(ARMOpcode):
     rdefs[0..n-1]: arg location reaching definitions
     uses[0]: lhs
     useshigh[0]: lhs
+    """
+
+    def __init__(
+            self,
+            xdata: InstrXData,
+            ixd: "InterfaceDictionary") -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+        self._ixd = ixd
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def argument_count(self) -> int:
+        argcount = self._xdata.call_target_argument_count()
+        if argcount is None:
+            chklogger.logger.error(
+                "No argument count found for call")
+            return 0
+        return argcount
+
+    @property
+    def arguments(self) -> List["XXpr"]:
+        argcount = self.argument_count
+        arguments: List["XXpr"] = []
+        for i in range(argcount):
+            x = self._xdata.xprs_r[i]
+            if x is None:
+                x = self._xdata.xprs_r[i + argcount]
+                if x is None:
+                    raise UF.CHBError(
+                        "Unexpected None-value call argument at index "
+                        + str(i))
+            arguments.append(x)
+        return arguments
+
+    @property
+    def argumentxvars(self) -> List["XXpr"]:
+        argcount = self.argument_count
+        return [x for x in self._xdata.xprs_r[argcount:2 * argcount]
+                if x is not None]
 
-    or (if call target is not known):
+    @property
+    def calltarget(self) -> "CallTarget":
+        return self._xdata.call_target(self._ixd)
+
+    @property
+    def annotation(self) -> str:
+        tgt = str(self.calltarget)
+        args = ", ".join(str(x) for x in self.arguments)
+        call = "call " + str(tgt) + "(" + args + ")"
+        return self.add_instruction_condition(call)
+
+
+class ARMCallOpcode(ARMOpcode):
+    """Generic call functionality, covers BL and BLX.
+
+    tags[1]: <c>
+    args[0]: index of target operand in armdictionary
+
+    (if call target is not known):
     xdata format: a:xxxxx
     ---------------------
     vars[0]: return value variable
@@ -85,10 +143,7 @@ class ARMCallOpcode(ARMOpcode):
     rdefs[0]: target reaching definition
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
 
     @property
@@ -100,19 +155,10 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(self.args[0])]
 
     def lhs(self, xdata: InstrXData) -> List[XVariable]:
-        if len(xdata.vars) > 0:
-            return [xdata.vars[0]]
-        else:
-            return []
+        return [ARMCallOpcodeXData(xdata, self.ixd).vrd]
 
     def argument_count(self, xdata: InstrXData) -> int:
-        if self.is_call_instruction(xdata):
-            argcount = xdata.call_target_argument_count()
-            if argcount is not None:
-                return argcount
-        chklogger.logger.warning(
-            "Call instruction does not have argument count")
-        return 0
+        return ARMCallOpcodeXData(xdata, self.ixd).argument_count
 
     def has_string_arguments(self, xdata: InstrXData) -> bool:
         return any([x.is_string_reference for x in self.arguments(xdata)])
@@ -125,7 +171,7 @@ def annotated_call_arguments(
         return [x.to_annotated_value() for x in self.arguments(xdata)]
 
     def arguments(self, xdata: InstrXData) -> Sequence[XXpr]:
-        return xdata.xprs[:self.argument_count(xdata)]
+        return ARMCallOpcodeXData(xdata, self.ixd).arguments
 
     def is_call(self, xdata: InstrXData) -> bool:
         return len(xdata.tags) >= 2 and xdata.tags[1] == "call"
@@ -134,13 +180,8 @@ def is_call_instruction(self, xdata: InstrXData) -> bool:
         return xdata.has_call_target()
 
     def annotation(self, xdata: InstrXData) -> str:
-        if self.is_call(xdata) and xdata.has_call_target():
-            tgt = xdata.call_target(self.ixd)
-            args = ", ".join(str(x) for x in self.arguments(xdata))
-            return "call " + str(tgt) + "(" + args + ")"
-
-        ctgt = str(xdata.xprs[0])
-        return "call " + ctgt
+        xd = ARMCallOpcodeXData(xdata, self.ixd)
+        return xd.annotation
 
     def call_target(self, xdata: InstrXData) -> "CallTarget":
         if self.is_call(xdata):
@@ -161,11 +202,13 @@ def ast_call_prov(
             chklogger.logger.info("Inlined call omitted at %s", iaddr)
             return ([], [])
 
+        xd = ARMCallOpcodeXData(xdata, self.ixd)
+
         annotations: List[str] = [iaddr, "BL"]
 
         # low-level call data
 
-        lhs = xdata.vars[0]
+        lhs = xd.vrd
         tgt = self.opargs[0]
 
         if not lhs.is_register_variable:
@@ -179,7 +222,7 @@ def ast_call_prov(
         ll_lhs = astree.mk_register_variable_lval(str(lhsreg))
         (ll_tgt, _, _) = tgt.ast_rvalue(astree)
 
-        xprs = xdata.xprs
+        xprs = xd.arguments
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
@@ -239,7 +282,7 @@ def ast_call_prov(
 
         # argument data
 
-        argcount = self.argument_count(xdata)
+        argcount = xd.argument_count
 
         ll_args: List[AST.ASTExpr] = []
         hl_args: List[AST.ASTExpr] = []
@@ -259,8 +302,8 @@ def ast_call_prov(
                 if len(astargtypes) < argcount:
                     astargtypes += ([None] * (argcount - len(astargtypes)))
 
-            xargs = xdata.xprs[:argcount]
-            xvarargs = xdata.xprs[argcount:(2 * argcount)]
+            xargs = xd.arguments
+            xvarargs = xd.argumentxvars
             if len(rdefs) >= argcount:
                 llrdefs = rdefs[:argcount]
                 # x represents the (invariant-enhanced) argument value.
@@ -271,7 +314,8 @@ def ast_call_prov(
                 #  in bytes (note: not the stackpointer at function entry).
                 # rdef represents the reaching definition for the argument
                 #  location.
-                for (x, xv, rdef, argtype) in zip(xargs, xvarargs, llrdefs, astargtypes):
+                for (x, xv, rdef, argtype) in zip(
+                        xargs, xvarargs, llrdefs, astargtypes):
 
                     # low-level argument
 
@@ -351,20 +395,6 @@ def ast_call_prov(
                             argtype = cast(AST.ASTTypInt, argtype)
                             hl_arg = astree.mk_integer_constant(
                                 x.constant.value, argtype.ikind)
-
-                        elif (
-                                argtype is not None
-                                and (argtype.is_function
-                                     or (argtype.is_pointer
-                                         and cast(
-                                             AST.ASTTypPtr,
-                                             argtype).tgttyp.is_function))):
-                            hexaddr = hex(x.constant.value)
-                            argname = "sub_" + hexaddr[2:]
-                            hl_arg = astree.mk_global_variable_expr(
-                                argname,
-                                vtype=argtype,
-                                globaladdress=x.constant.value)
                         else:
                             hexgaddr = hex(x.constant.value)
                             if hexgaddr in astree.global_addresses:
@@ -377,6 +407,20 @@ def ast_call_prov(
                                     else:
                                         hl_arg = astree.mk_address_of(
                                             astree.mk_vinfo_lval(vinfo))
+                                elif (
+                                        argtype is not None
+                                        and (argtype.is_function
+                                             or (argtype.is_pointer
+                                                 and cast(
+                                                     AST.ASTTypPtr,
+                                                     argtype).tgttyp.is_function))):
+                                    hexaddr = hex(x.constant.value)
+                                    argname = "sub_" + hexaddr[2:]
+                                    hl_arg = astree.mk_global_variable_expr(
+                                        argname,
+                                        vtype=argtype,
+                                        globaladdress=x.constant.value)
+
                                 else:
                                     chklogger.logger.warning(
                                         ("Type of global address %s at instr. "
diff --git a/chb/arm/ARMInstruction.py b/chb/arm/ARMInstruction.py
index 1dc89e18..60806350 100644
--- a/chb/arm/ARMInstruction.py
+++ b/chb/arm/ARMInstruction.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -249,11 +249,7 @@ def has_condition_block_condition(self) -> bool:
         return self.xdata.has_condition_block_condition()
 
     def get_instruction_condition(self) -> XXpr:
-        if self.has_instruction_condition():
-            return self.xdata.xprs[2]
-        else:
-            raise UF.CHBError(
-                "Instruction does not have an instruction condition")
+        return self.xdata.get_instruction_condition()
 
     @property
     def memory_accesses(self) -> Sequence[MemoryAccess]:
@@ -313,17 +309,22 @@ def ast_switch_condition_prov(self, astree: ASTInterface) -> Tuple[
             jumptable = cast(
                 "ARMJumpTable", self.armfunction.get_jumptable(self.iaddr))
             indexop = jumptable.index_operand
-            condition = self.xdata.xprs[1]
-            (ll_cond, _, _) = indexop.ast_rvalue(astree)
-            hl_cond = XU.xxpr_to_ast_def_expr(
-                condition, self.xdata, self.iaddr, astree)
-
-            astree.add_expr_mapping(hl_cond, ll_cond)
-            astree.add_expr_reachingdefs(hl_cond, self.xdata.reachingdefs)
-            astree.add_condition_address(
-                ll_cond, (self.xdata.subsumes() + [self.iaddr]))
-
-            return (hl_cond, ll_cond)
+            condition = self.xdata.xprs_r[1]
+            if condition is not None:
+                (ll_cond, _, _) = indexop.ast_rvalue(astree)
+                hl_cond = XU.xxpr_to_ast_def_expr(
+                    condition, self.xdata, self.iaddr, astree)
+
+                astree.add_expr_mapping(hl_cond, ll_cond)
+                astree.add_expr_reachingdefs(hl_cond, self.xdata.reachingdefs)
+                astree.add_condition_address(
+                    ll_cond, (self.xdata.subsumes() + [self.iaddr]))
+
+                return (hl_cond, ll_cond)
+            else:
+                chklogger.logger.error(
+                    "Error value encountered at address %s", self.iaddr)
+                raise UF.CHBError("Jumptable without condition")
 
         else:
             return self.opcode.ast_switch_condition_prov(
@@ -392,7 +393,7 @@ def rdef_locations(self) -> Dict[str, List[List[str]]]:
     def lhs_types(self) -> Dict[str, "BCTyp"]:
         result: Dict[str, "BCTyp"] = {}
 
-        vars = self.xdata.vars
+        vars = self.xdata.vars_r
         types = self.xdata.types
         if len(vars) == len(types):
             for (v, ty) in zip(vars, types):
diff --git a/chb/arm/ARMOpcode.py b/chb/arm/ARMOpcode.py
index dc683eb3..de93cd1e 100644
--- a/chb/arm/ARMOpcode.py
+++ b/chb/arm/ARMOpcode.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -26,6 +26,8 @@
 # ------------------------------------------------------------------------------
 """ARM opcodes."""
 
+import inspect
+
 from typing import List, Optional, Sequence, Tuple, TYPE_CHECKING
 
 from chb.api.CallTarget import CallTarget
@@ -55,6 +57,8 @@
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
     from chb.simulation.SimulationState import SimulationState
 
 
@@ -101,6 +105,77 @@ def get_extension(e: str) -> str:
         return e
 
 
+class ARMOpcodeXData:
+
+    def __init__(self, xdata: InstrXData) -> None:
+        self._xdata = xdata
+
+    @property
+    def xdata(self) -> InstrXData:
+        return self._xdata
+
+    @property
+    def is_ok(self) -> bool:
+        return self.xdata.is_ok
+
+    def var(self, index: int, name: str) -> "XVariable":
+        if index >= len(self.xdata.vars_r):
+            raise UF.CHBError(
+                self.__class__.__name__ + ":"
+                + name + " index out of bounds: " + str(index))
+        v = self.xdata.vars_r[index]
+        if v is None:
+            raise UF.CHBError(
+                self.__class__.__name__ + ":" + name + " has an error value")
+        return v
+
+    def xpr(self, index: int, name: str) -> "XXpr":
+        if index >= len(self.xdata.xprs_r):
+            raise UF.CHBError(
+                self.__class__.__name__ + ":"
+                + name + " index out of bounds: " + str(index))
+        x = self.xdata.xprs_r[index]
+        if x is None:
+            raise UF.CHBError(
+                self.__class__.__name__ + ":" + name + " has an error value")
+        return x
+
+    def add_instruction_condition(self, s: str) -> str:
+        if self.xdata.has_unknown_instruction_condition():
+            return "if ? then " + s
+        elif self.xdata.has_instruction_condition():
+            c = str(self.xdata.get_instruction_condition())
+            return "if " + c + " then " + s
+        else:
+            return s
+
+    @property
+    def is_writeback(self) -> bool:
+        return self.xdata.has_base_update()
+
+    def get_base_update_var(self) -> "XVariable":
+        if self.is_writeback:
+            return self.xdata.get_base_update_var()
+        else:
+            raise UF.CHBError(
+                self.__class__.__name__ + " does not have writeback")
+
+    def get_base_update_xpr(self) -> "XXpr":
+        if self.is_writeback:
+            return self.xdata.get_base_update_xpr()
+        else:
+            raise UF.CHBError(
+                self.__class__.__name__ + " does not have writeback")
+
+    def writeback_update(self) -> str:
+        if self.xdata.has_base_update():
+            vbu = self.get_base_update_var()
+            xbu = self.get_base_update_xpr()
+            return "; " + str(vbu) + " := " + str(xbu)
+        else:
+            return ""
+
+
 class ARMOpcode(ARMDictionaryRecord):
 
     def __init__(
diff --git a/chb/arm/opcodes/ARMAdd.py b/chb/arm/opcodes/ARMAdd.py
index c707cd4a..92d00e84 100644
--- a/chb/arm/opcodes/ARMAdd.py
+++ b/chb/arm/opcodes/ARMAdd.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -44,8 +44,88 @@
 
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
-    from chb.invariants.XXpr import XprCompound, XprConstant
+    from  chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.VarInvariantFact import ReachingDefFact
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XprCompound, XprConstant, XXpr
+
+
+class ARMAddXData(ARMOpcodeXData):
+    """Add <rd> <rn> <rm>  ==> result
+
+    xdata format: a:vxxxxxxrrdh
+    -------------------------
+    vars[0]: vrd (Rd)
+    xprs[0]: xrn (Rn)
+    xprs[1]: xrm (Rm)
+    xprs[2]: result: xrn + xrm
+    xprs[3]: rresult: xrn + xrm (rewritten)
+    xprs[4]: xxrn (xrn rewritten)
+    xprs[5]: xxrm (xrm rewritten)
+    xprs[6]: tcond (optional)
+    xprs[7]: fcond (optional)
+    rdefs[0]: xrn
+    rdefs[1]: xrm
+    rdefs[2:..]: reaching definitions for simplified result expression
+    uses[0]: vrd
+    useshigh[0]: vrd
+    """
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def jt_xxrn(self) -> "XXpr":
+        """Part of jumptable."""
+        return self.xpr(1, "xxrn")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def xxrn(self) -> "XXpr":
+        return self.xpr(4, "xxrn")
+
+    @property
+    def xxrm(self) -> "XXpr":
+        return self.xpr(5, "xxrm")
+
+    @property
+    def rn_rdef(self) -> Optional["ReachingDefFact"]:
+        return self._xdata.reachingdefs[0]
+
+    @property
+    def rm_rdef(self) -> Optional["ReachingDefFact"]:
+        return self._xdata.reachingdefs[1]
+
+    @property
+    def annotation(self) -> str:
+        if self.xdata.is_aggregate_jumptable:
+            return "jump-table: " + str(self.jt_xxrn)
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ADD", ARMOpcode)
@@ -69,26 +149,9 @@ class ARMAdd(ARMOpcode):
     args[3]: index of op3 in armdictionary
     args[4]: is-wide (thumb)
 
-    xdata format: a:vxxxxrrdh
-    -------------------------
-    vars[0]: lhs (Rd)
-    xprs[0]: rhs1 (Rn)
-    xprs[1]: rhs2 (Rm)
-    xprs[2]: rhs1 + rhs2
-    xprs[3]: rhs1 + rhs2 (simplified)
-    xprs[4]: rhs1 (simplified)
-    xprs[5]: rhs2 (simplified)
-    rdefs[0]: rhs1
-    rdefs[1]: rhs2
-    rdefs[2:..]: reaching definitions for simplified result expression
-    uses[0]: lhs
-    useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "Add")
 
@@ -111,18 +174,11 @@ def mnemonic_extension(self) -> str:
         return wb + cc + wide
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMAddXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error Value"
 
     # --------------------------------------------------------------------------
     # AddWithCarry()
@@ -181,12 +237,17 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs3 = xdata.xprs[3]
-        rrhs1 = xdata.xprs[4]
-        rrhs2 = xdata.xprs[5]
+        xd = ARMAddXData(xdata)
+        if not xdata.is_ok:
+            chklogger.logger.error("Error value encountered at %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
+        rrhs1 = xd.xxrn
+        rrhs2 = xd.xxrm
 
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
@@ -292,8 +353,15 @@ def pointer_arithmetic_expr() -> AST.ASTExpr:
 
             chklogger.logger.error(
                 "Second operand pointer variable not yet supported for %s at "
-                + "address %s",
-                str(rhs3), iaddr)
+                + "address %s; rrhs1: %s; hl_rhs1: %s; hl_rhs2: %s; hl_rhs1_type: %s;"
+                + " hl_rhs2_type: %s",
+                str(rhs3),
+                iaddr,
+                str(rrhs1),
+                str(hl_rhs1),
+                str(hl_rhs2),
+                str(hl_rhs1_type),
+                str(hl_rhs2_type))
             return astree.mk_temp_lval_expression()
 
 
@@ -331,8 +399,14 @@ def pointer_arithmetic_expr() -> AST.ASTExpr:
 
         elif (hl_lhs_type is not None and hl_lhs_type.is_pointer):
             hl_rhs = pointer_arithmetic_expr()
-            if rhs3.is_constant_expression:
-                astree.set_ssa_value(str(hl_lhs), hl_rhs)
+            if str(hl_rhs).startswith("astmem_tmp"):
+                chklogger.logger.error(
+                    "Unable to compute pointer arithmetic expression for %s "
+                    "at address %s",
+                    str(rhs3), iaddr)
+            else:
+                if rhs3.is_constant_expression:
+                    astree.set_ssa_value(str(hl_lhs), hl_rhs)
 
         else:
             hl_rhs = XU.xxpr_to_ast_def_expr(rhs3, xdata, iaddr, astree)
diff --git a/chb/arm/opcodes/ARMAddCarry.py b/chb/arm/opcodes/ARMAddCarry.py
index add0a16a..c6bcc010 100644
--- a/chb/arm/opcodes/ARMAddCarry.py
+++ b/chb/arm/opcodes/ARMAddCarry.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -40,11 +40,49 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMAddCarryXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ADC", ARMOpcode)
@@ -73,10 +111,7 @@ class ARMAddCarry(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "AddCarry")
 
@@ -99,18 +134,11 @@ def mnemonic_extension(self) -> str:
         return wb + cc + wide
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMAddCarryXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -131,6 +159,8 @@ def ast_prov(
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
+        # low-level assignment
+
         (ll_lhs, _, _) = self.operands[0].ast_lvalue(astree)
         (ll_op1, _, _) = self.operands[1].ast_rvalue(astree)
         (ll_op2, _, _) = self.operands[2].ast_rvalue(astree)
@@ -143,27 +173,29 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        lhsasts = XU.xvariable_to_ast_lvals(lhs, xdata, astree)
-        if len(lhsasts) == 0:
-            raise UF.CHBError("Adc: no lval found")
+        rdefs = xdata.reachingdefs
+
+        astree.add_expr_reachingdefs(ll_op1, [rdefs[0]])
+        astree.add_expr_reachingdefs(ll_op2, [rdefs[1]])
 
-        if len(lhsasts) > 1:
-            raise UF.CHBError(
-                "Adc: multiple lvals in ast: "
-                + ", ".join(str(v) for v in lhsasts))
+        # high-level assignment
 
-        hl_lhs = lhsasts[0]
+        xd = ARMAddCarryXData(xdata)
+        if not xdata.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
 
-        rhsasts = XU.xxpr_to_ast_def_exprs(rhs3, xdata, iaddr, astree)
-        if len(rhsasts) == 0:
-            raise UF.CHBError("Adc: no rhs value found")
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
 
-        if len(rhsasts) > 1:
-            raise UF.CHBError(
-                "Multiple rhs values found for Adc: "
-                + ", ".join(str(v) for v in rhsasts))
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
 
-        hl_rhs = rhsasts[0]
+        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhs3, xdata, iaddr, astree)
 
         hl_assign = astree.mk_assign(
             hl_lhs,
@@ -172,14 +204,12 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        astree.add_reg_definition(iaddr, hl_lhs, hl_rhs)
         astree.add_instr_mapping(hl_assign, ll_assign)
         astree.add_instr_address(hl_assign, [iaddr])
         astree.add_expr_mapping(hl_rhs, ll_rhs)
         astree.add_lval_mapping(hl_lhs, ll_lhs)
-        astree.add_expr_reachingdefs(ll_rhs, [rdefs[0], rdefs[1]])
-        astree.add_expr_reachingdefs(ll_op1, [rdefs[0]])
-        astree.add_expr_reachingdefs(ll_op2, [rdefs[1]])
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[2:])
+        astree.add_expr_reachingdefs(ll_rhs, rdefs[:2])
         astree.add_lval_defuses(hl_lhs, defuses[0])
         astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
 
diff --git a/chb/arm/opcodes/ARMAdr.py b/chb/arm/opcodes/ARMAdr.py
index 46d78398..311d151f 100644
--- a/chb/arm/opcodes/ARMAdr.py
+++ b/chb/arm/opcodes/ARMAdr.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,32 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMAdrXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def ximm(self) -> "XXpr":
+        return self.xpr(0, "ximm")
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + str(self.ximm)
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ADR", ARMOpcode)
@@ -65,10 +86,7 @@ class ARMAdr(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "Adr")
 
@@ -81,16 +99,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = str(xdata.xprs[0])
-        assignment = lhs + " := " + result
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMAdrXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -116,8 +129,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[0]
+        xd = ARMAdrXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.ximm
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
diff --git a/chb/arm/opcodes/ARMArithmeticShiftRight.py b/chb/arm/opcodes/ARMArithmeticShiftRight.py
index cb0cf62f..70e5fbcb 100644
--- a/chb/arm/opcodes/ARMArithmeticShiftRight.py
+++ b/chb/arm/opcodes/ARMArithmeticShiftRight.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,49 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMArithmeticShiftRightXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ASR", ARMOpcode)
@@ -74,10 +112,7 @@ class ARMArithmeticShiftRight(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "ArithmeticShiftRight")
 
@@ -100,18 +135,11 @@ def mnemonic_extension(self) -> str:
         return wb + cc + wide
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[1]
-        rresult = xdata.xprs[2]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMArithmeticShiftRightXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -139,10 +167,16 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs3 = xdata.xprs[3]
+        xd = ARMArithmeticShiftRightXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMBitwiseAnd.py b/chb/arm/opcodes/ARMBitwiseAnd.py
index 595b2a12..16b94378 100644
--- a/chb/arm/opcodes/ARMBitwiseAnd.py
+++ b/chb/arm/opcodes/ARMBitwiseAnd.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,50 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseAndXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("AND", ARMOpcode)
@@ -96,18 +135,11 @@ def mnemonic_extension(self) -> str:
         return cc + wide
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseAndXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -140,8 +172,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
+        xd = ARMBitwiseAndXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
 
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMBitwiseBitClear.py b/chb/arm/opcodes/ARMBitwiseBitClear.py
index ee0b5038..027fd80a 100644
--- a/chb/arm/opcodes/ARMBitwiseBitClear.py
+++ b/chb/arm/opcodes/ARMBitwiseBitClear.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,45 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseBitClearXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(1, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(2, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("BIC", ARMOpcode)
@@ -73,10 +107,7 @@ class ARMBitwiseBitClear(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "BitwiseBitClear")
 
@@ -89,18 +120,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1: -1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseBitClearXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -134,8 +158,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
+        xd = ARMBitwiseBitClearXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
@@ -149,11 +179,12 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        astree.add_reg_definition(iaddr, hl_lhs, hl_rhs)
         astree.add_instr_mapping(hl_assign, ll_assign)
         astree.add_instr_address(hl_assign, [iaddr])
         astree.add_expr_mapping(hl_rhs, ll_rhs)
         astree.add_lval_mapping(hl_lhs, ll_lhs)
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[1:])
+        astree.add_expr_reachingdefs(ll_rhs, [rdefs[0]])
         astree.add_lval_defuses(hl_lhs, defuses[0])
         astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
 
diff --git a/chb/arm/opcodes/ARMBitwiseExclusiveOr.py b/chb/arm/opcodes/ARMBitwiseExclusiveOr.py
index b3235cfc..ef0a399e 100644
--- a/chb/arm/opcodes/ARMBitwiseExclusiveOr.py
+++ b/chb/arm/opcodes/ARMBitwiseExclusiveOr.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.util.fileutil as UF
@@ -39,11 +39,49 @@
 from chb.astinterface.ASTInterface import ASTInterface
 
 import chb.invariants.XXprUtil as XU
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseExclusiveOrXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("EOR", ARMOpcode)
@@ -74,10 +112,7 @@ class ARMBitwiseExclusiveOr(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "BitwiseExclusiveOr")
 
@@ -95,18 +130,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1: -1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseExclusiveOrXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -137,8 +165,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
+        xd = ARMBitwiseExclusiveOrXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
diff --git a/chb/arm/opcodes/ARMBitwiseNot.py b/chb/arm/opcodes/ARMBitwiseNot.py
index 2e4a3d0a..01aa3efd 100644
--- a/chb/arm/opcodes/ARMBitwiseNot.py
+++ b/chb/arm/opcodes/ARMBitwiseNot.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,15 +39,50 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseNotXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(1, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(2, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[2], self.xdata.args[3], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("MVN", ARMOpcode)
-class ARMBitwiseBitwiseNot(ARMOpcode):
+class ARMBitwiseNot(ARMOpcode):
     """Bitwise inverse of a register or immediate value.
 
     MVN{S}<c> <Rd>, <Rm> {, <shift>}
@@ -70,10 +105,7 @@ class ARMBitwiseBitwiseNot(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 4, "BitwiseNot")
 
@@ -96,18 +128,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[1]
-        rresult = xdata.xprs[2]
-        xresult = simplify_result(xdata.args[2], xdata.args[1], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseNotXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -134,8 +159,15 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[2]
+        xd = ARMBitwiseNotXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMBitwiseOr.py b/chb/arm/opcodes/ARMBitwiseOr.py
index 32395ab6..d493a08e 100644
--- a/chb/arm/opcodes/ARMBitwiseOr.py
+++ b/chb/arm/opcodes/ARMBitwiseOr.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,49 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseOrXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ORR", ARMOpcode)
@@ -74,10 +112,7 @@ class ARMBitwiseOr(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "BitwiseOr")
 
@@ -100,18 +135,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1:-1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[4])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseOrXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -144,24 +172,17 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs3 = xdata.xprs[3]
+        xd = ARMBitwiseOrXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
 
+        lhs = xd.vrd
+        rhs3 = xd.rresult
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
-        astree.add_expr_reachingdefs(ll_op1, [rdefs[0]])
-        astree.add_expr_reachingdefs(ll_op2, [rdefs[1]])
-
-        ll_assign = astree.mk_assign(
-            ll_lhs,
-            ll_rhs,
-            iaddr=iaddr,
-            bytestring=bytestring,
-            annotations=annotations)
-
         hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
         hl_rhs = XU.xxpr_to_ast_def_expr(rhs3, xdata, iaddr, astree)
 
diff --git a/chb/arm/opcodes/ARMBitwiseOrNot.py b/chb/arm/opcodes/ARMBitwiseOrNot.py
index a24793fb..10cec56c 100644
--- a/chb/arm/opcodes/ARMBitwiseOrNot.py
+++ b/chb/arm/opcodes/ARMBitwiseOrNot.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,54 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBitwiseOrNotXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xrmn(self) -> "XXpr":
+        return self.xpr(2, "xrmn")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(3, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(4, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[4], self.xdata.args[5], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("ORN", ARMOpcode)
@@ -74,10 +117,7 @@ class ARMBitwiseOrNot(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 4, "BitwiseOrNot")
 
@@ -99,18 +139,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[3]
-        rresult = xdata.xprs[4]
-        xresult = simplify_result(xdata.args[4], xdata.args[5], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMBitwiseOrNotXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -122,14 +155,6 @@ def ast_prov(
 
         annotations: List[str] = [iaddr, "ORN"]
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs4 = xdata.xprs[4]
-        rdefs = xdata.reachingdefs
-        defuses = xdata.defuses
-        defuseshigh = xdata.defuseshigh
-
         (ll_lhs, _, _) = self.opargs[0].ast_lvalue(astree)
         (ll_op1, _, _) = self.opargs[1].ast_rvalue(astree)
         (ll_op2, _, _) = self.opargs[2].ast_rvalue(astree)
@@ -143,27 +168,21 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        lhsasts = XU.xvariable_to_ast_lvals(lhs, xdata, astree)
-        if len(lhsasts) == 0:
-            raise UF.CHBError("BitwiseOrNot (ORN): no lval found")
-
-        if len(lhsasts) > 1:
-            raise UF.CHBError(
-                "BitwiseOrNot (ORN): multiple lvals found: "
-                + ", ".join(str(v) for v in lhsasts))
-
-        hl_lhs = lhsasts[0]
+        xd = ARMBitwiseOrNotXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
 
-        rhsasts = XU.xxpr_to_ast_def_exprs(rhs4, xdata, iaddr, astree)
-        if len(rhsasts) == 0:
-            raise UF.CHBError("BitwiseOrNot (ORN): no lval found")
+        lhs = xd.vrd
+        rhs = xd.rresult
 
-        if len(rhsasts) > 1:
-            raise UF.CHBError(
-                "BitwiseOrNot (ORN): multiple rhs values found: "
-                + ", ".join(str(v) for v in rhsasts))
+        rdefs = xdata.reachingdefs
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
 
-        hl_rhs = rhsasts[0]
+        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
 
         hl_assign = astree.mk_assign(
             hl_lhs,
diff --git a/chb/arm/opcodes/ARMBranch.py b/chb/arm/opcodes/ARMBranch.py
index f8a78aac..d218f492 100644
--- a/chb/arm/opcodes/ARMBranch.py
+++ b/chb/arm/opcodes/ARMBranch.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -32,7 +32,7 @@
 
 from chb.arm.ARMCallOpcode import ARMCallOpcode
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 from chb.arm.ARMOperandKind import ARMOperandKind, ARMAbsoluteOp
 
@@ -57,6 +57,47 @@
     from chb.api.CallTarget import CallTarget, AppTarget, StaticStubTarget
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.invariants.VConstantValueVariable import VFunctionReturnValue
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBranchXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def is_unconditional(self) -> bool:
+        return len(self._xdata.xprs_r) == 2
+
+    @property
+    def txpr(self) -> "XXpr":
+        return self.xpr(0, "txpr")
+
+    @property
+    def fxpr(self) -> "XXpr":
+        return self.xpr(1, "fxpr")
+
+    @property
+    def tcond(self) -> "XXpr":
+        return self.xpr(2, "tcond")
+
+    @property
+    def fcond(self) -> "XXpr":
+        return self.xpr(3, "fcond")
+
+    @property
+    def xtgt(self) -> "XXpr":
+        index = 1 if self.is_unconditional else 4
+        return self.xpr(index, "xtgt")
+
+    @property
+    def annotation(self) -> str:
+        if self._xdata.has_branch_conditions():
+            return "if " + str(self.tcond) + " then goto " + str(self.xtgt)
+        elif self.is_unconditional:
+            return "goto " + str(self.xtgt)
+        else:
+            return "?"
 
 
 @armregistry.register_tag("B", ARMOpcode)
@@ -84,10 +125,7 @@ class ARMBranch(ARMCallOpcode):
     xprs[0]: target address (absolute)
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMCallOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "Branch")
 
@@ -111,8 +149,9 @@ def ft_conditions_basic(self, xdata: InstrXData) -> Sequence[XXpr]:
             return []
 
     def ft_conditions(self, xdata: InstrXData) -> Sequence[XXpr]:
+        xd = ARMBranchXData(xdata)
         if xdata.has_branch_conditions():
-            return [xdata.xprs[3], xdata.xprs[2]]
+            return [xd.fcond, xd.tcond]
         else:
             return []
 
@@ -143,16 +182,16 @@ def jump_target(self, xdata: InstrXData) -> Optional["XXpr"]:
             return xdata.xprs[0]
 
     def annotation(self, xdata: InstrXData) -> str:
-        if self.is_call_instruction(xdata):
-            tgt = xdata.call_target(self.ixd)
-            args = ", ".join(str(x) for x in self.arguments(xdata))
-            return "call " + str(tgt) + "(" + args + ")"
-        elif xdata.has_branch_conditions():
-            return "if " + str(xdata.xprs[2]) + " then goto " + str(xdata.xprs[4])
-        elif self.tags[1] in ["a", "unc"]:
-            return "goto " + str(xdata.xprs[0])
+        xd = ARMBranchXData(xdata)
+        if xd.is_ok:
+            if self.is_call_instruction(xdata):
+                tgt = xdata.call_target(self.ixd)
+                args = ", ".join(str(x) for x in self.arguments(xdata))
+                return "call " + str(tgt) + "(" + args + ")"
+            else:
+                return xd.annotation
         else:
-            return "if ? goto " + str(xdata.xprs[0])
+            return "Error value"
 
     def target_expr_ast(
             self,
diff --git a/chb/arm/opcodes/ARMBranchExchange.py b/chb/arm/opcodes/ARMBranchExchange.py
index 830b4686..5149ede4 100644
--- a/chb/arm/opcodes/ARMBranchExchange.py
+++ b/chb/arm/opcodes/ARMBranchExchange.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -31,7 +31,7 @@
 
 from chb.arm.ARMCallOpcode import ARMCallOpcode
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -42,12 +42,47 @@
 
 import chb.util.fileutil as UF
 from chb.util.loggingutil import chklogger
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.api.CallTarget import CallTarget, AppTarget, StaticStubTarget
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMBranchExchangeXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xtgt(self) -> "XXpr":
+        return self.xpr(0, "xtgt")
+
+    @property
+    def xxtgt(self) -> "XXpr":
+        return self.xpr(1, "xxtgt")
+
+    def has_return_xpr(self) -> bool:
+        return self.xdata.has_return_xpr()
+
+    def returnval(self) -> "XXpr":
+        return self.xdata.get_return_xpr()
+
+    def rreturnval(self) -> "XXpr":
+        return self.xdata.get_return_xxpr()
+
+    @property
+    def annotation(self) -> str:
+        if self.xdata.is_bx_call:
+            return "bx-call"
+        if self.has_return_xpr():
+            return "return " + str(self.rreturnval())
+        else:
+            return "Not supported yet"
 
 
 @armregistry.register_tag("BX", ARMOpcode)
@@ -58,10 +93,7 @@ class ARMBranchExchange(ARMCallOpcode):
     args[0]: index of target operand in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 1, "BranchExchange")
 
@@ -83,8 +115,9 @@ def is_return_instruction(self, xdata: InstrXData) -> bool:
             return False
 
     def return_value(self, xdata: InstrXData) -> Optional[XXpr]:
-        if self.is_return_instruction(xdata):
-            return xdata.xprs[1]
+        xd = ARMBranchExchangeXData(xdata)
+        if xd.has_return_xpr():
+            return xd.rreturnval()
         else:
             return None
 
@@ -92,7 +125,8 @@ def is_call(self, xdata: InstrXData) -> bool:
         return len(xdata.tags) >= 2 and xdata.tags[1] == "call"
 
     def is_call_instruction(self, xdata: InstrXData) -> bool:
-        return xdata.has_call_target()
+        # return xdata.has_call_target()
+        return False
 
     def call_target(self, xdata: InstrXData) -> "CallTarget":
         if self.is_call_instruction(xdata):
@@ -124,11 +158,13 @@ def annotation(self, xdata: InstrXData) -> str:
             args = ", ".join(str(x) for x in self.arguments(xdata))
             return "call " + str(tgt) + "(" + args + ")"
 
-        tgtop = str(xdata.xprs[0])
-        if tgtop == "LR":
-            return "return"
+        xd = ARMBranchExchangeXData(xdata)
+        if xd.has_return_xpr and xd.is_ok:
+            return xd.annotation
+        elif xd.is_ok:
+            return "goto " + str(xd.xxtgt)
         else:
-            return "goto " + tgtop
+            return "Error value"
 
     def assembly_ast(
             self,
diff --git a/chb/arm/opcodes/ARMBranchLink.py b/chb/arm/opcodes/ARMBranchLink.py
index cc9c80df..435ed547 100644
--- a/chb/arm/opcodes/ARMBranchLink.py
+++ b/chb/arm/opcodes/ARMBranchLink.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
diff --git a/chb/arm/opcodes/ARMCompare.py b/chb/arm/opcodes/ARMCompare.py
index c384f1e8..eb1be2da 100644
--- a/chb/arm/opcodes/ARMCompare.py
+++ b/chb/arm/opcodes/ARMCompare.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,16 +39,52 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMCompareXData(ARMOpcodeXData):
+    """
+    xdata format: a:xxxrr
+    ---------------------
+    xprs[0]: xrn
+    xprs[1]: xrm
+    xprs[2]: xrn - xrm (simplified)
+    rdefs[0]: rn
+    rdefs[1]: rm
+    rdefs[2..]: xrn - xrm (simplified)
+    """
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def annotation(self) -> str:
+        ann = "compare " + str(self.xrn) + " and " + str(self.xrm)
+        ann += " (" + str(self.result) + ")"
+        return self.add_instruction_condition(ann)
 
 
 @armregistry.register_tag("CMP", ARMOpcode)
 class ARMCompare(ARMOpcode):
-    """Subtracts a register or immediate value from a register value and sets flags.
+    """Subtracts a register or imm. value from a register value and sets flags.
 
     CMP<c> <Rn>, #<imm8>
     CMP<c>.W <Rn>, #<const>
@@ -61,21 +97,9 @@ class ARMCompare(ARMOpcode):
     args[0]: index of rn in armdictionary
     args[1]: index of rm in armdictionary
     args[2]: is-wide (thumb)
-
-    xdata format: a:xxxrr
-    ---------------------
-    xprs[0]: xrn
-    xprs[1]: xrm
-    xprs[2]: xrn - xrm (simplified)
-    rdefs[0]: rn
-    rdefs[1]: rm
-    rdefs[2..]: xrn - xrm (simplified)
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 3, "Compare")
 
@@ -93,17 +117,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[:-1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        rhs1 = str(xdata.xprs[0])
-        rhs2 = str(xdata.xprs[1])
-        result = str(xdata.xprs[2])
-        ann = "compare " + str(rhs1) + " and " + str(rhs2) + " (" + result + ")"
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + ann
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + ann
+        xd = ARMCompareXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return ann
+            return "Error value"
 
     def ast_prov(
             self,
@@ -131,7 +149,13 @@ def ast_prov(
 
         # high-level assignment
 
-        rhs = xdata.xprs[2]
+        xd = ARMCompareXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Error value encountered at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.result
         rdefs = xdata.reachingdefs
 
         hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
diff --git a/chb/arm/opcodes/ARMCompareBranchNonzero.py b/chb/arm/opcodes/ARMCompareBranchNonzero.py
index 73abaf3f..5e678f60 100644
--- a/chb/arm/opcodes/ARMCompareBranchNonzero.py
+++ b/chb/arm/opcodes/ARMCompareBranchNonzero.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -48,10 +48,46 @@
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMCompareBranchNonZeroXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def txpr(self) -> "XXpr":
+        return self.xpr(1, "txpr")
+
+    @property
+    def fxpr(self) -> "XXpr":
+        return self.xpr(2, "fxpr")
+
+    @property
+    def tcond(self) -> "XXpr":
+        return self.xpr(3, "tcond")
+
+    @property
+    def fcond(self) -> "XXpr":
+        return self.xpr(4, "fcond")
+
+    @property
+    def xtgt(self) -> "XXpr":
+        return self.xpr(5, "xtgt")
+
+    @property
+    def annotation(self) -> str:
+        return "if " + str(self.tcond) + " goto " + str(self.xtgt)
+
 
 
 @armregistry.register_tag("CBNZ", ARMOpcode)
-class ARMCompareBranchZero(ARMOpcode):
+class ARMCompareBranchNonZero(ARMOpcode):
     """Compares the value in a register with zero and conditionally branches forward.
 
     CBNZ <Rn>, <label>
@@ -69,10 +105,7 @@ class ARMCompareBranchZero(ARMOpcode):
     xprs[5]: target
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(1, 2, "CompareBranchNonzero")
 
@@ -86,14 +119,21 @@ def opargs(self) -> List[ARMOperand]:
 
     def ft_conditions(self, xdata: InstrXData) -> Sequence[XXpr]:
         if xdata.has_branch_conditions():
-            return [xdata.xprs[4], xdata.xprs[3]]
+            xd = ARMCompareBranchNonZeroXData(xdata)
+            if xd.is_ok:
+                return [xd.fcond, xd.tcond]
+            else:
+                chklogger.logger.warning("CBNZ: Encountered error condition")
+                return []
         else:
             return []
 
     def annotation(self, xdata: InstrXData) -> str:
-        xpr = str(xdata.xprs[3])
-        tgt = str(xdata.xprs[5])
-        return "if " + xpr + " != 0 goto " + tgt
+        xd = ARMCompareBranchNonZeroXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
diff --git a/chb/arm/opcodes/ARMCompareBranchZero.py b/chb/arm/opcodes/ARMCompareBranchZero.py
index fc555b4e..b8bbc268 100644
--- a/chb/arm/opcodes/ARMCompareBranchZero.py
+++ b/chb/arm/opcodes/ARMCompareBranchZero.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -46,6 +46,41 @@
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMCompareBranchZeroXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def txpr(self) -> "XXpr":
+        return self.xpr(1, "txpr")
+
+    @property
+    def fxpr(self) -> "XXpr":
+        return self.xpr(2, "fxpr")
+
+    @property
+    def tcond(self) -> "XXpr":
+        return self.xpr(3, "tcond")
+
+    @property
+    def fcond(self) -> "XXpr":
+        return self.xpr(4, "fcond")
+
+    @property
+    def xtgt(self) -> "XXpr":
+        return self.xpr(5, "xtgt")
+
+    @property
+    def annotation(self) -> str:
+        return "if " + str(self.tcond) + " goto " + str(self.xtgt)
 
 
 @armregistry.register_tag("CBZ", ARMOpcode)
@@ -67,10 +102,7 @@ class ARMCompareBranchZero(ARMOpcode):
     xprs[5]: target
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(1, 2, "CompareBranchZero")
 
@@ -84,14 +116,21 @@ def opargs(self) -> List[ARMOperand]:
 
     def ft_conditions(self, xdata: InstrXData) -> Sequence[XXpr]:
         if xdata.has_branch_conditions():
-            return [xdata.xprs[4], xdata.xprs[3]]
+            xd = ARMCompareBranchZeroXData(xdata)
+            if xd.is_ok:
+                return [xd.fcond, xd.tcond]
+            else:
+                chklogger.logger.warning("CBZ: Encountered error condition")
+                return []
         else:
             return []
 
     def annotation(self, xdata: InstrXData) -> str:
-        xpr = str(xdata.xprs[3])
-        tgt = str(xdata.xprs[5])
-        return "if " + xpr + " goto " + tgt
+        xd = ARMCompareBranchZeroXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
diff --git a/chb/arm/opcodes/ARMCompareNegative.py b/chb/arm/opcodes/ARMCompareNegative.py
index 04843eff..cbd424ac 100644
--- a/chb/arm/opcodes/ARMCompareNegative.py
+++ b/chb/arm/opcodes/ARMCompareNegative.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,38 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMCompareNegativeXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def annotation(self) -> str:
+        ann = "compare-negative " + str(self.xrn) + " and " + str(self.xrm)
+        ann += " (" + str(self.result) + ")"
+        return self.add_instruction_condition(ann)
 
 
 @armregistry.register_tag("CMN", ARMOpcode)
@@ -65,10 +92,7 @@ class ARMCompareNegative(ARMOpcode):
     rdefs[1]: xrm
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "CompareNegative")
 
@@ -81,23 +105,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args]
 
     def annotation(self, xdata: InstrXData) -> str:
-        rhs1 = str(xdata.xprs[0])
-        rhs2 = str(xdata.xprs[1])
-        result = str(xdata.xprs[2])
-        ann = (
-            "compare-negative "
-            + str(rhs1)
-            + " and "
-            + str(rhs2)
-            + " ("
-            + str(result))
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + ann
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + ann
+        xd = ARMCompareNegativeXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return ann
+            return "Error value"
 
     def ast_prov(
             self,
@@ -124,7 +136,13 @@ def ast_prov(
 
         # high-level assignment
 
-        rhs = xdata.xprs[2]
+        xd = ARMCompareNegativeXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.result
         rdefs = xdata.reachingdefs
 
         hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
diff --git a/chb/arm/opcodes/ARMLoadMultipleIncrementAfter.py b/chb/arm/opcodes/ARMLoadMultipleIncrementAfter.py
index 9a93f380..2ccaaca7 100644
--- a/chb/arm/opcodes/ARMLoadMultipleIncrementAfter.py
+++ b/chb/arm/opcodes/ARMLoadMultipleIncrementAfter.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,51 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadMultipleIncrementAfterXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def regcount(self) -> int:
+        return len(self.xdata.vars_r) - 1
+
+    @property
+    def baselhs(self) -> "XVariable":
+        return self.var(0, "baselhs")
+
+    @property
+    def lhsvars(self) -> List["XVariable"]:
+        return [self.var(i, "lhsvar") for i in range(1, self.regcount + 1)]
+
+    @property
+    def baserhs(self) -> "XXpr":
+        return self.xpr(0, "baserhs")
+
+    @property
+    def rhsexprs(self) -> List["XXpr"]:
+        return [self.xpr(i, "rhsexpr") for i in range(1, self.regcount + 1)]
+
+    @property
+    def xaddrs(self) -> List["XXpr"]:
+        return [self.xpr(i, "xaddr")
+                for i in range(self.regcount + 1, (2 * self.regcount) + 3)]
+
+    @property
+    def annotation(self) -> str:
+        pairs = zip(self.lhsvars, self.rhsexprs)
+        assigns = "; ".join(str(v) + " := " + str(x) for (x, v) in pairs)
+        wbu = self.writeback_update()
+        return self.add_instruction_condition(assigns + wbu)
 
 
 @armregistry.register_tag("LDM", ARMOpcode)
@@ -74,10 +114,7 @@ class ARMLoadMultipleIncrementAfter(ARMOpcode):
     useshigh[1..n]: register lhss
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 4, "LoadMultipleIncrementAfter")
 
@@ -105,14 +142,11 @@ def is_load_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def annotation(self, xdata: InstrXData) -> str:
-        wb = ""
-        if self.writeback:
-            wb = "; " + str(xdata.vars[0]) + " := " + str(xdata.xprs[2])
-        return (
-            "; ".join(str(v)
-                      + " := "
-                      + str(x) for (v, x) in zip(xdata.vars[1:], xdata.xprs[3:]))
-            + wb)
+        xd = ARMLoadMultipleIncrementAfterXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     # -------------------------------------------------------------------------
     # address = R[n];
@@ -133,13 +167,17 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        regcount = len(xdata.reachingdefs) - 1
-        baselhs = xdata.vars[0]
-        reglhss = xdata.vars[1:]
-        baserhs = xdata.xprs[0]
-        baseresult = xdata.xprs[1]
-        baseresultr = xdata.xprs[2]
-        memrhss = xdata.xprs[3:3 + regcount]
+        xd = ARMLoadMultipleIncrementAfterXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Error value encountered at address %s", iaddr)
+            return ([], [])
+
+        baselhs = xd.baselhs
+        lhsvars = xd.lhsvars
+        baserhs = xd.baserhs
+        rhsexprs = xd.rhsexprs
+
         baserdef = xdata.reachingdefs[0]
         memrdefs = xdata.reachingdefs[1:]
         baseuses = xdata.defuses[0]
@@ -178,8 +216,8 @@ def ast_prov(
 
             # high-level assignments
 
-            lhs = reglhss[i]
-            rhs = memrhss[i]
+            lhs = lhsvars[i]
+            rhs = rhsexprs[i]
             hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
             hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
             hl_assign = astree.mk_assign(
@@ -204,7 +242,7 @@ def ast_prov(
 
             # low-level base assignment
 
-            baseincr = 4 * regcount
+            baseincr = 4 * xd.regcount
             baseincr_c = astree.mk_integer_constant(baseincr)
 
             ll_base_lhs = baselval
@@ -219,9 +257,10 @@ def ast_prov(
 
             # high-level base assignment
 
+            baseresult = xd.get_base_update_xpr()
             hl_base_lhs = XU.xvariable_to_ast_lval(baselhs, xdata, iaddr, astree)
             hl_base_rhs = XU.xxpr_to_ast_def_expr(
-                baseresultr, xdata, iaddr, astree)
+                baseresult, xdata, iaddr, astree)
             hl_base_assign = astree.mk_assign(
                 hl_base_lhs,
                 hl_base_rhs,
diff --git a/chb/arm/opcodes/ARMLoadRegister.py b/chb/arm/opcodes/ARMLoadRegister.py
index f2f853cf..4ebe741e 100644
--- a/chb/arm/opcodes/ARMLoadRegister.py
+++ b/chb/arm/opcodes/ARMLoadRegister.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -48,6 +48,62 @@
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMOperandKind import ARMOffsetAddressOp
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadRegisterXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(1, "vmem")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_xrmem_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vrt) + " := " + str(self.xrmem)
+        elif self.is_xrmem_unknown and self.is_address_known:
+            assignment = str(self.vrt) + " := *(" + str(self.xaddr) + ")"
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment) + wbu
+
 
 @armregistry.register_tag("LDR", ARMOpcode)
 class ARMLoadRegister(ARMOpcode):
@@ -88,10 +144,7 @@ class ARMLoadRegister(ARMOpcode):
     useshigh[1]: use of updated base register
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "LoadRegister")
 
@@ -120,30 +173,7 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
     def annotation(self, xdata: InstrXData) -> str:
         """lhs, rhs, with optional instr condition and base update."""
 
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-
-        xctr = 5
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        vctr = 2
-        if xdata.has_base_update():
-            blhs = str(xdata.vars[vctr])
-            brhs = str(xdata.xprs[xctr])
-            pbupd = "; " + blhs + " := " + brhs
-        else:
-            pbupd = ""
-
-        if rhs == "??":
-            return pcond + lhs + " := *(" + str(xdata.xprs[4]) + ")"
-
-        return pcond + lhs + " := " + rhs + pbupd
+        return ARMLoadRegisterXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -153,7 +183,9 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        memaddr = xdata.xprs[4]
+        xd = ARMLoadRegisterXData(xdata)
+
+        memaddr = xd.xaddr
 
         annotations: List[str] = [iaddr, "LDR", "addr: " + str(memaddr)]
 
@@ -173,15 +205,40 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        xaddr = xdata.xprs[4]
+        lhs = xd.vrt
+
+        if xd.is_ok:
+            rhs = xd.xrmem
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
+            hl_rhs = XU.xxpr_to_ast_def_expr(
+                rhs, xdata, iaddr, astree, memaddr=xaddr)
+
+        elif xd.is_xrmem_unknown and xd.is_address_known:
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+            hl_rhs = XU.xmemory_dereference_lval_expr(
+                xaddr, xdata, iaddr, astree)
+
+        else:
+            chklogger.logger.error(
+                "LDR: both memory value and address values are error values "
+                + "at address %s: ", iaddr)
+            return ([], [])
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
-        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
-        hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree, memaddr=xaddr)
+        def has_cast() -> bool:
+            return (
+                astree.has_register_variable_intro(iaddr)
+                and astree.get_register_variable_intro(iaddr).has_cast())
+
+        if has_cast():
+            lhstype = hl_lhs.ctype(astree.ctyper)
+            if lhstype is not None:
+                hl_rhs = astree.mk_cast_expr(lhstype, hl_rhs)
 
         hl_assign = astree.mk_assign(
             hl_lhs,
@@ -190,6 +247,9 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
+        if has_cast():
+            astree.add_expose_instruction(hl_assign.instrid)
+
         astree.add_instr_mapping(hl_assign, ll_assign)
         astree.add_instr_address(hl_assign, [iaddr])
         astree.add_expr_mapping(hl_rhs, ll_rhs)
@@ -211,8 +271,8 @@ def ast_prov(
                 annotations=annotations)
             ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
 
-            basereg = xdata.vars[2]
-            newaddr = xdata.xprs[5]
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
             hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
 
             hl_addr_lhs_type = hl_addr_lhs.ctype(astree.ctyper)
@@ -269,6 +329,10 @@ def ast_prov(
             astree.add_lval_defuses(ll_addr_lhs, defuses[1])
             astree.add_lval_defuses_high(ll_addr_lhs, defuseshigh[1])
         else:
+            if astree.has_register_variable_intro(iaddr):
+                rvintro = astree.get_register_variable_intro(iaddr)
+                if rvintro.has_cast():
+                    astree.add_expose_instruction(hl_assign.instrid)
             ll_assigns = [ll_assign]
             hl_assigns = [hl_assign]
 
diff --git a/chb/arm/opcodes/ARMLoadRegisterByte.py b/chb/arm/opcodes/ARMLoadRegisterByte.py
index faea996b..e383c8a4 100644
--- a/chb/arm/opcodes/ARMLoadRegisterByte.py
+++ b/chb/arm/opcodes/ARMLoadRegisterByte.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -41,14 +41,68 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMOperandKind import ARMOffsetAddressOp
-    from chb.invariants.XXpr import XprCompound
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr, XprCompound
+
+
+class ARMLoadRegisterByteXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
 
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(1, "vmem")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def is_xrmem_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vrt) + " := " + str(self.xrmem)
+        elif self.is_xrmem_unknown and self.is_address_known:
+            assignment = str(self.vrt) + " := *(" + str(self.xaddr) + ")"
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment) + wbu
 
 
 @armregistry.register_tag("LDRB", ARMOpcode)
@@ -122,27 +176,7 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
     def annotation(self, xdata: InstrXData) -> str:
         """lhs, rhs, with optional instr condition and base update."""
 
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-
-        xctr = 4
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        vctr = 2
-        if xdata.has_base_update():
-            blhs = str(xdata.vars[vctr])
-            brhs = str(xdata.xprs[xctr])
-            pbupd = "; " + blhs + " := " + brhs
-        else:
-            pbupd = ""
-
-        return pcond + lhs + " := " + rhs + pbupd
+        return ARMLoadRegisterByteXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -152,7 +186,9 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        memaddr = xdata.xprs[4]
+        xd = ARMLoadRegisterByteXData(xdata)
+
+        memaddr = xd.xaddr
 
         annotations: List[str] = [iaddr, "LDRB", "addr:" + str(memaddr)]
 
@@ -172,16 +208,36 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        xaddr = xdata.xprs[4]
+        lhs = xd.vrt
+
+        if xd.is_ok:
+            rhs = xd.xrmem
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
+            hl_rhs = XU.xxpr_to_ast_def_expr(
+                rhs, xdata, iaddr, astree, size=1, memaddr=xaddr)
+
+        elif xd.is_xrmem_unknown and xd.is_address_known:
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+            hl_rhs = XU.xmemory_dereference_lval_expr(
+                xaddr, xdata, iaddr, astree, size=1)
+
+        else:
+            chklogger.logger.error(
+                "LDRB: both memory value and address values are error values "
+                + "at address %s: ", iaddr)
+            return ([], [])
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
+        '''
         hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
         hl_rhs = XU.xxpr_to_ast_def_expr(
             rhs, xdata, iaddr, astree, size=1, memaddr=xaddr)
+        '''
 
         hl_assign = astree.mk_assign(
             hl_lhs,
@@ -226,6 +282,8 @@ def ast_prov(
                 annotations=annotations)
             hl_assigns: List[AST.ASTInstruction] = [hl_assign, hl_addr_assign]
 
+            # TODO: add writeback update
+
             astree.add_instr_mapping(hl_addr_assign, ll_addr_assign)
             astree.add_instr_address(hl_addr_assign, [iaddr])
             astree.add_expr_mapping(hl_addr_rhs, ll_addr_rhs)
diff --git a/chb/arm/opcodes/ARMLoadRegisterDual.py b/chb/arm/opcodes/ARMLoadRegisterDual.py
index 9bd348b5..55a1224f 100644
--- a/chb/arm/opcodes/ARMLoadRegisterDual.py
+++ b/chb/arm/opcodes/ARMLoadRegisterDual.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -31,7 +31,7 @@
 from chb.app.MemoryAccess import MemoryAccess, RegisterRestore
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -41,16 +41,80 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMRegister import ARMRegister
     from chb.invariants.VAssemblyVariable import (
         VAuxiliaryVariable, VRegisterVariable)
-
     from chb.invariants.VConstantValueVariable import VInitialRegisterValue
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadRegisterDualXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vrt2(self) -> "XVariable":
+        return self.var(1, "vrt2")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(2, "vmem")
+
+    @property
+    def vmem2(self) -> "XVariable":
+        return self.var(3, "vmem2")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def xmem2(self) -> "XXpr":
+        return self.xpr(4, "xmem2")
+
+    @property
+    def xrmem2(self) -> "XXpr":
+        return self.xpr(5, "xrmem2")
+
+    @property
+    def xaddr1(self) -> "XXpr":
+        return self.xpr(6, "xaddr1")
+
+    @property
+    def xaddr2(self) -> "XXpr":
+        return self.xpr(7, "xaddr2")
+
+    @property
+    def annotation(self) -> str:
+        assignment = (
+            str(self.vrt) + " := " + str(self.xrmem) + "; "
+            + str(self.vrt2) + " := " + str(self.xrmem2) )
+        wbu = self.writeback_update()
+        return self.add_instruction_condition(assignment + wbu)
 
 
 @armregistry.register_tag("LDRD", ARMOpcode)
@@ -108,32 +172,36 @@ def opargs(self) -> List[ARMOperand]:
 
     def memory_accesses(self, xdata: InstrXData) -> Sequence[MemoryAccess]:
         restores = self.register_restores(xdata)
+        xd = ARMLoadRegisterDualXData(xdata)
         if len(restores) == 2:
             return [
-                RegisterRestore(xdata.xprs[6], restores[0]),
-                RegisterRestore(xdata.xprs[7], restores[1])]
+                RegisterRestore(xd.xaddr1, restores[0]),
+                RegisterRestore(xd.xaddr2, restores[1])]
         else:
             return [
-                MemoryAccess(xdata.xprs[6], "R", size=4),
-                MemoryAccess(xdata.xprs[7], "R", size=4)]
+                MemoryAccess(xd.xaddr1, "R", size=4),
+                MemoryAccess(xd.xaddr2, "R", size=4)]
 
     def register_restores(self, xdata: InstrXData) -> List[str]:
         result: List[str] = []
+        xd = ARMLoadRegisterDualXData(xdata)
         if (self.operands[0].is_register):
             r1 = cast(
                 "ARMRegister",
-                cast("VRegisterVariable", xdata.vars[0].denotation).register)
+                cast("VRegisterVariable", xd.vrt.denotation).register)
             if r1.is_arm_callee_saved_register:
-                rhs1 = xdata.xprs[3]
+                # rhs1 = xdata.xprs[3]
+                rhs1 = xd.xrmem
                 if rhs1.is_initial_register_value:
                     rr1 = rhs1.initial_register_value_register()
                     if str(rr1) == str(r1):
                         result.append(str(rr1))
             r2 = cast(
                 "ARMRegister",
-                cast("VRegisterVariable", xdata.vars[1].denotation).register)
+                cast("VRegisterVariable", xd.vrt2.denotation).register)
             if r2.is_arm_callee_saved_register:
-                rhs2 = xdata.xprs[5]
+                # rhs2 = xdata.xprs[5]
+                rhs2 = xd.xrmem2
                 if rhs2.is_initial_register_value:
                     rr2 = rhs2.initial_register_value_register()
                     if str(rr2) == str(r2):
@@ -147,12 +215,11 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
         return [xdata.xprs[1], xdata.xprs[3]]
 
     def annotation(self, xdata: InstrXData) -> str:
-
-        lhs1 = str(xdata.vars[0])
-        lhs2 = str(xdata.vars[1])
-        rhs = str(xdata.xprs[3])
-        rhs2 = str(xdata.xprs[5])
-        return lhs1 + " := " + rhs + "; " + lhs2 + " := " + rhs2
+        xd = ARMLoadRegisterDualXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
@@ -162,7 +229,8 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        memaddr = xdata.xprs[6]
+        xd = ARMLoadRegisterDualXData(xdata)
+        memaddr = xd.xaddr1
 
         annotations: List[str] = [iaddr, "LDRD", "addr: " + str(memaddr)]
 
@@ -190,10 +258,16 @@ def ast_prov(
 
         # high-level assignments
 
-        lhs1 = xdata.vars[0]
-        lhs2 = xdata.vars[1]
-        rhs1 = xdata.xprs[3]
-        rhs2 = xdata.xprs[5]
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs1 = xd.vrt
+        lhs2 = xd.vrt2
+        rhs1 = xd.xrmem
+        rhs2 = xd.xrmem2
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMLoadRegisterHalfword.py b/chb/arm/opcodes/ARMLoadRegisterHalfword.py
index f4e719b1..71a0fbc1 100644
--- a/chb/arm/opcodes/ARMLoadRegisterHalfword.py
+++ b/chb/arm/opcodes/ARMLoadRegisterHalfword.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -41,12 +41,59 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMOperandKind import ARMOffsetAddressOp
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadRegisterHalfwordXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(1, "vmem")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_xrmem_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vrt) + " := " + str(self.xrmem)
+        elif self.is_xrmem_unknown and self.is_address_known:
+            assignment = str(self.vrt) + " := *(" + str(self.xaddr) + ")"
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment) + wbu
 
 
 @armregistry.register_tag("LDRH", ARMOpcode)
@@ -85,10 +132,7 @@ class ARMLoadRegisterHalfword(ARMOpcode):
     xprs[.]: new address for base register
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
 
     def mnemonic_extension(self) -> str:
@@ -114,27 +158,7 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
         return [xdata.xprs[1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-
-        xctr = 4
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        vctr = 2
-        if xdata.has_base_update():
-            blhs = str(xdata.vars[vctr])
-            brhs = str(xdata.xprs[xctr])
-            pbupd = "; " + blhs + " := " + brhs
-        else:
-            pbupd = ""
-
-        return pcond + lhs + " := " + rhs + pbupd
+        return ARMLoadRegisterHalfwordXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -144,7 +168,8 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        memaddr = xdata.xprs[4]
+        xd = ARMLoadRegisterHalfwordXData(xdata)
+        memaddr = xd.xaddr
 
         annotations: List[str] = [iaddr, "LDRH", "addr:" + str(memaddr)]
 
@@ -164,20 +189,31 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
+        if xd.is_ok:
+            lhs = xd.vrt
+            rhs = xd.xrmem
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
+            hl_rhs = XU.xxpr_to_ast_def_expr(
+                rhs, xdata, iaddr, astree, memaddr=xaddr, size=2)
+
+        elif xd.is_xrmem_unknown and xd.is_address_known:
+            xaddr = xd.xaddr
+            lhs = xd.vrt
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+            hl_rhs = XU.xmemory_dereference_lval_expr(
+                xaddr, xdata, iaddr, astree, size=2)
+
+        else:
+            chklogger.logger.error(
+                "LDRH: both memory value and address values are error values "
+                + "at address %s: ", iaddr)
+            return ([], [])
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
-        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
-
-        if rhs.is_tmp_variable or rhs.has_unknown_memory_base():
-            hl_rhs = XU.xmemory_dereference_to_ast_def_expr(
-                memaddr, xdata, iaddr, astree)
-        else:
-            hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree, size=2)
-
         hl_assign = astree.mk_assign(
             hl_lhs,
             hl_rhs,
@@ -208,8 +244,8 @@ def ast_prov(
                 annotations=annotations)
             ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
 
-            basereg = xdata.vars[1]
-            newaddr = xdata.xprs[4]
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
             hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
             hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
 
diff --git a/chb/arm/opcodes/ARMLoadRegisterSignedByte.py b/chb/arm/opcodes/ARMLoadRegisterSignedByte.py
index 8d1908b8..5e2939cf 100644
--- a/chb/arm/opcodes/ARMLoadRegisterSignedByte.py
+++ b/chb/arm/opcodes/ARMLoadRegisterSignedByte.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,22 +25,83 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import cast, List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+from chb.invariants.XVariable import XVariable
 from chb.invariants.XXpr import XXpr
+import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.arm.ARMOperandKind import ARMOffsetAddressOp
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadRegisterSignedByteXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(1, "vmem")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def is_xrmem_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vrt) + " := " + str(self.xrmem)
+        elif self.is_xrmem_unknown and self.is_address_known:
+            assignment = str(self.vrt) + " := *(" + str(self.xaddr) + ")"
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment) + wbu
 
 
 @armregistry.register_tag("LDRSB", ARMOpcode)
@@ -57,10 +118,7 @@ class ARMLoadRegisterSignedByte(ARMOpcode):
     args[4]: is-wide (thumb)
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "LoadRegisterSignedByte")
 
@@ -75,13 +133,121 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
         return [xdata.xprs[1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxx .
-
-        vars[0]: lhs
-        xprs[0]: value in memory location
-        xprs[1]: value in memory location (simplified)
-        """
+        return ARMLoadRegisterSignedByteXData(xdata).annotation
 
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[1])
-        return lhs + " := " + rhs
+    def ast_prov(
+            self,
+            astree: ASTInterface,
+            iaddr: str,
+            bytestring: str,
+            xdata: InstrXData) -> Tuple[
+                List[AST.ASTInstruction], List[AST.ASTInstruction]]:
+
+        xd = ARMLoadRegisterSignedByteXData(xdata)
+
+        memaddr = xd.xaddr
+
+        annotations: List[str] = [iaddr, "LDRSB", "addr:" + str(memaddr)]
+
+        # low-level assignment
+
+        (ll_rhs, ll_pre, ll_post) = self.opargs[3].ast_rvalue(astree)
+        (ll_op1, _, _) = self.opargs[1].ast_rvalue(astree)
+        (ll_op2, _, _) = self.opargs[2].ast_rvalue(astree)
+        (ll_lhs, _, _) = self.opargs[0].ast_lvalue(astree)
+
+        ll_assign = astree.mk_assign(
+            ll_lhs,
+            ll_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        # high-level assignment
+
+        lhs = xd.vrt
+
+        if xd.is_ok:
+            rhs = xd.xrmem
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
+            hl_rhs = XU.xxpr_to_ast_def_expr(
+                rhs, xdata, iaddr, astree, size=1, memaddr=xaddr)
+
+        elif xd.is_xrmem_unknown and xd.is_address_known:
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+            hl_rhs = XU.xmemory_dereference_lval_expr(
+                xaddr, xdata, iaddr, astree, size=1)
+
+        else:
+            chklogger.logger.error(
+                "LDRSB: both memory value and address values are error values "
+                + "at address %s: ", iaddr)
+            return ([], [])
+
+        rdefs = xdata.reachingdefs
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
+
+        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+        hl_rhs = XU.xxpr_to_ast_def_expr(
+            rhs, xdata, iaddr, astree, size=1, memaddr=xaddr)
+
+        hl_assign = astree.mk_assign(
+            hl_lhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign, ll_assign)
+        astree.add_instr_address(hl_assign, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_lval_mapping(hl_lhs, ll_lhs)
+        astree.add_expr_reachingdefs(ll_rhs, rdefs)
+        astree.add_lval_defuses(hl_lhs, defuses[0])
+        astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
+
+        # write-back semantics
+
+        if self.opargs[3].is_indirect_register and self.opargs[3].is_write_back:
+            addrop = cast("ARMOffsetAddressOp", self.opargs[3].opkind)
+            (ll_addr_lhs, _, _) = self.opargs[1].ast_lvalue(astree)
+            ll_addr_rhs = addrop.ast_addr_rvalue(astree)
+
+            ll_addr_assign = astree.mk_assign(
+                ll_addr_lhs,
+                ll_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
+
+            basereg = xdata.vars[1]
+            newaddr = xdata.xprs[4]
+            hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
+            hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
+
+            hl_addr_assign = astree.mk_assign(
+                hl_addr_lhs,
+                hl_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            hl_assigns: List[AST.ASTInstruction] = [hl_assign, hl_addr_assign]
+
+            # TODO: add writeback update
+
+            astree.add_instr_mapping(hl_addr_assign, ll_addr_assign)
+            astree.add_instr_address(hl_addr_assign, [iaddr])
+            astree.add_expr_mapping(hl_addr_rhs, ll_addr_rhs)
+            astree.add_lval_mapping(hl_addr_lhs, ll_addr_lhs)
+            astree.add_expr_reachingdefs(ll_addr_rhs, [rdefs[0]])
+            astree.add_lval_defuses(ll_addr_lhs, defuses[1])
+            astree.add_lval_defuses_high(ll_addr_lhs, defuseshigh[1])
+        else:
+            ll_assigns = [ll_assign]
+            hl_assigns = [hl_assign]
+
+        return (hl_assigns, (ll_pre + ll_assigns + ll_post))
diff --git a/chb/arm/opcodes/ARMLoadRegisterSignedHalfword.py b/chb/arm/opcodes/ARMLoadRegisterSignedHalfword.py
index 73ee3d0f..fb4d4b5d 100644
--- a/chb/arm/opcodes/ARMLoadRegisterSignedHalfword.py
+++ b/chb/arm/opcodes/ARMLoadRegisterSignedHalfword.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -40,11 +40,59 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.arm.ARMOperandKind import ARMOffsetAddressOp
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLoadRegisterSignedHalfwordXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(1, "vmem")
+
+    @property
+    def xmem(self) -> "XXpr":
+        return self.xpr(2, "xmem")
+
+    @property
+    def xrmem(self) -> "XXpr":
+        return self.xpr(3, "xrmem")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_xrmem_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vrt) + " := " + str(self.xrmem)
+        elif self.is_xrmem_unknown and self.is_address_known:
+            assignment = str(self.vrt) + " := *(" + str(self.xaddr) + ")"
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment) + wbu
 
 
 @armregistry.register_tag("LDRSH", ARMOpcode)
@@ -81,10 +129,7 @@ class ARMLoadRegisterSignedHalfword(ARMOpcode):
     xprs[.]: new address for base register
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "LoadRegisterSignedHalfword")
 
@@ -103,35 +148,7 @@ def rhs(self, xdata: InstrXData) -> List[XXpr]:
         return [xdata.xprs[1]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxx .
-
-        vars[0]: lhs
-        vars[1]: rhs memory location
-        xprs[0]: value in memory location
-        xprs[1]: value in memory location (simplified)
-        """
-
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-
-        xctr = 4
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        vctr = 2
-        if xdata.has_base_update():
-            blhs = str(xdata.vars[vctr])
-            brhs = str(xdata.xprs[xctr])
-            pbupd = "; " + blhs + " := " + brhs
-        else:
-            pbupd = ""
-
-        return pcond + lhs + " := " + rhs + pbupd
+        return ARMLoadRegisterSignedHalfwordXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -154,76 +171,85 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        memaddr = xdata.xprs[4]
+        # high-level assignment
+
+        xd = ARMLoadRegisterSignedHalfwordXData(xdata)
+        if xd.is_ok:
+            lhs = xd.vrt
+            rhs = xd.xrmem
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree, rhs=rhs)
+            hl_rhs = XU.xxpr_to_ast_def_expr(
+                rhs, xdata, iaddr, astree, memaddr=xaddr, size=2)
+
+        elif xd.is_xrmem_unknown and xd.is_address_known:
+            xaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+            hl_rhs = XU.xmemory_dereference_lval_expr(
+                xaddr, xdata, iaddr, astree, size=2)
+
+        else:
+            chklogger.logger.error(
+                "LDRSH: both memory value and address values are error values "
+                + "at address %s: ", iaddr)
+            return ([], [])
+
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
-        hl_preinstrs: List[AST.ASTInstruction] = []
-        hl_postinstrs: List[AST.ASTInstruction] = []
-        rhsexprs = XU.xxpr_to_ast_exprs(rhs, xdata, iaddr, astree)
-        if len(rhsexprs) == 1:
-            hl_rhs = rhsexprs[0]
-
-            if rhs.is_tmp_variable or rhs.has_unknown_memory_base():
-                addrlval = XU.xmemory_dereference_lval(memaddr, xdata, iaddr, astree)
-                hl_rhs = astree.mk_lval_expression(addrlval)
-
-            if astree.has_variable_intro(iaddr):
-                vname = astree.get_variable_intro(iaddr)
-                vdescr = "intro"
-            else:
-                vname = str(lhs) + "_" + iaddr[2:]
-                vdescr = "LDRSH"
-
-            vinfo = astree.mk_vinfo(
-                vname,
-                vtype=astree.astree.short_type,
-                vdescr=vdescr)
-            vinfolval = astree.mk_vinfo_lval(vinfo)
-            vinfolvalexpr = astree.mk_lval_expr(vinfolval)
-
-            hl_lhs = astree.mk_register_variable_lval(str(lhs))
-            if str(hl_rhs).startswith("temp"):
-                (hl_rhs,
-                 hl_preinstrs,
-                 hl_postinstrs) = self.opargs[1].ast_rvalue(astree)
-
-            hl_assign_name = astree.mk_assign(
-                vinfolval,
-                hl_rhs,
+        hl_assign = astree.mk_assign(
+            hl_lhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign, ll_assign)
+        astree.add_instr_address(hl_assign, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_lval_mapping(hl_lhs, ll_lhs)
+        astree.add_expr_reachingdefs(ll_rhs, rdefs)
+        astree.add_lval_defuses(hl_lhs, defuses[0])
+        astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
+
+        # write-back semantics
+
+        if self.opargs[3].is_indirect_register and self.opargs[3].is_write_back:
+            addrop = cast("ARMOffsetAddressOp", self.opargs[3].opkind)
+            (ll_addr_lhs, _, _) = self.opargs[1].ast_lvalue(astree)
+            ll_addr_rhs = addrop.ast_addr_rvalue(astree)
+
+            ll_addr_assign = astree.mk_assign(
+                ll_addr_lhs,
+                ll_addr_rhs,
                 iaddr=iaddr,
                 bytestring=bytestring,
                 annotations=annotations)
+            ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
+
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
+            hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
+            hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
 
-            hl_assign = astree.mk_assign(
-                hl_lhs,
-                vinfolvalexpr,
+            hl_addr_assign = astree.mk_assign(
+                hl_addr_lhs,
+                hl_addr_rhs,
                 iaddr=iaddr,
                 bytestring=bytestring,
                 annotations=annotations)
-
-            astree.add_reg_definition(iaddr, hl_lhs, vinfolvalexpr)
-            astree.add_instr_mapping(hl_assign_name, ll_assign)
-            astree.add_instr_mapping(hl_assign, ll_assign)
-            astree.add_instr_address(hl_assign, [iaddr])
-            astree.add_expr_mapping(hl_rhs, ll_rhs)
-            astree.add_lval_mapping(hl_lhs, ll_lhs)
-            astree.add_expr_reachingdefs(hl_rhs, [rdefs[2]])
-            astree.add_lval_defuses(hl_lhs, defuses[0])
-            astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
-            astree.add_lval_store(vinfolval)
-
-            if ll_rhs.is_ast_lval_expr:
-                lvalexpr = cast(AST.ASTLvalExpr, ll_rhs)
-                if lvalexpr.lval.lhost.is_memref:
-                    memexp = cast(AST.ASTMemRef, lvalexpr.lval.lhost).memexp
-                    astree.add_expr_reachingdefs(memexp, [rdefs[0], rdefs[1]])
-
-            return ([hl_assign_name, hl_assign], [ll_assign])
-
+            hl_assigns: List[AST.ASTInstruction] = [hl_assign, hl_addr_assign]
+
+            astree.add_instr_mapping(hl_addr_assign, ll_addr_assign)
+            astree.add_instr_address(hl_addr_assign, [iaddr])
+            astree.add_expr_mapping(hl_addr_rhs, ll_addr_rhs)
+            astree.add_lval_mapping(hl_addr_lhs, ll_addr_lhs)
+            astree.add_expr_reachingdefs(ll_addr_rhs, [rdefs[0]])
+            astree.add_lval_defuses(ll_addr_lhs, defuses[1])
+            astree.add_lval_defuses_high(ll_addr_lhs, defuseshigh[1])
         else:
-            raise UF.CHBError(
-                "ARMLoadRegisterSignedHalfword: multiple expressions/lvals in ast")
+            ll_assigns = [ll_assign]
+            hl_assigns = [hl_assign]
+
+        return (hl_assigns, (ll_preinstrs + ll_assigns + ll_postinstrs))
diff --git a/chb/arm/opcodes/ARMLogicalShiftLeft.py b/chb/arm/opcodes/ARMLogicalShiftLeft.py
index d8201ef5..397f3777 100644
--- a/chb/arm/opcodes/ARMLogicalShiftLeft.py
+++ b/chb/arm/opcodes/ARMLogicalShiftLeft.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,49 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLogicalShiftLeftXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("LSL", ARMOpcode)
@@ -110,18 +148,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMLogicalShiftLeftXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -149,10 +180,16 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rresult = xdata.xprs[3]
+        xd = ARMLogicalShiftLeftXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rresult = xd.rresult
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMLogicalShiftRight.py b/chb/arm/opcodes/ARMLogicalShiftRight.py
index 5fe442ed..5295bd30 100644
--- a/chb/arm/opcodes/ARMLogicalShiftRight.py
+++ b/chb/arm/opcodes/ARMLogicalShiftRight.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,49 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMLogicalShiftRightXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("LSR", ARMOpcode)
@@ -73,10 +111,7 @@ class ARMLogicalShiftRight(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
 
     def mnemonic_extension(self) -> str:
@@ -105,18 +140,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMLogicalShiftRightXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error Value"
 
     def ast_prov(
             self,
@@ -144,10 +172,16 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rresult = xdata.xprs[3]
+        xd = ARMLogicalShiftRightXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rresult = xd.rresult
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMMove.py b/chb/arm/opcodes/ARMMove.py
index 3fe9a974..9b17be12 100644
--- a/chb/arm/opcodes/ARMMove.py
+++ b/chb/arm/opcodes/ARMMove.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -40,11 +40,37 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMMoveXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(1, "result")
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + str(self.result)
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("MOV", ARMOpcode)
@@ -72,10 +98,7 @@ class ARMMove(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "Move")
 
@@ -102,19 +125,19 @@ def is_nop_instruction(self, xdata: InstrXData) -> bool:
         return xdata.is_nop
 
     def annotation(self, xdata: InstrXData) -> str:
+        if len(xdata.tags) == 0:
+            # This happens when this instruction is part of an aggregate
+            # conditional assignment, but the condition cannot be determined
+            return "insufficient information"
+
         if xdata.is_nop:
             return "NOP"
 
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[1])
-        assignment = lhs + " := " + rhs
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[2])
-            return "if " + c + " then " + assignment
+        xd = ARMMoveXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov_subsumed(
             self,
@@ -155,6 +178,7 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
+        xd = ARMMoveXData(xdata)
         annotations: List[str] = [iaddr, "MOV"]
 
         if xdata.is_nop:
@@ -184,8 +208,12 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[1]
+        if not xd.is_ok:
+            chklogger.logger.error("Error value encountered at %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.result
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMMoveRegisterCoprocessor.py b/chb/arm/opcodes/ARMMoveRegisterCoprocessor.py
index 9a1effc5..6395381d 100644
--- a/chb/arm/opcodes/ARMMoveRegisterCoprocessor.py
+++ b/chb/arm/opcodes/ARMMoveRegisterCoprocessor.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,15 +30,30 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+
+
+class ARMMoveRegisterCoprocessorXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrt(self) -> "XVariable":
+        return self.var(0, "vrt")
+
+    @property
+    def annotation(self) -> str:
+        return str(self.vrt) + " := ?"
 
 
 @armregistry.register_tag("MRC", ARMOpcode)
@@ -88,10 +103,8 @@ def operandstring(self) -> str:
             + opc2)
 
     def annotation(self, xdata: InstrXData) -> str:
-        """format a:v
-
-        vars[0]: lhs; destination register (Rt)
-        """
-
-        lhs = str(xdata.vars[0])
-        return lhs + " := ?"
+        xd = ARMMoveRegisterCoprocessorXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
diff --git a/chb/arm/opcodes/ARMMoveToCoprocessor.py b/chb/arm/opcodes/ARMMoveToCoprocessor.py
index 2ff23148..14b4dd63 100644
--- a/chb/arm/opcodes/ARMMoveToCoprocessor.py
+++ b/chb/arm/opcodes/ARMMoveToCoprocessor.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,15 +30,35 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMMoveToCoprocessorXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrt(self) -> "XXpr":
+        return self.xpr(0, "xrt")
+
+    @property
+    def xxrt(self) -> "XXpr":
+        return self.xpr(1, "xxrt")
+
+    @property
+    def annotation(self) -> str:
+        return "? := " + str(self.xxrt)
+
 
 
 @armregistry.register_tag("MCR", ARMOpcode)
@@ -56,10 +76,7 @@ class ARMMoveToCoprocessor(ARMOpcode):
     args[5]: opc2
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 6, "MoveToCoprocessor")
 
@@ -88,11 +105,8 @@ def operandstring(self) -> str:
             + opc2)
 
     def annotation(self, xdata: InstrXData) -> str:
-        """format a:v
-
-        xprs[0]: rhs: source register (Rt)
-        xprs[1]: rrhs: source register rewritten
-        """
-
-        rrhs = str(xdata.xprs[1])
-        return "? := " + str(rrhs)
+        xd = ARMMoveToCoprocessorXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
diff --git a/chb/arm/opcodes/ARMMoveTop.py b/chb/arm/opcodes/ARMMoveTop.py
index 28309c32..4636670c 100644
--- a/chb/arm/opcodes/ARMMoveTop.py
+++ b/chb/arm/opcodes/ARMMoveTop.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,64 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMMoveTopXData(ARMOpcodeXData):
+    """
+    xdata format: a:vxxxxxrdh
+    -------------------------
+    vars[0]: lhs
+    xprs[0]: immediate value
+    xprs[1]: rhs
+    xprs[2]: rhs shifted by 16 bits
+    xprs[3]: result
+    xprs[4]: result (simplified)
+    """
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def ximm(self) -> "XXpr":
+        return self.xpr(0, "ximm")
+
+    @property
+    def xrd(self) -> "XXpr":
+        return self.xpr(1, "xrd")
+
+    @property
+    def xrdm16(self) -> "XXpr":
+        return self.xpr(2, "xrdm16")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(3, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(4, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[4], self.xdata.args[5], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("MOVT", ARMOpcode)
@@ -55,21 +108,9 @@ class ARMMoveTop(ARMOpcode):
     tags[1]: <c>
     args[0]: index of Rd in arm dictionary
     args[1]: index of imm16 in arm dictionary
-
-    xdata format: a:vxxxxxrdh
-    -------------------------
-    vars[0]: lhs
-    xprs[0]: immediate value
-    xprs[1]: rhs
-    xprs[2]: rhs shifted by 16 bits
-    xprs[3]: result
-    xprs[4]: result (simplified)
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "MoveTop")
 
@@ -82,18 +123,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[3]
-        rresult = xdata.xprs[4]
-        xresult = simplify_result(xdata.args[4], xdata.args[5], result, rresult)
-        assignment = lhs + " := " + xresult
-        if xdata.has_unknown_instruction_condition():
-            return "if ? then " + assignment
-        elif xdata.has_instruction_condition():
-            c = str(xdata.xprs[1])
-            return "if " + c + " then " + assignment
+        xd = ARMMoveTopXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            return assignment
+            return "Error value"
 
     def ast_prov(
             self,
@@ -125,8 +159,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[4]
+        xd = ARMMoveTopXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMMultiply.py b/chb/arm/opcodes/ARMMultiply.py
index 1fdbb3cf..cce36cb9 100644
--- a/chb/arm/opcodes/ARMMultiply.py
+++ b/chb/arm/opcodes/ARMMultiply.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,15 +30,54 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMMultiplyXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "result")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("MUL", ARMOpcode)
@@ -54,10 +93,7 @@ class ARMMultiply(ARMOpcode):
     args[3]: index of rm in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 4, "Multiply")
 
@@ -66,17 +102,8 @@ def operands(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1:]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxxxx .
-
-        vars[0]: lhs
-        xprs[0]: rhs1
-        xprs[1]: rhs2
-        xprs[2]: rhs1 * rhs2 (syntactic)
-        xprs[3]: rhs1 * rhs2 (simplified)
-        """
-
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMMultiplyXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
diff --git a/chb/arm/opcodes/ARMMultiplyAccumulate.py b/chb/arm/opcodes/ARMMultiplyAccumulate.py
index 5c6c5fe0..226fa449 100644
--- a/chb/arm/opcodes/ARMMultiplyAccumulate.py
+++ b/chb/arm/opcodes/ARMMultiplyAccumulate.py
@@ -25,20 +25,80 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
-import chb.util.fileutil as UF
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+import chb.invariants.XXprUtil as XU
 
+import chb.util.fileutil as UF
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMMultiplyAccumulateXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xra(self) -> "XXpr":
+        return self.xpr(2, "xra")
+
+    @property
+    def xprd(self) -> "XXpr":
+        return self.xpr(3, "xprd")
+
+    @property
+    def xrprd(self) -> "XXpr":
+        return self.xpr(4, "xrprd")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(4, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(5, "rresult")
+
+    @property
+    def result_simplified_p(self) -> str:
+        return simplify_result(
+            self.xdata.args[4], self.xdata.args[5], self.xprd, self.xrprd)
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[6], self.xdata.args[7], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("MLA", ARMOpcode)
@@ -55,10 +115,7 @@ class ARMMultiplyAccumulate(ARMOpcode):
     args[4]: index of Ra in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "MultiplyAccumulate")
 
@@ -67,23 +124,8 @@ def operands(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1:]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxxxxxxx
-
-        vars[0]: lhs1 (Rd)
-        xprs[0]: rhs1 (Rn)
-        xprs[1]: rhs2 (Rm)
-        xprs[2]: rhsra (Ra)
-        xprs[3]: (rhs1 * rhs2)
-        xprs[4]: (rhs1 * rhs2) (simplified)
-        xprs[5]: (rhsra + (rhs1 * rhs2))
-        xprs[6]: (rhsra + (rhs1 * rhs2)) (simplified)
-        """
-
-        lhs = str(xdata.vars[0])
-        prod = xdata.xprs[3]
-        rprod = xdata.xprs[4]
-        xprod = simplify_result(xdata.args[4], xdata.args[5], prod, rprod)
-        xsum = xdata.xprs[5]
-        rxsum = xdata.xprs[6]
-        xxsum = simplify_result(xdata.args[6], xdata.args[7], xsum, rxsum)
-        return (lhs + " := " + xxsum)
+        xd = ARMMultiplyAccumulateXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
diff --git a/chb/arm/opcodes/ARMPop.py b/chb/arm/opcodes/ARMPop.py
index fabf6151..0ebbf44d 100644
--- a/chb/arm/opcodes/ARMPop.py
+++ b/chb/arm/opcodes/ARMPop.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -41,11 +41,78 @@
 
 import chb.util.fileutil as UF
 from chb.util.loggingutil import chklogger
-
 from chb.util.IndexedTable import IndexedTableValue
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMPopXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def regcount(self) -> int:
+        return len(self.xdata.vars_r) - 1
+
+    @property
+    def splhs(self) -> "XVariable":
+        return self.var(0, "splhs")
+
+    @property
+    def lhsvars(self) -> List["XVariable"]:
+        return [self.var(i, "lhsvar") for i in range(1, self.regcount + 1)]
+
+    @property
+    def sprhs(self) -> "XXpr":
+        return self.xpr(0, "sprhs")
+
+    @property
+    def spresult(self) -> "XXpr":
+        return self.xpr(1, "spresult")
+
+    @property
+    def rspresult(self) -> "XXpr":
+        return self.xpr(2, "rspresult")
+
+    @property
+    def rrhsexprs(self) -> List["XXpr"]:
+        return [self.xpr(i, "rhsexpr") for i in range(3, self.regcount + 3)]
+
+    @property
+    def xaddrs(self) -> List["XXpr"]:
+        return [self.xpr(i, "xaddr")
+                for i in range(self.regcount + 3, (2 * self.regcount) + 3)]
+
+    def has_return_xpr(self) -> bool:
+        return self.xdata.has_return_xpr()
+
+    def returnval(self) -> "XXpr":
+        return self.xdata.get_return_xpr()
+
+    def rreturnval(self) -> "XXpr":
+        return self.xdata.get_return_xxpr()
+
+    @property
+    def r0(self) -> Optional["XXpr"]:
+        if "return" in self._xdata.tags:
+            return self.xpr((2 * self.regcount) + 3, "r0")
+        return None
+
+    @property
+    def annotation(self) -> str:
+        pairs = zip(self.lhsvars, self.rrhsexprs)
+        spassign = str(self.splhs) + " := " + str(self.rspresult)
+        assigns = "; ".join(str(v) + " := " + str(x) for (v, x) in pairs)
+        assigns = spassign + "; " + assigns
+        if self.has_return_xpr():
+            rxpr = "; return " + str(self.rreturnval())
+        else:
+            rxpr = ""
+        return self.add_instruction_condition(assigns + rxpr)
 
 
 @armregistry.register_tag("POP", ARMOpcode)
@@ -78,10 +145,7 @@ class ARMPop(ARMOpcode):
     useshigh[1..n]: useshigh(r): for r: register popped used at high level
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 3, "Pop")
 
@@ -103,41 +167,21 @@ def operandstring(self) -> str:
         return str(self.operands[1])
 
     def is_return_instruction(self, xdata: InstrXData) -> bool:
-        vars = xdata.vars[1:]
-        xprs = xdata.xprs[3:]
-        xctr = len(vars)
-        pairs = list(zip(vars, xprs[:xctr]))
-        for (v, x) in pairs:
-            if str(v) == "PC" and str(x) == "LR_in":
-                return True
-        else:
-            return False
+        return ARMPopXData(xdata).has_return_xpr()
 
     def return_value(self, xdata: InstrXData) -> Optional[XXpr]:
-        nvars = len(xdata.vars[1:])
-        # this condition is fragile, should be made more robust
-        if len(xdata.xprs) == (2 * nvars) + 4:
-            return xdata.xprs[-1]
+        xd = ARMPopXData(xdata)
+        if xd.has_return_xpr():
+            return xd.rreturnval()
         else:
             return None
 
     def annotation(self, xdata: InstrXData) -> str:
-        vars = xdata.vars
-        xprs = xdata.xprs
-
-        xctr = len(vars) + 1
-        pairs = zip(vars, xprs[2:])
-        assigns = "; ".join(str(v) + " := " + str(x) for (v, x) in pairs)
-
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xprs[2 * xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
+        xd = ARMPopXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
         else:
-            pcond = ""
-
-        return pcond + assigns
+            return "Error value"
 
     def ast_condition_prov(
             self,
@@ -178,12 +222,18 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        splhs = xdata.vars[0]
-        reglhss = xdata.vars[1:]
-        sprrhs = xdata.xprs[0]
-        spresult = xdata.xprs[1]
-        sprresult = xdata.xprs[2]
-        memrhss = xdata.xprs[3:]
+        xd = ARMPopXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        splhs = xd.splhs
+        reglhss = xd.lhsvars
+        spresult = xd.spresult
+        sprresult = xd.rspresult
+        memrhss = xd.rrhsexprs
+
         sprdef = xdata.reachingdefs[0]
         memrdefs = xdata.reachingdefs[1:]
         spuses = xdata.defuses[0]
diff --git a/chb/arm/opcodes/ARMPush.py b/chb/arm/opcodes/ARMPush.py
index 5863d8f0..3d91caab 100644
--- a/chb/arm/opcodes/ARMPush.py
+++ b/chb/arm/opcodes/ARMPush.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -31,7 +31,7 @@
 from chb.app.MemoryAccess import MemoryAccess, RegisterSpill
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -42,13 +42,62 @@
 
 import chb.util.fileutil as UF
 from chb.util.loggingutil import chklogger
-
 from chb.util.IndexedTable import IndexedTableValue
 
+
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMOperandKind import ARMRegListOp
     from chb.arm.ARMRegister import ARMRegister
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMPushXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def regcount(self) -> int:
+        return len(self._xdata.vars_r) - 1
+
+    @property
+    def splhs(self) -> "XVariable":
+        return self.var(0, "splhs")
+
+    @property
+    def lhsvars(self) -> List["XVariable"]:
+        return [self.var(i, "lhsvar") for i in range(1, self.regcount + 1)]
+
+    @property
+    def sprhs(self) -> "XXpr":
+        return self.xpr(0, "sprhs")
+
+    @property
+    def spresult(self) -> "XXpr":
+        return self.xpr(1, "spresult")
+
+    @property
+    def rspresult(self) -> "XXpr":
+        return self.xpr(2, "rspresult")
+
+    @property
+    def rrhsexprs(self) -> List["XXpr"]:
+        return [self.xpr(i, "rhsvar") for i in range(3, self.regcount + 3)]
+
+    @property
+    def xaddrs(self) -> List["XXpr"]:
+        return [self.xpr(i, "xaddr")
+                for i in range(self.regcount + 3, (2 * self.regcount) + 3)]
+
+    @property
+    def annotation(self) -> str:
+        pairs = zip(self.lhsvars, self.rrhsexprs)
+        spassign = str(self.splhs) + " := " + str(self.rspresult)
+        assigns = "; ".join(str(v) + " := " + str(x) for (v, x) in pairs)
+        assigns = spassign + "; " + assigns
+        return self.add_instruction_condition(assigns)
 
 
 @armregistry.register_tag("PUSH", ARMOpcode)
@@ -79,10 +128,7 @@ class ARMPush(ARMOpcode):
     useshigh[1..n]: useshigh(m): for m: memory location variable used at high level
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 3, "Push")
 
@@ -104,22 +150,23 @@ def register_count(self) -> int:
         return cast("ARMRegListOp", self.opargs[1].opkind).count
 
     def memory_accesses(self, xdata: InstrXData) -> Sequence[MemoryAccess]:
+        xd = ARMPushXData(xdata)
         spills = self.register_spills(xdata)
         regcount = self.register_count
         if len(spills) > 0:
             result: List[RegisterSpill] = []
             for (i, spill) in enumerate(spills):
-                result.append(RegisterSpill(xdata.xprs[regcount+3+i], spill))
+                result.append(RegisterSpill(xd.rrhsexprs[i], spill))
             return result
         else:
             return [MemoryAccess(xdata.xprs[2], "W", size=4)]
 
     def register_spills(self, xdata: InstrXData) -> List[str]:
-        swaddr = xdata.xprs[2]
+        xd = ARMPushXData(xdata)
         result: List[str] = []
         regcount = self.register_count
         # rhs = xdata.xprs[3]
-        for rhs in xdata.xprs[3:3+regcount]:
+        for rhs in xd.rrhsexprs:
             if rhs.is_initial_register_value:
                 r = cast("ARMRegister", rhs.initial_register_value_register())
                 if r.is_arm_callee_saved_register:
@@ -127,17 +174,11 @@ def register_spills(self, xdata: InstrXData) -> List[str]:
         return result
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:v...x...
-
-        vars[0..n]: stack locations
-        xprs[0..n]: register values
-        """
-
-        vars = xdata.vars
-        xprs = xdata.xprs
-        assigns = '; '.join(
-            str(v) + " := " + str(x) for (v, x) in zip(vars, xprs[2:]))
-        return assigns
+        xd = ARMPushXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
@@ -147,12 +188,17 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
-        splhs = xdata.vars[0]
-        memlhss = xdata.vars[1:]
-        sprrhs = xdata.xprs[0]
-        spresult = xdata.xprs[1]
-        sprresult = xdata.xprs[2]
-        regrhss = xdata.xprs[3:]
+        xd = ARMPushXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+
+        splhs = xd.splhs
+        memlhss = xd.lhsvars
+        sprrhs = xd.spresult
+        sprresult = xd.rspresult
+        regrhss = xd.rrhsexprs
+
         sprdef = xdata.reachingdefs[0]
         regrdefs = xdata.reachingdefs[1:]
         spuses = xdata.defuses[0]
diff --git a/chb/arm/opcodes/ARMReverseSubtract.py b/chb/arm/opcodes/ARMReverseSubtract.py
index 2c1b2480..d29002ea 100644
--- a/chb/arm/opcodes/ARMReverseSubtract.py
+++ b/chb/arm/opcodes/ARMReverseSubtract.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,12 +39,50 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.arm.ARMOperandKind import ARMShiftedRegisterOp
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMReverseSubtractXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("RSB", ARMOpcode)
@@ -102,11 +140,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMReverseSubtractXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
@@ -139,10 +177,16 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs3 = xdata.xprs[3]
+        xd = ARMReverseSubtractXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
 
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMSignedMultiplyLong.py b/chb/arm/opcodes/ARMSignedMultiplyLong.py
index d1f95d49..84b73603 100644
--- a/chb/arm/opcodes/ARMSignedMultiplyLong.py
+++ b/chb/arm/opcodes/ARMSignedMultiplyLong.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021 Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,20 +25,81 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
-import chb.util.fileutil as UF
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+import chb.invariants.XXprUtil as XU
 
+import chb.util.fileutil as UF
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMSignedMultiplyLongXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vlo(self) -> "XVariable":
+        return self.var(0, "vlo")
+
+    @property
+    def vhi(self) -> "XVariable":
+        return self.var(1, "vhi")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def loresult(self) -> "XXpr":
+        return self.xpr(2, "loresult")
+
+    @property
+    def hiresult(self) -> "XXpr":
+        return self.xpr(3, "hiresult")
+
+    @property
+    def loresultr(self) -> "XXpr":
+        return self.xpr(4, "loresultr")
+
+    @property
+    def hiresultr(self) -> "XXpr":
+        return self.xpr(5, "hiresultr")
+
+    @property
+    def resultlo_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[2], self.xdata.args[4], self.loresult, self.loresultr)
+
+    @property
+    def resulthi_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[5], self.xdata.args[7], self.hiresult, self.hiresultr)
+
+    @property
+    def annotation(self) -> str:
+        assignment1 = str(self.vlo) + " := " + self.resultlo_simplified
+        assignment2 = str(self.vhi) + " := " + self.resulthi_simplified
+        return self.add_instruction_condition(assignment1 + "; " + assignment2)
 
 
 @armregistry.register_tag("SMULL", ARMOpcode)
@@ -55,10 +116,7 @@ class ARMSignedMultiplyLong(ARMOpcode):
     args[4]: index of Rm in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "SignedMultiplyLong")
 
@@ -66,20 +124,105 @@ def __init__(
     def operands(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1:]]
 
+    @property
+    def opargs(self) -> List[ARMOperand]:
+        return [self.armd.arm_operand(i) for i in self.args[1:]]
+
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxxxx
-
-        vars[0]: lhslo
-        vars[1]: lhshi
-        xprs[0]: rhs1
-        xprs[1]: rhs2
-        xprs[2]: (rhs1 * rhs2)
-        xprs[3]: (rhs1 * rhs2)
-        """
-
-        lhslo = str(xdata.vars[0])
-        lhshi = str(xdata.vars[1])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[4], xdata.args[5], result, rresult)
-        return "(" + lhslo + "," + lhshi + ")" + " := " + xresult
+        xd = ARMSignedMultiplyLongXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
+
+    def ast_prov(
+            self,
+            astree: ASTInterface,
+            iaddr: str,
+            bytestring: str,
+            xdata: InstrXData) -> Tuple[
+                List[AST.ASTInstruction], List[AST.ASTInstruction]]:
+
+        annotations: List[str] = [iaddr, "SMULL"]
+
+        # low-level assignment
+
+        (ll_lhs, _, _) = self.opargs[0].ast_lvalue(astree)
+        (ll_lhs2, _, _) = self.opargs[1].ast_lvalue(astree)
+        (ll_op1, _, _) = self.opargs[2].ast_rvalue(astree)
+        (ll_op2, _, _) = self.opargs[3].ast_rvalue(astree)
+        ll_rhs = astree.mk_binary_op("mult", ll_op1, ll_op2)
+        e32 = astree.mk_integer_constant(0x10000000)
+        ll_rhs = astree.mk_binary_op("div", ll_rhs, e32)
+        ll_rhs2 = astree.mk_binary_op("mod", ll_rhs, e32)
+
+        ll_assign1 = astree.mk_assign(
+            ll_lhs,
+            ll_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+        ll_assign2 = astree.mk_assign(
+            ll_lhs2,
+            ll_rhs2,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        rdefs = xdata.reachingdefs
+
+        astree.add_expr_reachingdefs(ll_op1, [rdefs[0]])
+        astree.add_expr_reachingdefs(ll_op2, [rdefs[1]])
+
+        # high-level assignment
+
+        xd = ARMSignedMultiplyLongXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vlo
+        lhs2 = xd.vhi
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhslo = xd.loresult
+        rhshi = xd.hiresult
+
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
+
+        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+        hl_lhs2 = XU.xvariable_to_ast_lval(lhs2, xdata, iaddr, astree)
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhslo, xdata, iaddr, astree)
+        hl_rhs2 = XU.xxpr_to_ast_def_expr(rhshi, xdata, iaddr, astree)
+
+        hl_assign1 = astree.mk_assign(
+            hl_lhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+        hl_assign2 = astree.mk_assign(
+            hl_lhs2,
+            hl_rhs2,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign1, ll_assign1)
+        astree.add_instr_mapping(hl_assign2, ll_assign2)
+        astree.add_instr_address(hl_assign1, [iaddr])
+        astree.add_instr_address(hl_assign2, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_expr_mapping(hl_rhs2, ll_rhs2)
+        astree.add_lval_mapping(hl_lhs, ll_lhs)
+        astree.add_lval_mapping(hl_lhs2, ll_lhs2)
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[2:])
+        astree.add_expr_reachingdefs(ll_rhs, rdefs[:2])
+        astree.add_lval_defuses(hl_lhs, defuses[0])
+        astree.add_lval_defuses(hl_lhs2, defuses[1])
+        astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
+        astree.add_lval_defuses_high(hl_lhs2, defuseshigh[1])
+
+        return ([hl_assign1, hl_assign2], [ll_assign1, ll_assign2])
diff --git a/chb/arm/opcodes/ARMStoreMultipleDecrementBefore.py b/chb/arm/opcodes/ARMStoreMultipleDecrementBefore.py
index d6d991d3..6216fc5f 100644
--- a/chb/arm/opcodes/ARMStoreMultipleDecrementBefore.py
+++ b/chb/arm/opcodes/ARMStoreMultipleDecrementBefore.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 from chb.ast.AbstractSyntaxTree import nooffset
@@ -48,6 +48,49 @@
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.bctypes.BCTyp import BCTypComp, BCTypArray
     from chb.invariants.VAssemblyVariable import VMemoryVariable
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMStoreMultipleDecrementBeforeXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def regcount(self) -> int:
+        return len(self._xdata.vars_r) - 1
+
+    @property
+    def baselhs(self) -> "XVariable":
+        return self.var(0, "baselhs")
+
+    @property
+    def memlhss(self) -> List["XVariable"]:
+        return [self.var(i, "memlhs") for i in range(1, self.regcount + 1)]
+
+    @property
+    def baserhs(self) -> "XXpr":
+        return self.xpr(0, "baserhs")
+
+    @property
+    def baseresult(self) -> "XXpr":
+        return self.xpr(1, "baseresult")
+
+    @property
+    def rbaseresult(self) -> "XXpr":
+        return self.xpr(2, "rbaseresult")
+
+    @property
+    def rrhss(self) -> List["XXpr"]:
+        return [self.xpr(i, "rhs") for i in range(3, self.regcount + 3)]
+
+    @property
+    def annotation(self) -> str:
+        # TODO add writeback
+        pairs = zip(self.memlhss, self.rrhss)
+        assigns = "; ".join(str(v) + " := " + str(x) for (v, x) in pairs)
+        return self.add_instruction_condition(assigns)
 
 
 @armregistry.register_tag("STMDB", ARMOpcode)
@@ -79,10 +122,7 @@ class ARMStoreMultipleDecrementBefore(ARMOpcode):
     defusehigh[1..n]: use-high of memory variables
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 4, "StoreMultipleDecrementBefore")
 
@@ -102,19 +142,11 @@ def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def annotation(self, xdata: InstrXData) -> str:
-        # regcount = len(xdata.vars) - 1
-        regcount = len(xdata.reachingdefs) - 1
-
-        wb = ""
-        if self.writeback:
-            wb = "; " + str(xdata.vars[0]) + " := " + str(xdata.xprs[2])
-        return (
-            "; ".join(
-                str(v)
-                + " := "
-                + str(x) for (v, x) in
-                zip(xdata.vars[1:], xdata.xprs[regcount+3:(2 * regcount)+3]))
-            + wb)
+        xd = ARMStoreMultipleDecrementBeforeXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def assembly_ast(
             self,
diff --git a/chb/arm/opcodes/ARMStoreMultipleIncrementAfter.py b/chb/arm/opcodes/ARMStoreMultipleIncrementAfter.py
index 405aad95..19fdcd9d 100644
--- a/chb/arm/opcodes/ARMStoreMultipleIncrementAfter.py
+++ b/chb/arm/opcodes/ARMStoreMultipleIncrementAfter.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,7 +39,6 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
 from chb.util.loggingutil import chklogger
 
@@ -47,7 +46,100 @@
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
     from chb.invariants.VAssemblyVariable import VRegisterVariable
-    from chb.invariants.XXpr import XprConstant, XprVariable
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr, XprConstant, XprVariable
+
+
+class ARMStoreMultipleIncrementAfterXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def is_ldmstm_aggregate(self) -> bool:
+        return "agg-ldmstm" in self.xdata.tags
+
+    def ldmstm_xpr(self, index: int, msg: str) -> "XXpr":
+        if self.is_ldmstm_aggregate:
+            return self.xpr(index, msg)
+        else:
+            raise UF.CHBError("Not an ldmstm aggregate: " + msg)
+
+    @property
+    def xdst(self) -> "XXpr":
+        return self.ldmstm_xpr(0, "xdst")
+
+    @property
+    def is_xdst_unknown(self) -> bool:
+        return self.xdata.xprs_r[0] is None
+
+    @property
+    def xsrc(self) -> "XXpr":
+        return self.ldmstm_xpr(1, "xsrc")
+
+    @property
+    def is_xsrc_unknowns(self) -> bool:
+        return self.xdata.xprs_r[1] is None
+
+    @property
+    def xxdst(self) -> "XXpr":
+        return self.ldmstm_xpr(2, "xxdst")
+
+    @property
+    def is_xxdst_unknown(self) -> bool:
+        return self.xdata.xprs_r[2] is None
+
+    @property
+    def xxsrc(self) -> "XXpr":
+        return self.ldmstm_xpr(3, "xxsrc")
+
+    @property
+    def is_xxsrc_unknown(self) -> bool:
+        return self.xdata.xprs_r[3] is None
+
+    @property
+    def copysize(self) -> int:
+        if self.is_ldmstm_aggregate:
+            return self.xdata.ints[0]
+        else:
+            raise UF.CHBError("Not an ldmstm aggregate")
+
+    @property
+    def annotation(self) -> str:
+        if self.is_ok:
+            if self.is_ldmstm_aggregate:
+                return (
+                    "memcpy(" +
+                    str(self.xxdst)
+                    + ", "
+                    + str(self.xxsrc)
+                    + ", "
+                    + str(self.copysize)
+                    + ")")
+            else:
+                return "not yet supported"
+        else:
+            if self.is_ldmstm_aggregate:
+                if self.is_xxdst_unknown and self.is_xxsrc_unknown:
+                    dst = str(self.xdst)
+                    src = str(self.xsrc)
+                elif self.is_xxdst_unknown:
+                    dst = str(self.xdst)
+                    src = str(self.xxsrc)
+                else:
+                    dst = str(self.xxdst)
+                    src = str(self.xsrc)
+                return (
+                        "memcpy("
+                        + dst
+                        + ", "
+                        + src
+                        + ", "
+                        + str(self.copysize)
+                        + ")")
+            else:
+                return "not yet supported"
+
 
 
 @armregistry.register_tag("STM", ARMOpcode)
@@ -78,10 +170,7 @@ class ARMStoreMultipleIncrementAfter(ARMOpcode):
     useshigh[1..n]: use-high of memory variables
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "StoreMultipleIncrementAfter")
 
@@ -114,15 +203,8 @@ def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxx .
-
-        vars[0..n]: lhs variables
-        xprs[0..n]: rhs expressions
-        """
-
-        # TODO: Consider self.writeback like in the load case
-        return '; '.join(
-            str(lhs) + " := " + str(x) for (lhs, x) in zip(xdata.vars, xdata.xprs))
+        xd = ARMStoreMultipleIncrementAfterXData(xdata)
+        return xd.annotation
 
     def ast_prov_ldmstmcopy(
             self,
@@ -183,11 +265,22 @@ def ast_prov_ldmstmcopy(
 
         # high-level call
 
-        xdst = xdata.xprs[0]
-        xsrc = xdata.xprs[1]
-        xxdst = xdata.xprs[2]
-        xxsrc = xdata.xprs[3]
-        xsize = xdata.ints[0]
+        xd = ARMStoreMultipleIncrementAfterXData(xdata)
+        if not xd.is_ok:
+            if xd.is_xxsrc_unknown and xd.is_xxdst_unknown:
+                chklogger.logger.error(
+                    "LDM-STM-memcpy: (%s): src and dst unknown", iaddr)
+            elif xd.is_xxsrc_unknown:
+                chklogger.logger.error("LDM-STM-memcpy: (%s): src unknown", iaddr)
+            else:
+                chklogger.logger.error("LDM-STM-memcpy: (%s): dst unknown", iaddr)
+            return ([], [])
+
+        xdst = xd.xdst
+        xsrc = xd.xsrc
+        xxdst = xd.xxdst
+        xxsrc = xd.xxsrc
+        xsize = xd.copysize
 
         # low-level arguments
 
diff --git a/chb/arm/opcodes/ARMStoreRegister.py b/chb/arm/opcodes/ARMStoreRegister.py
index 537e4d28..35654d19 100644
--- a/chb/arm/opcodes/ARMStoreRegister.py
+++ b/chb/arm/opcodes/ARMStoreRegister.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -31,7 +31,7 @@
 from chb.app.MemoryAccess import MemoryAccess, RegisterSpill
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -41,8 +41,9 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
@@ -51,9 +52,67 @@
     from chb.invariants.VAssemblyVariable import (
         VAuxiliaryVariable, VMemoryVariable)
     from chb.invariants.VConstantValueVariable import VInitialRegisterValue
+    from chb.invariants.XVariable import XVariable
     from chb.invariants.XXpr import XprVariable
 
 
+class ARMStoreRegisterXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(0, "vmem")
+
+    @property
+    def is_vmem_unknown(self) -> bool:
+        return self.xdata.vars_r[0] is None
+
+    @property
+    def vrn(self) -> "XVariable":
+        return self.var(1, "vrn")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xrt(self) -> "XXpr":
+        return self.xpr(2, "xrt")
+
+    @property
+    def xxrt(self) -> "XXpr":
+        return self.xpr(3, "xxrt")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def xaddr_updated(self) -> "XXpr":
+        return self.xpr(5, "xaddr_updated")
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vmem) + " := " + str(self.xxrt)
+        elif self.is_vmem_unknown and self.is_address_known:
+            assignment = "*(" + str(self.xaddr) + ") := " + str(self.xxrt)
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment + wbu)
+
+
 @armregistry.register_tag("STR", ARMOpcode)
 class ARMStoreRegister(ARMOpcode):
     """Stores a word from a register into memory.
@@ -109,10 +168,11 @@ def is_write_back(self) -> bool:
 
     def memory_accesses(self, xdata: InstrXData) -> Sequence[MemoryAccess]:
         spill = self.register_spill(xdata)
+        xd = ARMStoreRegisterXData(xdata)
         if spill is not None:
-            return [RegisterSpill(xdata.xprs[4], spill)]
+            return [RegisterSpill(xd.xaddr, spill)]
         else:
-            return [MemoryAccess(xdata.xprs[4], "W", size=4)]
+            return [MemoryAccess(xd.xaddr, "W", size=4)]
 
     @property
     def membase_operand(self) -> ARMOperand:
@@ -126,9 +186,10 @@ def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def register_spill(self, xdata: InstrXData) -> Optional[str]:
-        swaddr = xdata.xprs[4]
+        xd = ARMStoreRegisterXData(xdata)
+        swaddr = xd.xaddr
         if swaddr.is_stack_address:
-            rhs = xdata.xprs[3]
+            rhs = xd.xxrt
             if rhs.is_var:
                 rhsv = cast("XprVariable", rhs).variable
                 if rhsv.denotation.is_auxiliary_variable:
@@ -141,24 +202,7 @@ def register_spill(self, xdata: InstrXData) -> Optional[str]:
         return None
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        if rhs.is_function_return_value:
-            rhsp = str(rhs.variable.denotation)
-        else:
-            rhsp = str(rhs)
-        assign = str(lhs) + " := " + rhsp
-
-        xctr = 5
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        return pcond + assign
+        return ARMStoreRegisterXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -168,6 +212,7 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
+        xd = ARMStoreRegisterXData(xdata)
         annotations: List[str] = [iaddr, "STR"]
 
         # low-level assignment
@@ -183,9 +228,21 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        memaddr = xdata.xprs[4]
+        if xd.is_ok:
+            lhs = xd.vmem
+            memaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(
+                lhs, xdata, iaddr, astree, memaddr=memaddr)
+
+        elif xd.is_vmem_unknown and xd.is_address_known:
+            memaddr = xd.xaddr
+            hl_lhs = XU.xmemory_dereference_lval(memaddr, xdata, iaddr, astree)
+
+        else:
+            chklogger.logger.error("Error value encountered at %s", iaddr)
+            return ([], [])
+
+        rhs = xd.xxrt
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
@@ -198,9 +255,6 @@ def ast_prov(
             cstr = rhs.constant.string_reference()
             hl_rhs = astree.mk_string_constant(hl_rhs, cstr, saddr)
 
-        hl_lhs = XU.xvariable_to_ast_lval(
-            lhs, xdata, iaddr, astree, memaddr=memaddr)
-
         hl_assign = astree.mk_assign(
             hl_lhs,
             hl_rhs,
@@ -212,7 +266,7 @@ def ast_prov(
         # to variables that are part of a struct or array variable, so these
         # assignments must be explicitly forced to appear in the lifting
         if (
-                lhs.is_tmp
+                xd.is_vmem_unknown
                 or hl_lhs.offset.is_index_offset
                 or hl_lhs.offset.is_field_offset):
             astree.add_expose_instruction(hl_assign.instrid)
@@ -240,8 +294,8 @@ def ast_prov(
                 annotations=annotations)
             ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
 
-            basereg = xdata.vars[1]
-            newaddr = xdata.xprs[4]
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
             hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
             hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
 
diff --git a/chb/arm/opcodes/ARMStoreRegisterByte.py b/chb/arm/opcodes/ARMStoreRegisterByte.py
index 7a7f9526..2c093cd9 100644
--- a/chb/arm/opcodes/ARMStoreRegisterByte.py
+++ b/chb/arm/opcodes/ARMStoreRegisterByte.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,12 +39,65 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.arm.ARMOperandKind import ARMOffsetAddressOp
     from chb.invariants.VAssemblyVariable import VMemoryVariable
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMStoreRegisterByteXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(0, "vmem")
+
+    @property
+    def is_vmem_unknown(self) -> bool:
+        return self.xdata.vars_r[0] is None
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xrt(self) -> "XXpr":
+        return self.xpr(2, "xrt")
+
+    @property
+    def xxrt(self) -> "XXpr":
+        return self.xpr(3, "xxrt")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vmem) + " := " + str(self.xxrt)
+        elif self.is_vmem_unknown and self.is_address_known:
+            assignment = "*(" + str(self.xaddr) + ") := " + str(self.xxrt)
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment + wbu)
 
 
 @armregistry.register_tag("STRB", ARMOpcode)
@@ -78,10 +131,7 @@ class ARMStoreRegisterByte(ARMOpcode):
     useshigh[1]: vrn (base register, only if writeback)
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "StoreRegisterByte")
 
@@ -110,20 +160,7 @@ def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-        assign = lhs + " := " + rhs
-
-        xctr = 5
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        return pcond + assign
+        return ARMStoreRegisterByteXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -148,10 +185,25 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
-        rhs_basic = xdata.xprs[2]
-        memaddr = xdata.xprs[4]
+        xd = ARMStoreRegisterByteXData(xdata)
+
+        if xd.is_ok:
+            lhs = xd.vmem
+            memaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(
+                lhs, xdata, iaddr, astree, memaddr=memaddr)
+
+        elif xd.is_vmem_unknown and xd.is_address_known:
+            memaddr = xd.xaddr
+            hl_lhs = XU.xmemory_dereference_lval(memaddr, xdata, iaddr, astree)
+
+        else:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.xxrt
+        rhs_basic = xd.xrt
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
@@ -163,9 +215,6 @@ def ast_prov(
         else:
             hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
 
-        hl_lhs = XU.xvariable_to_ast_lval(
-            lhs, xdata, iaddr, astree, memaddr=memaddr)
-
         hl_assign = astree.mk_assign(
             hl_lhs,
             hl_rhs,
@@ -175,7 +224,7 @@ def ast_prov(
 
         # to highlight missing info, expose in the lifting store instructions
         # that are unresolved
-        if lhs.is_tmp:
+        if xd.is_vmem_unknown:
             astree.add_expose_instruction(hl_assign.instrid)
 
         astree.add_instr_mapping(hl_assign, ll_assign)
@@ -186,6 +235,45 @@ def ast_prov(
         astree.add_lval_defuses(hl_lhs, defuses[0])
         astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
 
+        # add optional write-back
+
+        if self.opargs[3].is_indirect_register and self.opargs[3].is_write_back:
+            addrop = cast("ARMOffsetAddressOp", self.opargs[3].opkind)
+            (ll_addr_lhs, _, _) = self.opargs[1].ast_lvalue(astree)
+            ll_addr_rhs = addrop.ast_addr_rvalue(astree)
+
+            ll_addr_assign = astree.mk_assign(
+                ll_addr_lhs,
+                ll_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
+
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
+            hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
+            hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
+
+            hl_addr_assign = astree.mk_assign(
+                hl_addr_lhs,
+                hl_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            hl_assigns: List[AST.ASTInstruction] = [hl_assign, hl_addr_assign]
+
+            astree.add_instr_mapping(hl_addr_assign, ll_addr_assign)
+            astree.add_instr_address(hl_addr_assign, [iaddr])
+            astree.add_expr_mapping(hl_addr_rhs, ll_addr_rhs)
+            astree.add_lval_mapping(hl_addr_lhs, ll_addr_lhs)
+            astree.add_expr_reachingdefs(ll_addr_rhs, [rdefs[0]])
+            astree.add_lval_defuses(ll_addr_lhs, defuses[1])
+            astree.add_lval_defuses_high(ll_addr_lhs, defuseshigh[1])
+        else:
+            ll_assigns = [ll_assign]
+            hl_assigns = [hl_assign]
+
         if ll_lhs.lhost.is_memref:
             memexp = cast(AST.ASTMemRef, ll_lhs.lhost).memexp
             astree.add_expr_reachingdefs(memexp, [rdefs[0], rdefs[1]])
diff --git a/chb/arm/opcodes/ARMStoreRegisterDual.py b/chb/arm/opcodes/ARMStoreRegisterDual.py
index 41991cf7..a85f4830 100644
--- a/chb/arm/opcodes/ARMStoreRegisterDual.py
+++ b/chb/arm/opcodes/ARMStoreRegisterDual.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,13 +25,13 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import cast, List, Sequence, Tuple, TYPE_CHECKING
+from typing import cast, List, Optional, Sequence, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 from chb.app.MemoryAccess import MemoryAccess, RegisterSpill
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 from chb.arm.ARMRegister import ARMRegister
 
@@ -41,11 +41,77 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.VarInvariantFact import ReachingDefFact
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMStoreRegisterDualXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vmem1(self) -> "XVariable":
+        return self.var(0, "vmem1")
+
+    @property
+    def vmem2(self) -> "XVariable":
+        return self.var(1, "vmem2")
+
+    @property
+    def vrn(self) -> "XVariable":
+        return self.var(2, "vrn")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xrt(self) -> "XXpr":
+        return self.xpr(2, "xrt")
+
+    @property
+    def xxrt(self) -> "XXpr":
+        return self.xpr(3, "xxrt")
+
+    @property
+    def xrt2(self) -> "XXpr":
+        return self.xpr(4, "xrt2")
+
+    @property
+    def xxrt2(self) -> "XXpr":
+        return self.xpr(5, "xxrt2")
+
+    @property
+    def xaddr1(self) -> "XXpr":
+        return self.xpr(6, "xaddr1")
+
+    @property
+    def xaddr2(self) -> "XXpr":
+        return self.xpr(7, "xaddr2")
+
+    @property
+    def xaddr_updated(self) -> "XXpr":
+        return self.xpr(8, "xaddr_updated")
+
+    @property
+    def annotation(self) -> str:
+        assignment = (
+            str(self.vmem1) + " := " + str(self.xxrt) + "; "
+                + str(self.vmem2) + " := " + str(self.xxrt2))
+        wbu = self.writeback_update()
+        return self.add_instruction_condition(assignment + wbu)
 
 
 @armregistry.register_tag("STRD", ARMOpcode)
@@ -82,10 +148,7 @@ class ARMStoreRegisterDual(ARMOpcode):
     rdef[5]: xxrt2 (rhs2, simplified)
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 6, "StoreRegisterDual")
 
@@ -99,24 +162,26 @@ def opargs(self) -> List[ARMOperand]:
 
     def memory_accesses(self, xdata: InstrXData) -> Sequence[MemoryAccess]:
         spills = self.register_spills(xdata)
+        xd = ARMStoreRegisterDualXData(xdata)
         if len(spills) == 2:
             return [
-                RegisterSpill(xdata.xprs[6], spills[0]),
-                RegisterSpill(xdata.xprs[7], spills[1])]
+                RegisterSpill(xd.xaddr1, spills[0]),
+                RegisterSpill(xd.xaddr2, spills[1])]
         else:
             return [
-                MemoryAccess(xdata.xprs[6], "W", size=4),
-                MemoryAccess(xdata.xprs[7], "W", size=4)]
+                MemoryAccess(xd.xaddr1, "W", size=4),
+                MemoryAccess(xd.xaddr2, "W", size=4)]
 
     def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def register_spills(self, xdata: InstrXData) -> List[str]:
-        swaddr = xdata.xprs[6]
+        xd = ARMStoreRegisterDualXData(xdata)
+        swaddr = xd.xaddr1
         result: List[str] = []
         if swaddr.is_stack_address:
-            rhs1 = xdata.xprs[3]
-            rhs2 = xdata.xprs[5]
+            rhs1 = xd.xxrt
+            rhs2 = xd.xxrt2
             if rhs1.is_initial_register_value:
                 r1 = cast("ARMRegister", rhs1.initial_register_value_register())
                 if r1.is_arm_callee_saved_register:
@@ -128,11 +193,11 @@ def register_spills(self, xdata: InstrXData) -> List[str]:
         return result
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs1 = str(xdata.vars[0])
-        lhs2 = str(xdata.vars[1])
-        rhs = str(xdata.xprs[3])
-        rhs2 = str(xdata.xprs[5])
-        return lhs1 + " := " + rhs + "; " + lhs2 + " := " + rhs2
+        xd = ARMStoreRegisterDualXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def assembly_ast(
             self,
@@ -161,6 +226,8 @@ def ast_prov(
             xdata: InstrXData) -> Tuple[
                 List[AST.ASTInstruction], List[AST.ASTInstruction]]:
 
+        xd = ARMStoreRegisterDualXData(xdata)
+
         annotations: List[str] = [iaddr, "STRD"]
 
         # low-level assignments
@@ -183,16 +250,21 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
-        # high-level assignments
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Error value encountered at address %s", iaddr)
+            return ([], [])
 
-        lhs1 = xdata.vars[0]
-        lhs2 = xdata.vars[1]
-        rhs1 = xdata.xprs[3]
-        rhs2 = xdata.xprs[5]
+        # high-level assignments
         rdefs = xdata.reachingdefs
         deful = xdata.defuses
         defuh = xdata.defuseshigh
 
+        lhs1 = xd.vmem1
+        lhs2 = xd.vmem2
+        rhs1 = xd.xxrt
+        rhs2 = xd.xxrt2
+
         hl_rhs1 = XU.xxpr_to_ast_def_expr(rhs1, xdata, iaddr, astree)
         hl_rhs2 = XU.xxpr_to_ast_def_expr(rhs2, xdata, iaddr, astree)
 
@@ -212,6 +284,8 @@ def ast_prov(
             bytestring=bytestring,
             annotations=annotations)
 
+        # TODO: add writeback update
+
         astree.add_instr_mapping(hl_assign1, ll_assign1)
         astree.add_instr_mapping(hl_assign2, ll_assign2)
         astree.add_instr_address(hl_assign1, [iaddr])
diff --git a/chb/arm/opcodes/ARMStoreRegisterHalfword.py b/chb/arm/opcodes/ARMStoreRegisterHalfword.py
index 7b1319e0..6d6cd45e 100644
--- a/chb/arm/opcodes/ARMStoreRegisterHalfword.py
+++ b/chb/arm/opcodes/ARMStoreRegisterHalfword.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,12 +39,64 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.arm.ARMOperandKind import ARMOffsetAddressOp
     from chb.invariants.VAssemblyVariable import VMemoryVariable
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMStoreRegisterHalfwordXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vmem(self) -> "XVariable":
+        return self.var(0, "vmem")
+
+    @property
+    def is_vmem_unknown(self) -> bool:
+        return self.xdata.vars_r[0] is None
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xrt(self) -> "XXpr":
+        return self.xpr(2, "xrt")
+
+    @property
+    def xxrt(self) -> "XXpr":
+        return self.xpr(3, "xxrt")
+
+    @property
+    def xaddr(self) -> "XXpr":
+        return self.xpr(4, "xaddr")
+
+    @property
+    def is_address_known(self) -> bool:
+        return self.xdata.xprs_r[4] is not None
+
+    @property
+    def annotation(self) -> str:
+        wbu = self.writeback_update()
+        if self.is_ok:
+            assignment = str(self.vmem) + " := " + str(self.xxrt)
+        elif self.is_vmem_unknown and self.is_address_known:
+            assignment = "*(" + str(self.xaddr) + ") := " + str(self.xxrt)
+        else:
+            assignment = "Error value"
+        return self.add_instruction_condition(assignment + wbu)
 
 
 @armregistry.register_tag("STRH", ARMOpcode)
@@ -108,21 +160,7 @@ def is_store_instruction(self, xdata: InstrXData) -> bool:
         return True
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        rhs = str(xdata.xprs[3])
-
-        assign = lhs + " := " + rhs
-
-        xctr = 4
-        if xdata.has_instruction_condition():
-            pcond = "if " + str(xdata.xprs[xctr]) + " then "
-            xctr += 1
-        elif xdata.has_unknown_instruction_condition():
-            pcond = "if ? then "
-        else:
-            pcond = ""
-
-        return pcond + assign
+        return ARMStoreRegisterHalfwordXData(xdata).annotation
 
     def ast_prov(
             self,
@@ -147,16 +185,29 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[3]
+        xd = ARMStoreRegisterHalfwordXData(xdata)
+
+        if xd.is_ok:
+            lhs = xd.vmem
+            memaddr = xd.xaddr
+            hl_lhs = XU.xvariable_to_ast_lval(
+                lhs, xdata, iaddr, astree, memaddr=memaddr)
+
+        elif xd.is_vmem_unknown and xd.is_address_known:
+            memaddr = xd.xaddr
+            hl_lhs = XU.xmemory_dereference_lval(memaddr, xdata, iaddr, astree)
+
+        else:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.xxrt
         rdefs = xdata.reachingdefs
-        memaddr = xdata.xprs[4]
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
         hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
-        hl_lhs = XU.xvariable_to_ast_lval(
-            lhs, xdata, iaddr, astree, memaddr=memaddr, size=2)
 
         hl_assign = astree.mk_assign(
             hl_lhs,
@@ -175,4 +226,43 @@ def ast_prov(
         astree.add_lval_defuses(hl_lhs, defuses[0])
         astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
 
+        # add optional write-back
+
+        if self.opargs[3].is_indirect_register and self.opargs[3].is_write_back:
+            addrop = cast("ARMOffsetAddressOp", self.opargs[3].opkind)
+            (ll_addr_lhs, _, _) = self.opargs[1].ast_lvalue(astree)
+            ll_addr_rhs = addrop.ast_addr_rvalue(astree)
+
+            ll_addr_assign = astree.mk_assign(
+                ll_addr_lhs,
+                ll_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            ll_assigns: List[AST.ASTInstruction] = [ll_assign, ll_addr_assign]
+
+            basereg = xd.get_base_update_var()
+            newaddr = xd.get_base_update_xpr()
+            hl_addr_lhs = XU.xvariable_to_ast_lval(basereg, xdata, iaddr, astree)
+            hl_addr_rhs = XU.xxpr_to_ast_def_expr(newaddr, xdata, iaddr, astree)
+
+            hl_addr_assign = astree.mk_assign(
+                hl_addr_lhs,
+                hl_addr_rhs,
+                iaddr=iaddr,
+                bytestring=bytestring,
+                annotations=annotations)
+            hl_assigns: List[AST.ASTInstruction] = [hl_assign, hl_addr_assign]
+
+            astree.add_instr_mapping(hl_addr_assign, ll_addr_assign)
+            astree.add_instr_address(hl_addr_assign, [iaddr])
+            astree.add_expr_mapping(hl_addr_rhs, ll_addr_rhs)
+            astree.add_lval_mapping(hl_addr_lhs, ll_addr_lhs)
+            astree.add_expr_reachingdefs(ll_addr_rhs, [rdefs[0]])
+            astree.add_lval_defuses(ll_addr_lhs, defuses[1])
+            astree.add_lval_defuses_high(ll_addr_lhs, defuseshigh[1])
+        else:
+            ll_assigns = [ll_assign]
+            hl_assigns = [hl_assign]
+
         return ([hl_assign], [ll_assign])
diff --git a/chb/arm/opcodes/ARMSubtract.py b/chb/arm/opcodes/ARMSubtract.py
index 3a54602f..0ba20cbb 100644
--- a/chb/arm/opcodes/ARMSubtract.py
+++ b/chb/arm/opcodes/ARMSubtract.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,12 +39,50 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
+
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
-    from chb.invariants.XXpr import XprCompound, XprConstant
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XprCompound, XprConstant, XXpr
+
+
+class ARMSubtractXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("SUBW", ARMOpcode)
@@ -76,10 +114,7 @@ class ARMSubtract(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 6, "Subtract")
 
@@ -110,11 +145,11 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMSubtractXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
@@ -147,10 +182,15 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        rhs3 = xdata.xprs[3]
+        xd = ARMSubtractXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error("Error value encountered at %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
 
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/arm/opcodes/ARMSubtractCarry.py b/chb/arm/opcodes/ARMSubtractCarry.py
index de809145..7f1171af 100644
--- a/chb/arm/opcodes/ARMSubtractCarry.py
+++ b/chb/arm/opcodes/ARMSubtractCarry.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,25 +25,65 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
-import chb.util.fileutil as UF
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+import chb.invariants.XXprUtil as XU
 
+import chb.util.fileutil as UF
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMSubtractCarryXData(ARMOpcodeXData):
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[3], self.xdata.args[4], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("SBC", ARMOpcode)
 class ARMSubtractCarry(ARMOpcode):
-    """Subtracts an immediate or register value from a register and the value of NOT carry.
+    """Subtracts an imm. or register value from a register and the value of NOT carry.
 
     SBC{S}<c> <Rd>, <Rn>, <Rm>{, <shift>}
 
@@ -55,10 +95,7 @@ class ARMSubtractCarry(ARMOpcode):
     args[4]: is-wide (thumb)
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "SubtractCarry")
 
@@ -77,17 +114,74 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxxxxx .
-
-        vars[0]: lhs
-        xprs[0]: rhs1
-        xprs[1]: rhs2
-        xprs[2]: rhs1 - rhs2 (syntactic)
-        xprs[3]: rhs1 - rhs2 (simplified)
-        """
-
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[3], xdata.args[4], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMSubtractCarryXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
+
+    def ast_prov(
+            self,
+            astree: ASTInterface,
+            iaddr: str,
+            bytestring: str,
+            xdata: InstrXData) -> Tuple[
+                List[AST.ASTInstruction], List[AST.ASTInstruction]]:
+
+        annotations: List[str] = [iaddr, "SBC"]
+
+        # low-level assignment
+
+        (ll_lhs, _, _) = self.opargs[0].ast_lvalue(astree)
+        (ll_op1, _, _) = self.opargs[1].ast_rvalue(astree)
+        (ll_op2, _, _) = self.opargs[2].ast_rvalue(astree)
+        ll_rhs = astree.mk_binary_op("minus", ll_op1, ll_op2)
+
+        ll_assign = astree.mk_assign(
+            ll_lhs,
+            ll_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        rdefs = xdata.reachingdefs
+
+        astree.add_expr_reachingdefs(ll_op1, [rdefs[0]])
+        astree.add_expr_reachingdefs(ll_op2, [rdefs[1]])
+
+        # high-level assignment
+
+        xd = ARMSubtractCarryXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        rhs3 = xd.rresult
+
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
+
+        hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhs3, xdata, iaddr, astree)
+
+        hl_assign = astree.mk_assign(
+            hl_lhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign, ll_assign)
+        astree.add_instr_address(hl_assign, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_lval_mapping(hl_lhs, ll_lhs)
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[2:])
+        astree.add_expr_reachingdefs(ll_rhs, rdefs[:2])
+        astree.add_lval_defuses(hl_lhs, defuses[0])
+        astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
+
+        return ([hl_assign], [ll_assign])
diff --git a/chb/arm/opcodes/ARMTest.py b/chb/arm/opcodes/ARMTest.py
index 96ba94cd..a3e3c449 100644
--- a/chb/arm/opcodes/ARMTest.py
+++ b/chb/arm/opcodes/ARMTest.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,20 +25,50 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
-import chb.util.fileutil as UF
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+import chb.invariants.XXprUtil as XU
 
+import chb.util.fileutil as UF
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMTestXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(1, "xrn")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def annotation(self) -> str:
+        ann = "compare " + str(self.xrm) + " and " + str(self.xrn)
+        ann += " (" + str(self.result) + ")"
+        return self.add_instruction_condition(ann)
 
 
 @armregistry.register_tag("TST", ARMOpcode)
@@ -53,10 +83,7 @@ class ARMTest(ARMOpcode):
     args[2]: thumb-wide
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 3, "Test")
 
@@ -70,12 +97,61 @@ def mnemonic_extension(self) -> str:
         return cc + wide
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:xx .
+        xd = ARMTestXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
-        xprs[0]: Rn
-        xprs[1]: Rm
-        """
-
-        rhs1 = str(xdata.xprs[0])
-        rhs2 = str(xdata.xprs[1])
-        return "compare " + str(rhs1) + " and " + str(rhs2)
+    def ast_prov(
+            self,
+            astree: ASTInterface,
+            iaddr: str,
+            bytestring: str,
+            xdata: InstrXData) -> Tuple[
+                List[AST.ASTInstruction], List[AST.ASTInstruction]]:
+        """Creates assignments of the bitwise and performed with lhs ignored."""
+
+        annotations: List[str] = [iaddr, "TST"]
+
+        # low-level assignment
+
+        (ll_rhs1, _, _) = self.opargs[0].ast_rvalue(astree)
+        (ll_rhs2, _, _) = self.opargs[1].ast_rvalue(astree)
+        ll_rhs = astree.mk_binary_op("band", ll_rhs1, ll_rhs2)
+
+        ll_assign = astree.mk_assign(
+            astree.ignoredlhs,
+            ll_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        # high-level assignment
+
+        xd = ARMTestXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Error value encountered at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.result
+        rdefs = xdata.reachingdefs
+
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
+
+        hl_assign = astree.mk_assign(
+            astree.ignoredlhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign, ll_assign)
+        astree.add_instr_address(hl_assign, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_expr_reachingdefs(ll_rhs1, [rdefs[0]])
+        astree.add_expr_reachingdefs(ll_rhs2, [rdefs[1]])
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[2:])
+
+        return ([hl_assign], [ll_assign])
diff --git a/chb/arm/opcodes/ARMTestEquivalence.py b/chb/arm/opcodes/ARMTestEquivalence.py
index a628b9ba..b917c0f0 100644
--- a/chb/arm/opcodes/ARMTestEquivalence.py
+++ b/chb/arm/opcodes/ARMTestEquivalence.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021 Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,20 +25,50 @@
 # SOFTWARE.
 # ------------------------------------------------------------------------------
 
-from typing import List, TYPE_CHECKING
+from typing import List, Tuple, TYPE_CHECKING
 
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
-import chb.util.fileutil as UF
+import chb.ast.ASTNode as AST
+from chb.astinterface.ASTInterface import ASTInterface
+
+import chb.invariants.XXprUtil as XU
 
+import chb.util.fileutil as UF
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMTestEquivalenceXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(1, "xrn")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def annotation(self) -> str:
+        ann = "compare " + str(self.xrm) + " and " + str(self.xrn)
+        ann += " (" + str(self.result) + ")"
+        return self.add_instruction_condition(ann)
 
 
 @armregistry.register_tag("TEQ", ARMOpcode)
@@ -52,10 +82,7 @@ class ARMTestEquivalence(ARMOpcode):
     args[1]: index of op2 in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "TestEquivalence")
 
@@ -64,4 +91,61 @@ def operands(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args]
 
     def annotation(self, xdata: InstrXData) -> str:
-        return "pending"
+        xd = ARMTestEquivalenceXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
+
+    def ast_prov(
+            self,
+            astree: ASTInterface,
+            iaddr: str,
+            bytestring: str,
+            xdata: InstrXData) -> Tuple[
+                List[AST.ASTInstruction], List[AST.ASTInstruction]]:
+        """Creates assignments of the bitwise xor performed with lhs ignored."""
+
+        annotations: List[str] = [iaddr, "TEQ"]
+
+        # low-level assignment
+
+        (ll_rhs1, _, _) = self.opargs[0].ast_rvalue(astree)
+        (ll_rhs2, _, _) = self.opargs[1].ast_rvalue(astree)
+        ll_rhs = astree.mk_binary_op("bxor", ll_rhs1, ll_rhs2)
+
+        ll_assign = astree.mk_assign(
+            astree.ignoredlhs,
+            ll_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        # high-level assignment
+
+        xd = ARMTestEquivalenceXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Error value encountered at address %s", iaddr)
+            return ([], [])
+
+        rhs = xd.result
+        rdefs = xdata.reachingdefs
+
+        hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
+
+        hl_assign = astree.mk_assign(
+            astree.ignoredlhs,
+            hl_rhs,
+            iaddr=iaddr,
+            bytestring=bytestring,
+            annotations=annotations)
+
+        astree.add_instr_mapping(hl_assign, ll_assign)
+        astree.add_instr_address(hl_assign, [iaddr])
+        astree.add_expr_mapping(hl_rhs, ll_rhs)
+        astree.add_expr_reachingdefs(ll_rhs1, [rdefs[0]])
+        astree.add_expr_reachingdefs(ll_rhs2, [rdefs[1]])
+        astree.add_expr_reachingdefs(hl_rhs, rdefs[2:])
+
+        return ([hl_assign], [ll_assign])
diff --git a/chb/arm/opcodes/ARMUnsignedBitFieldExtract.py b/chb/arm/opcodes/ARMUnsignedBitFieldExtract.py
index 58d56b1f..8e85eb9b 100644
--- a/chb/arm/opcodes/ARMUnsignedBitFieldExtract.py
+++ b/chb/arm/opcodes/ARMUnsignedBitFieldExtract.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -45,6 +45,36 @@
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMUnsignedBitFieldExtractXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xxrn(self) -> "XXpr":
+        return self.xpr(1, "xxrn")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[1], self.xdata.args[2], self.xrn, self.xxrn)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("UBFX", ARMOpcode)
@@ -67,10 +97,7 @@ class ARMUnsignedExtractBitField(ARMOpcode):
     useshigh: lhs
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 2, "UnsignedBitFieldExtract")
 
@@ -83,18 +110,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args]
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxx .
-
-        vars[0]: lhs
-        xprs[0]: rhs1
-        xprs[1]: value to be stored (syntactic)
-        """
-
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[0]
-        rresult = xdata.xprs[1]
-        xresult = simplify_result(xdata.args[1], xdata.args[2], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMUnsignedBitFieldExtractXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     # --------------------------------------------------------------------------
     # Operation
@@ -127,8 +147,14 @@ def ast_prov(
 
         # high-level assignment
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[1]
+        xd = ARMUnsignedBitFieldExtractXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.xxrn
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
diff --git a/chb/arm/opcodes/ARMUnsignedExtendByte.py b/chb/arm/opcodes/ARMUnsignedExtendByte.py
index 327cb866..5a3caf15 100644
--- a/chb/arm/opcodes/ARMUnsignedExtendByte.py
+++ b/chb/arm/opcodes/ARMUnsignedExtendByte.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,46 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMUnsignedExtendByteXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(1, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(2, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[2], self.xdata.args[3], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
+
 
 
 @armregistry.register_tag("UXTB", ARMOpcode)
@@ -69,10 +104,7 @@ class ARMUnsignedExtendByte(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 3, "UnsignedExtendByte")
 
@@ -90,11 +122,11 @@ def opargs(self) -> List[ARMOperand]:
         return self.operands
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[1]
-        rresult = xdata.xprs[2]
-        xresult = simplify_result(xdata.args[2], xdata.args[3], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMUnsignedExtendByteXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def ast_prov(
             self,
@@ -106,12 +138,6 @@ def ast_prov(
 
         annotations: List[str] = [iaddr, "UXTB"]
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[2]
-        rdefs = xdata.reachingdefs
-        defuses = xdata.defuses
-        defuseshigh = xdata.defuseshigh
-
         # low-level assignment
 
         (ll_rhs, _, _) = self.opargs[1].ast_rvalue(astree)
@@ -126,6 +152,18 @@ def ast_prov(
 
         # high-level assignment
 
+        xd = ARMUnsignedExtendByteXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
+        rdefs = xdata.reachingdefs
+        defuses = xdata.defuses
+        defuseshigh = xdata.defuseshigh
+
         hl_lhs = XU.xvariable_to_ast_lval(lhs, xdata, iaddr, astree)
         hl_rhs = XU.xxpr_to_ast_def_expr(rhs, xdata, iaddr, astree)
 
diff --git a/chb/arm/opcodes/ARMUnsignedExtendHalfword.py b/chb/arm/opcodes/ARMUnsignedExtendHalfword.py
index 139d0c0d..a891ed8b 100644
--- a/chb/arm/opcodes/ARMUnsignedExtendHalfword.py
+++ b/chb/arm/opcodes/ARMUnsignedExtendHalfword.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,45 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
-    import chb.arm.ARMDictionary
+    from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMUnsignedExtendHalfwordXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vrd(self) -> "XVariable":
+        return self.var(0, "vrd")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(0, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(1, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(2, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[2], self.xdata.args[3], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vrd) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("UXTH", ARMOpcode)
@@ -69,10 +103,7 @@ class ARMUnsignedExtendHalfword(ARMOpcode):
     useshigh[0]: lhs
     """
 
-    def __init__(
-            self,
-            d: "chb.arm.ARMDictionary.ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
 
     @property
@@ -89,11 +120,11 @@ def opargs(self) -> List[ARMOperand]:
         return self.operands
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhs = str(xdata.vars[0])
-        result = xdata.xprs[1]
-        rresult = xdata.xprs[2]
-        xresult = simplify_result(xdata.args[2], xdata.args[3], result, rresult)
-        return lhs + " := " + xresult
+        xd = ARMUnsignedExtendHalfwordXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def assembly_ast(
             self,
@@ -134,8 +165,16 @@ def ast_prov(
 
         astree.add_expr_reachingdefs(ll_rhs, [rdefs[0]])
 
-        lhs = xdata.vars[0]
-        rhs = xdata.xprs[2]
+        # high-level assignment
+
+        xd = ARMUnsignedExtendHalfwordXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs = xd.vrd
+        rhs = xd.rresult
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
 
@@ -158,4 +197,9 @@ def ast_prov(
         astree.add_lval_defuses(hl_lhs, defuses[0])
         astree.add_lval_defuses_high(hl_lhs, defuseshigh[0])
 
+        if astree.has_register_variable_intro(iaddr):
+            rvintro = astree.get_register_variable_intro(iaddr)
+            if rvintro.has_cast():
+                astree.add_expose_instruction(hl_assign.instrid)
+
         return ([hl_assign], [ll_assign])
diff --git a/chb/arm/opcodes/ARMUnsignedMultiplyAccumulateLong.py b/chb/arm/opcodes/ARMUnsignedMultiplyAccumulateLong.py
index 16dc23e0..9c8b8b41 100644
--- a/chb/arm/opcodes/ARMUnsignedMultiplyAccumulateLong.py
+++ b/chb/arm/opcodes/ARMUnsignedMultiplyAccumulateLong.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2023  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,15 +30,62 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMUnsignedMultiplyAccumulateLongXData(ARMOpcodeXData):
+
+    @property
+    def vlo(self) -> "XVariable":
+        return self.var(0, "vlo")
+
+    @property
+    def vhi(self) -> "XVariable":
+        return self.var(1, "vhi")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def xlo(self) -> "XXpr":
+        return self.xpr(2, "xlo")
+
+    @property
+    def xhi(self) -> "XXpr":
+        return self.xpr(3, "xhi")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(4, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(5, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[6], self.xdata.args[7], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vlo) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("UMLAL", ARMOpcode)
@@ -55,10 +102,7 @@ class ARMUnsignedMultiplyAccumulateLong(ARMOpcode):
     args[4]: index of Rm in armdictionary
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "UnsignedMultiplyAccumulateLong")
 
@@ -76,19 +120,8 @@ def is_writeback(self) -> bool:
         return self.args[0] == 1
 
     def annotation(self, xdata: InstrXData) -> str:
-        """xdata format: a:vxxxx
-
-        vars[0]: lhslo
-        vars[1]: lhshi
-        xprs[0]: rhs1
-        xprs[1]: rhs2
-        xprs[2]: (rhs1 * rhs2)
-        xprs[3]: (rhs1 * rhs2)
-        """
-
-        lhslo = str(xdata.vars[0])
-        lhshi = str(xdata.vars[1])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[4], xdata.args[5], result, rresult)
-        return "(" + lhslo + "," + lhshi + ")" + " := " + xresult
+        xd = ARMUnsignedMultiplyAccumulateLongXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
diff --git a/chb/arm/opcodes/ARMUnsignedMultiplyLong.py b/chb/arm/opcodes/ARMUnsignedMultiplyLong.py
index f461d899..72e783b5 100644
--- a/chb/arm/opcodes/ARMUnsignedMultiplyLong.py
+++ b/chb/arm/opcodes/ARMUnsignedMultiplyLong.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -30,7 +30,7 @@
 from chb.app.InstrXData import InstrXData
 
 from chb.arm.ARMDictionaryRecord import armregistry
-from chb.arm.ARMOpcode import ARMOpcode, simplify_result
+from chb.arm.ARMOpcode import ARMOpcode, ARMOpcodeXData, simplify_result
 from chb.arm.ARMOperand import ARMOperand
 
 import chb.ast.ASTNode as AST
@@ -39,11 +39,53 @@
 import chb.invariants.XXprUtil as XU
 
 import chb.util.fileutil as UF
-
 from chb.util.IndexedTable import IndexedTableValue
+from chb.util.loggingutil import chklogger
 
 if TYPE_CHECKING:
     from chb.arm.ARMDictionary import ARMDictionary
+    from chb.invariants.XVariable import XVariable
+    from chb.invariants.XXpr import XXpr
+
+
+class ARMUnsignedMultiplyLongXData(ARMOpcodeXData):
+
+    def __init__(self, xdata: InstrXData) -> None:
+        ARMOpcodeXData.__init__(self, xdata)
+
+    @property
+    def vlo(self) -> "XVariable":
+        return self.var(0, "vlo")
+
+    @property
+    def vhi(self) -> "XVariable":
+        return self.var(1, "vhi")
+
+    @property
+    def xrn(self) -> "XXpr":
+        return self.xpr(0, "xrn")
+
+    @property
+    def xrm(self) -> "XXpr":
+        return self.xpr(1, "xrm")
+
+    @property
+    def result(self) -> "XXpr":
+        return self.xpr(2, "result")
+
+    @property
+    def rresult(self) -> "XXpr":
+        return self.xpr(3, "rresult")
+
+    @property
+    def result_simplified(self) -> str:
+        return simplify_result(
+            self.xdata.args[4], self.xdata.args[5], self.result, self.rresult)
+
+    @property
+    def annotation(self) -> str:
+        assignment = str(self.vlo) + " := " + self.result_simplified
+        return self.add_instruction_condition(assignment)
 
 
 @armregistry.register_tag("UMULL", ARMOpcode)
@@ -75,10 +117,7 @@ class ARMUnsignedMultiplyLong(ARMOpcode):
     useshigh[1]: lhs2 (RdHi)
     """
 
-    def __init__(
-            self,
-            d: "ARMDictionary",
-            ixval: IndexedTableValue) -> None:
+    def __init__(self, d: "ARMDictionary", ixval: IndexedTableValue) -> None:
         ARMOpcode.__init__(self, d, ixval)
         self.check_key(2, 5, "UnsignedMultiplyLong")
 
@@ -91,12 +130,11 @@ def opargs(self) -> List[ARMOperand]:
         return [self.armd.arm_operand(i) for i in self.args[1:]]
 
     def annotation(self, xdata: InstrXData) -> str:
-        lhslo = str(xdata.vars[0])
-        lhshi = str(xdata.vars[1])
-        result = xdata.xprs[2]
-        rresult = xdata.xprs[3]
-        xresult = simplify_result(xdata.args[4], xdata.args[5], result, rresult)
-        return "(" + lhslo + "," + lhshi + ")" + " := " + xresult
+        xd = ARMUnsignedMultiplyLongXData(xdata)
+        if xd.is_ok:
+            return xd.annotation
+        else:
+            return "Error value"
 
     def assembly_ast(
             self,
@@ -173,11 +211,17 @@ def ast_prov(
 
         # high-level assignments
 
-        lhs1 = xdata.vars[0]
-        lhs2 = xdata.vars[1]
-        rhs1 = xdata.xprs[0]
-        rhs2 = xdata.xprs[1]
-        result = xdata.xprs[3]
+        xd = ARMUnsignedMultiplyLongXData(xdata)
+        if not xd.is_ok:
+            chklogger.logger.error(
+                "Encountered error value at address %s", iaddr)
+            return ([], [])
+
+        lhs1 = xd.vlo
+        lhs2 = xd.vhi
+        rhs1 = xd.xrn
+        rhs2 = xd.xrm
+        result = xd.rresult
         rdefs = xdata.reachingdefs
         defuses = xdata.defuses
         defuseshigh = xdata.defuseshigh
diff --git a/chb/ast/ASTNode.py b/chb/ast/ASTNode.py
index 2563abd4..ddfc4185 100644
--- a/chb/ast/ASTNode.py
+++ b/chb/ast/ASTNode.py
@@ -2238,6 +2238,10 @@ def is_float(self) -> bool:
     def is_pointer(self) -> bool:
         return False
 
+    @property
+    def is_void_pointer(self) -> bool:
+        return False
+
     @property
     def is_scalar(self) -> bool:
         return (
@@ -2386,6 +2390,10 @@ def tgttyp(self) -> "ASTTyp":
     def is_pointer(self) -> bool:
         return True
 
+    @property
+    def is_void_pointer(self) -> bool:
+        return self.tgttyp.is_void
+
     def accept(self, visitor: "ASTVisitor") -> None:
         return visitor.visit_pointer_typ(self)
 
@@ -2759,6 +2767,9 @@ def is_compinfo(self) -> bool:
     def has_field_offsets(self) -> bool:
         return all(finfo.has_byteoffset() for finfo in self.fieldinfos)
 
+    def has_field_offset(self, offset: int) -> bool:
+        return offset in self.field_offsets
+
     @property
     def field_offsets(self) -> Dict[int, str]:
         result: Dict[int, str] = {}
diff --git a/chb/astinterface/ASTICodeTransformer.py b/chb/astinterface/ASTICodeTransformer.py
index 3727e079..827582da 100644
--- a/chb/astinterface/ASTICodeTransformer.py
+++ b/chb/astinterface/ASTICodeTransformer.py
@@ -80,7 +80,9 @@ def transform_instruction_sequence_stmt(
         for instr in stmt.instructions:
             if instr.is_ast_assign:
                 instr = cast(AST.ASTAssign, instr)
-                if self.astinterface.has_ssa_value(str(instr.lhs)):
+                if (
+                        self.astinterface.has_ssa_value(str(instr.lhs))
+                        and not self.provenance.has_expose_instruction(instr.instrid)):
                     chklogger.logger.info(
                         "Remove [%s]: has ssa value", str(instr))
                     continue
@@ -103,7 +105,7 @@ def transform_instruction_sequence_stmt(
                         "Transfor [%s]: global lhs", str(instr))
                     instrs.append(instr)
                 else:
-                    chklogger.logger.debug("Transform [%s]: remove", str(instr))
+                    chklogger.logger.info("Transform [%s]: remove", str(instr))
             else:
                 instrs.append(instr)
         return self.astinterface.mk_instr_sequence(
diff --git a/chb/astinterface/ASTInterface.py b/chb/astinterface/ASTInterface.py
index 748ddd35..a84b2ebe 100644
--- a/chb/astinterface/ASTInterface.py
+++ b/chb/astinterface/ASTInterface.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -62,6 +62,9 @@
 from chb.astinterface.ASTIProvenance import ASTIProvenance
 import chb.astinterface.ASTIUtil as AU
 
+from chb.userdata.UserHints import (
+    FunctionAnnotation, RegisterVarIntro, StackVarIntro)
+
 import chb.util.fileutil as UF
 from chb.util.loggingutil import chklogger
 
@@ -98,6 +101,7 @@ def __init__(
             appsignature: Optional["AppFunctionSignature"] = None,
             rdeflocs: Dict[str, List[List[str]]] = {},
             varintros: Dict[str, str] = {},
+            functionannotation: Optional[FunctionAnnotation] = None,
             stackvarintros: Dict[int, str] = {},
             patchevents: Dict[str, "PatchEvent"] = {},
             verbose: bool = False) -> None:
@@ -106,6 +110,7 @@ def __init__(
         self._astprototype = astprototype
         self._appsignature = appsignature
         self._rdeflocs = rdeflocs
+        self._functionannotation = functionannotation
         self._varintros = varintros
         self._stackvarintros = stackvarintros
         self._patchevents = patchevents
@@ -152,10 +157,19 @@ def appsignature(self) -> Optional["AppFunctionSignature"]:
     def rdeflocs(self) -> Dict[str, List[List[str]]]:
         return self._rdeflocs
 
+    @property
+    def function_annotation(self) -> Optional[FunctionAnnotation]:
+        return self._functionannotation
+
+    def has_function_annotation(self) -> bool:
+        return self.function_annotation is not None
+
+    # deprecated
     @property
     def varintros(self) -> Dict[str, str]:
         return self._varintros
 
+    # deprecated
     @property
     def stackvarintros(self) -> Dict[int, str]:
         return self._stackvarintros
@@ -265,23 +279,40 @@ def add_local_vardefinition(
         self._localvardefinitions.setdefault(iaddr, {})
         self._localvardefinitions[iaddr][var] = expr
 
+    # deprecated
     def has_variable_intro(self, iaddr: str) -> bool:
         return iaddr in self.varintros
 
+    # deprecated
     def get_variable_intro(self, iaddr: str) -> str:
         if self.has_variable_intro(iaddr):
             return self.varintros[iaddr]
         else:
             raise UF.CHBError("No variable intro found for " + iaddr)
 
+    def has_register_variable_intro(self, iaddr: str) -> bool:
+        fnannotation = self.function_annotation
+        if fnannotation is not None:
+            return fnannotation.has_register_variable_introduction(iaddr)
+        return False
+
+    def get_register_variable_intro(self, iaddr: str) -> RegisterVarIntro:
+        fnannotation = self.function_annotation
+        if fnannotation is not None:
+            return fnannotation.get_register_variable_introduction(iaddr)
+        raise UF.CHBError("No function annotation found")
+
     def has_stack_variable_intro(self, offset: int) -> bool:
-        return offset in self.stackvarintros
+        fnannotation = self.function_annotation
+        if fnannotation is not None:
+            return fnannotation.has_stack_variable_introduction(offset)
+        return False
 
-    def get_stack_variable_intro(self, offset: int) -> str:
-        if self.has_stack_variable_intro(offset):
-            return self.stackvarintros[offset]
-        else:
-            raise UF.CHBError("No stack-variable intro found for " + str(offset))
+    def get_stack_variable_intro(self, offset: int) -> StackVarIntro:
+        fnannotation = self.function_annotation
+        if fnannotation is not None:
+            return fnannotation.get_stack_variable_introduction(offset)
+        raise UF.CHBError("No function annotation found")
 
     def set_available_expressions(
             self, aexprs: Dict[str, Dict[str, Tuple[int, int, str]]]) -> None:
@@ -1014,8 +1045,8 @@ def mk_ssa_register_varinfo(
             return vinfo
 
         # create a new ssa variable
-        if iaddr in self.varintros:
-            vname = self.varintros[iaddr]
+        if self.has_register_variable_intro(iaddr):
+            vname = self.get_register_variable_intro(iaddr).name
         elif prefix is not None:
             self._ssa_prefix_counters.setdefault(prefix, 0)
             ssaid = self._ssa_prefix_counters[prefix]
@@ -1068,13 +1099,15 @@ def mk_stack_variable_lval(
             return self.stack_variables[offset]
 
         # create a new stack variable
-        if offset in self.stackvarintros:
-            vname = self.stackvarintros[offset]
+        if self.has_stack_variable_intro(offset):
+            svintro = self.get_stack_variable_intro(offset)
+            vname = svintro.name
         else:
             if offset < 0:
                 vname = "localstackvar_" + str(-offset)
             else:
                 vname = "stack_" + str(offset)
+
         size: Optional[int] = None
         if vtype is not None:
             size = self.type_size_in_bytes(vtype)
@@ -1532,6 +1565,12 @@ def mk_function_with_arguments_type(
         return self.astree.mk_function_with_arguments_type(
             returntype, arguments, varargs=varargs)
 
+    def convert_void_pointer(self, t: AST.ASTTyp) -> AST.ASTTyp:
+        if t.is_void_pointer:
+            return self.astree.mk_pointer_type(self.astree.unsigned_char_type)
+        else:
+            return t
+
     def __str__(self) -> str:
         lines: List[str] = []
         for r in self.astree.spans:
diff --git a/chb/cmdline/astcmds.py b/chb/cmdline/astcmds.py
index e231b10d..bb6703dd 100644
--- a/chb/cmdline/astcmds.py
+++ b/chb/cmdline/astcmds.py
@@ -215,11 +215,14 @@ def buildast(args: argparse.Namespace) -> NoReturn:
     symbolicaddrs: Dict[str, str] = userhints.symbolic_addresses()
     revsymbolicaddrs = {v: k for (k, v) in symbolicaddrs.items()}
     revfunctionnames = userhints.rev_function_names()
-    varintros = userhints.variable_introductions()
-    stackvarintros = userhints.stack_variable_introductions()
+    varintros = userhints.variable_introductions()   # to be removed
+    stackvarintros = userhints.stack_variable_introductions()  # to be removed
 
     # library_targets = library_call_targets(app, functions)
 
+    globallocs: Dict[str, str] = {k: v.name for (k, v) in app.globalmemorymap.locations.items()}
+    revgloballocs = {v.name: k for (k, v) in app.globalmemorymap.locations.items()}
+
     globalsymboltable = astapi.globalsymboltable
     codefragments = astapi.codefragments
     typconverter = BC2ASTConverter(app.bcfiles, globalsymboltable)
@@ -240,16 +243,28 @@ def buildast(args: argparse.Namespace) -> NoReturn:
 
         if vname in revsymbolicaddrs:
             gaddr = int(revsymbolicaddrs[vname], 16)
+        elif vname in revgloballocs:
+            gaddr = int(revgloballocs[vname], 16)
         elif vname in revfunctionnames:
             gaddr = int(revfunctionnames[vname], 16)
         elif vname in fnames:
             gaddr = int(fnames[vname], 16)
         elif vname.startswith("sub_"):
-            gaddr = int("0x" + vname[4:], 16)
+            if "_" in vname[4:]:
+                index = vname[4:].index("_")
+                gaddr = int("0x" + vname[4:(index+4)], 16)
+            else:
+                gaddr = int("0x" + vname[4:], 16)
+        elif vname.startswith("gv_"):
+            if "_" in vname[3:]:
+                index = vname[3:].index("_")
+                gaddr = int("0x" + vname[3:(index+3)], 16)
+            else:
+                gaddr = int("0x" + vname[3:], 16)
         else:
             gaddr = 0
 
-        if vname.startswith("__"):
+        if vname.startswith("___"):
             chklogger.logger.debug(
                 "Skip global variable: %s with address %s", vname, hex(gaddr))
         else:
@@ -309,6 +324,7 @@ def buildast(args: argparse.Namespace) -> NoReturn:
             fstackvarintros = {
                 -off: name
                 for (off, name) in stackvarintros.get(faddr, {}).items()}
+            functionannotation = userhints.function_annotation(faddr)
 
             astinterface = ASTInterface(
                 astree,
@@ -318,6 +334,7 @@ def buildast(args: argparse.Namespace) -> NoReturn:
                 astprototype=astprototype,
                 appsignature=appsignature,
                 varintros=varintros,
+                functionannotation=functionannotation,
                 stackvarintros=fstackvarintros,
                 patchevents=patchevents,
                 verbose=verbose)
@@ -326,7 +343,7 @@ def buildast(args: argparse.Namespace) -> NoReturn:
             # xdata records for all instructions in the function. Locations that
             # have a common user are merged. Types are provided by lhs_types.
             astinterface.introduce_ssa_variables(
-                f.rdef_locations(), f.lhs_types(), f.lhs_names)
+                f.rdef_locations(), f.register_lhs_types, f.lhs_names)
 
             # Introduce stack variables for all stack buffers with types
             astinterface.introduce_stack_variables(
diff --git a/chb/cmdline/chkx b/chb/cmdline/chkx
index aaed6597..6cad1015 100755
--- a/chb/cmdline/chkx
+++ b/chb/cmdline/chkx
@@ -561,6 +561,15 @@ def parse() -> argparse.Namespace:
         help=("json filename (without extension) to save opcode statistics"))
     elfdatacmd.set_defaults(func=FF.elfdatacmd)
 
+    # -------------------------------------------------------- disassembly data --
+    ddatacmd = subparsers.add_parser("ddata")
+    ddataparsers = ddatacmd.add_subparsers(title="show options")
+
+    # -- ddata globalvars --
+    ddatagvars = ddataparsers.add_parser("globalvars")
+    ddatagvars.add_argument("xname", help="name of executable")
+    ddatagvars.set_defaults(func=UCC.ddata_gvars)
+
     # ----------------------------------------------------------------- results --
     resultscmd = subparsers.add_parser('results')
     resultscmd.set_defaults(func=resultscommand)
@@ -973,6 +982,12 @@ def parse() -> argparse.Namespace:
             + " for text output)"))
     resultsinvariants.set_defaults(func=UCC.results_invariants)
 
+    # --- results globalrefs ---
+    resultsglobalrefs = resultsparsers.add_parser("globalrefs")
+    resultsglobalrefs.add_argument("xname", help="name of executable")
+    resultsglobalrefs.add_argument("faddr", help="hex address of function")
+    resultsglobalrefs.set_defaults(func=UCC.results_globalrefs)
+
     # --- results functioninfo ---
     resultsfinfo = resultsparsers.add_parser(
         "functioninfo",
@@ -1555,7 +1570,7 @@ def parse() -> argparse.Namespace:
         help="name of first (original) executable (assumed disassembled)")
     relationalcomparecfginfo.add_argument(
         "xname2",
-        help="name of second (patched) executable (asseumed disassembled)"),
+        help="name of second (patched) executable (asseumed disassembled)")
     relationalcomparecfginfo.add_argument(
         "--newfunctions",
         nargs="*",
@@ -1564,6 +1579,17 @@ def parse() -> argparse.Namespace:
     relationalcomparecfginfo.set_defaults(
         func=R.relational_compare_cfg_info)
 
+    # --- relational_compare globalvars
+    relationalcompareglobalvars = relationalcompareparsers.add_parser("globalvars")
+    relationalcompareglobalvars.add_argument(
+        "xname1",
+        help="name of first (original) executable (assumed disassembled)")
+    relationalcompareglobalvars.add_argument(
+        "xname2",
+        help="name of second (patched) executable (asseumed disassembled)")
+    relationalcompareglobalvars.set_defaults(
+        func=R.relational_compare_globalvars)
+
     # ------------------------------------------------------ simulate subcommand
     parser_simulate = subparsers.add_parser("simulate")
     parser_simulate.add_argument("xname", help="name of executable")
diff --git a/chb/cmdline/commandutil.py b/chb/cmdline/commandutil.py
index 06722955..ab498bd8 100644
--- a/chb/cmdline/commandutil.py
+++ b/chb/cmdline/commandutil.py
@@ -622,7 +622,7 @@ def results_stats(args: argparse.Namespace) -> NoReturn:
     elif sortby == "time":
         sortkey = lambda f: f.time
     else:
-        sortkey = lambda f: f.faddr
+        sortkey = lambda f: int(f.faddr, 16)
     for f in sorted(stats.get_function_results(), key=sortkey):
         print(f.metrics_to_string(shownocallees=nocallees))
 
@@ -945,7 +945,7 @@ def results_functions(args: argparse.Namespace) -> NoReturn:
 
     app = get_app(path, xfile, xinfo)
     if len(functions) == 0:
-        fns: Sequence[str] = sorted(app.appfunction_addrs)
+        fns: Sequence[str] = sorted(app.appfunction_addrs, key=lambda f:int(f, 16))
     else:
         fns = functions
 
@@ -1192,6 +1192,38 @@ def results_finfo(args: argparse.Namespace) -> NoReturn:
     exit(0)
 
 
+def results_globalrefs(args: argparse.Namespace) -> NoReturn:
+    """Prints out a list of global references made within a function."""
+
+    # arguments
+    xname: str = str(args.xname)
+    xfaddr: str = args.faddr
+
+    try:
+        (path, xfile) = get_path_filename(xname)
+        UF.check_analysis_results(path, xfile)
+    except UF.CHBError as e:
+        print(str(e.wrap()))
+        exit(1)
+
+    xinfo = XI.XInfo()
+    xinfo.load(path, xfile)
+
+    app = get_app(path, xfile, xinfo)
+
+    if not app.has_function(xfaddr):
+        print_error("Function " + xfaddr + " not found")
+        exit(1)
+
+    f = app.function(xfaddr)
+    for (gaddr, grefs) in f.globalrefs().items():
+        print(gaddr)
+        for gref in grefs:
+            print(str("  " + str(gref)))
+
+    exit(0)
+
+
 def results_invariants(args: argparse.Namespace) -> NoReturn:
     """Prints out a list of invariants for a function per location."""
 
@@ -2368,3 +2400,45 @@ def show_function_semantics_table(args: argparse.Namespace) -> NoReturn:
     print(ixdictionary.function_semantics_table_to_string())
 
     exit(0)
+
+
+def ddata_gvars(args: argparse.Namespace) -> NoReturn:
+
+    # arguments
+    xname: str = str(args.xname)
+
+    try:
+        (path, xfile) = get_path_filename(xname)
+    except UF.CHBError as e:
+        print(str(e.wrap()))
+        exit(1)
+
+    xinfo = XI.XInfo()
+    xinfo.load(path, xfile)
+
+    app = get_app(path, xfile, xinfo)
+
+    memmap = app.globalmemorymap
+    glocs = memmap.locations
+
+    print("Defined locations")
+    for gaddr in sorted(glocs, key=lambda g: int(g, 16)):
+        pgrefs: Dict[str, int] = {}   # count identical grefs
+        gloc = glocs[gaddr]
+        gtype = gloc.gtype
+        if gtype is not None:
+            sgtype = str(gtype)
+        else:
+            sgtype = ""
+        print(gloc.addr.rjust(8)
+              + "  "
+              + gloc.name.ljust(60)
+              + "  "
+              + sgtype.ljust(20))
+
+    (count, coverage) = memmap.coverage()
+
+    print("\nNumber of locations: " + str(len(glocs)))
+    print("Coverage: " + str(coverage) + " (typed: " + str(count) + ")")
+
+    exit(0)
diff --git a/chb/cmdline/relationalcmds.py b/chb/cmdline/relationalcmds.py
index 57761a5a..dec0b38d 100644
--- a/chb/cmdline/relationalcmds.py
+++ b/chb/cmdline/relationalcmds.py
@@ -1086,3 +1086,62 @@ def relational_compare_cfg_info(args: argparse.Namespace) -> NoReturn:
     print("\nNumber of functions different: " + str(diffcount))
 
     exit(0)
+
+
+def relational_compare_globalvars(args: argparse.Namespace) -> NoReturn:
+
+    # arguments
+    xname1: str = args.xname1
+    xname2: str = args.xname2
+
+    try:
+        (path1, xfile1) = UC.get_path_filename(xname1)
+        (path2, xfile2) = UC.get_path_filename(xname2)
+    except UF.CHBError as e:
+        print(str(e.wrap()))
+        exit(1)
+
+    xinfo1 = XI.XInfo()
+    xinfo1.load(path1, xfile1)
+
+    xinfo2 = XI.XInfo()
+    xinfo2.load(path2, xfile2)
+
+    app1 = UC.get_app(path1, xfile1, xinfo1)
+    app2 = UC.get_app(path2, xfile2, xinfo2)
+
+    memmap1 = app1.globalmemorymap
+    memmap2 = app2.globalmemorymap
+
+    if len(memmap1.locations) == 0:
+        UC.print_error(
+            "No memory map found for " + xname1 + " in " + path1)
+        exit(1)
+
+    if len(memmap2.locations) == 0:
+        UC.print_error(
+            "No memory map found for " + xname2 + " in " + path2)
+        exit(1)
+
+    glocs1 = memmap1.locations
+    glocs2 = memmap2.locations
+
+    result: Dict[str, Tuple[str, str]] = {}
+
+    for (addr, gloc1) in sorted(glocs1.items()):
+        gloc2 = memmap2.get_location_by_name(gloc1.name)
+        if gloc2 is not None:
+            result[addr] = (gloc1.name, gloc2.addr)
+
+    for (addr1, (name, addr2)) in sorted(result.items()):
+        diff = int(addr2, 16) - int(addr1, 16)
+        print("  " + addr1.rjust(8) + "  " + addr2.rjust(8) + "  " + str(diff).rjust(8) + "  " + name)
+
+    (loc1count, loc1coverage) = memmap1.coverage()
+    (loc2count, loc2coverage) = memmap2.coverage()
+
+    print("\nCoverage")
+    print("App1: " + str(loc1count) + ", " + str(loc1coverage))
+    print("App2: " + str(loc2count) + ", " + str(loc2coverage))
+
+    exit(0)
diff --git a/chb/invariants/VAssemblyVariable.py b/chb/invariants/VAssemblyVariable.py
index 71f31dfa..ecdb108c 100644
--- a/chb/invariants/VAssemblyVariable.py
+++ b/chb/invariants/VAssemblyVariable.py
@@ -250,7 +250,7 @@ def is_stack_argument(self) -> bool:
         return (
             self.base.is_local_stack_frame
             and self.offset.is_constant_value_offset
-            and self.offset.offsetvalue() > 0)
+            and self.offset.offsetvalue() >= 0)
 
     @property
     def is_local_stack_variable(self) -> bool:
@@ -330,6 +330,8 @@ def __str__(self) -> str:
         elif self.is_realigned_stack_variable:
             offset = self.offset.offsetvalue()
             return 'varr.' + '{0:04d}'.format(offset)
+        elif self.offset.is_no_offset:
+            return "*" + str(self.base)
         return str(str(self.base)) + '[' + str(self.offset) + ']'
 
 
diff --git a/chb/invariants/VConstantValueVariable.py b/chb/invariants/VConstantValueVariable.py
index ae99eb3d..b9d62d5c 100644
--- a/chb/invariants/VConstantValueVariable.py
+++ b/chb/invariants/VConstantValueVariable.py
@@ -6,7 +6,7 @@
 #
 # Copyright (c) 2016-2020 Kestrel Technology LLC
 # Copyright (c) 2020      Henny Sipma
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -39,6 +39,11 @@
       * ctxt_iaddress_t
       * ctxt_iaddress_t
   | FunctionReturnValue  of ctxt_iaddress_t        "fr"       2      0
+  | TypeCastValue of                               "tc"       3      2
+     ctxt_iaddress_t
+     * string
+     * btype_t
+     * register_t
   | SyscallErrorReturnValue of ctxt_iaddress_t     "ev"       2      0
   | AugmentedValue of                              "av"       4      2
      variable_t
@@ -131,6 +136,10 @@ def is_global_value(self) -> bool:
     def is_function_return_value(self) -> bool:
         return False
 
+    @property
+    def is_typecast_value(self) -> bool:
+        return False
+
     @property
     def is_symbolic_value(self) -> bool:
         return False
@@ -188,7 +197,10 @@ def variable(self) -> "XVariable":
 
     @property
     def register(self) -> "Register":
-        raise UF.CHBError("Constant value is not an initial register value")
+        raise UF.CHBError(
+            "Constant value is not an initial register value: "
+            + str(self)
+            + " (" + self.tags[0] + ")")
 
     def argument_deref_arg_offset(self, inbytes: bool = False) -> Tuple[int, int]:
         raise UF.CHBError("argument_deref_arg_offset not supported on "
@@ -363,7 +375,9 @@ def is_function_return_deref_value(self) -> bool:
         if avar.is_memory_variable and avar.is_basevar_variable:
             xbasevar = avar.basevar
             offset = avar.offset
-            return xbasevar.is_function_return_value and offset.is_constant_offset
+            return (
+                xbasevar.is_function_return_value
+                and (offset.is_constant_offset or offset.is_no_offset))
         else:
             return False
 
@@ -549,6 +563,46 @@ def __str__(self) -> str:
             return "rtn_" + self.callsite
 
 
+@varregistry.register_tag("tc", VConstantValueVariable)
+class VTypeCastValue(VConstantValueVariable):
+    """Type cast of a register value.
+
+    tags[1]: address of cast
+    tags[2]: name of variable
+    args[0]: index of cast target type in bcdictionary
+    args[1]: index of register in bdictionary
+    """
+
+    def __init__(
+            self,
+            vd: "FnVarDictionary",
+            ixval: IndexedTableValue) -> None:
+        VConstantValueVariable.__init__(self, vd, ixval)
+
+    @property
+    def is_typecast_value(self) -> bool:
+        return True
+
+    @property
+    def iaddr(self) -> str:
+        return self.tags[1]
+
+    @property
+    def name(self) -> str:
+        return self.tags[2]
+
+    @property
+    def tgttype(self) -> "BCTyp":
+        return self.bcd.typ(self.args[0])
+
+    @property
+    def register(self) -> Register:
+        return self.bd.register(self.args[1])
+
+    def __str__(self) -> str:
+        return self.name + "(" + self.iaddr + ", " + str(self.tgttype) + ")"
+
+
 @varregistry.register_tag("fp", VConstantValueVariable)
 class FunctionPointer(VConstantValueVariable):
     """Function pointer.
diff --git a/chb/invariants/XVariable.py b/chb/invariants/XVariable.py
index f1269ee1..8a0025ff 100644
--- a/chb/invariants/XVariable.py
+++ b/chb/invariants/XVariable.py
@@ -6,7 +6,7 @@
 #
 # Copyright (c) 2016-2020 Kestrel Technology LLC
 # Copyright (c) 2020-2021 Henny Sipma
-# Copyright (c) 2021-2024 Aarno Labs LLC
+# Copyright (c) 2021-2025 Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -116,6 +116,13 @@ def is_function_return_value(self) -> bool:
             and self.denotation.is_auxiliary_variable
             and self.denotation.auxvar.is_function_return_value)
 
+    @property
+    def is_typecast_value(self) -> bool:
+        return (
+            self.has_denotation()
+            and self.denotation.is_auxiliary_variable
+            and self.denotation.auxvar.is_typecast_value)
+
     @property
     def is_memory_address_value(self) -> bool:
         return (
diff --git a/chb/invariants/XXpr.py b/chb/invariants/XXpr.py
index 8fd95365..b189851e 100644
--- a/chb/invariants/XXpr.py
+++ b/chb/invariants/XXpr.py
@@ -223,6 +223,10 @@ def is_addressof_var(self) -> bool:
 
         return False
 
+    @property
+    def get_addressof_var(self) -> Optional[XVariable]:
+        return None
+
     def initial_register_value_register(self) -> Register:
         """Returns the register of which this expression represents the initial value."""
         raise UF.CHBError(
@@ -739,6 +743,14 @@ def is_structured_expr(self) -> bool:
     def is_addressof_var(self) -> bool:
         return self.operator == "xf_addressofvar"
 
+    @property
+    def get_addressof_var(self) -> Optional[XVariable]:
+        if self.is_addressof_var:
+            operand = self.operands[0]
+            if operand.is_var:
+                return cast(XprVariable, operand).variable
+        return None
+
     def has_global_variables(self) -> bool:
         return any([op.has_global_variables() for op in self.operands])
 
diff --git a/chb/invariants/XXprUtil.py b/chb/invariants/XXprUtil.py
index 0e76cbf5..3265b94d 100644
--- a/chb/invariants/XXprUtil.py
+++ b/chb/invariants/XXprUtil.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs LLC
+# Copyright (c) 2021-2025  Aarno Labs LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -55,7 +55,7 @@
         VMemoryVariable, VAuxiliaryVariable, VRegisterVariable)
     from chb.invariants.VConstantValueVariable import (
         VInitialRegisterValue, VInitialMemoryValue, VFunctionReturnValue,
-        SymbolicValue, MemoryAddress)
+        VTypeCastValue, SymbolicValue, MemoryAddress)
     from chb.invariants.VMemoryBase import (
         VMemoryBase,
         VMemoryBaseBaseVar,
@@ -149,7 +149,7 @@ def xconstant_to_ast_expr(
             gvaddrtype = gvaddr.ctype(astree.ctyper)
             if gvaddrtype is not None and gvaddrtype.is_array:
                 # array already is an address
-                return astree.mk_lval_expr(lval)
+                return astree.mk_start_of(lval)
             else:
                 return astree.mk_address_of(lval)
         else:
@@ -259,7 +259,7 @@ def vreturn_deref_value_to_ast_lval_expression(
         astree: ASTInterface,
         anonymous: bool = False) -> AST.ASTExpr:
 
-    if not offset.is_constant_value_offset:
+    if not (offset.is_constant_value_offset or offset.is_no_offset):
         chklogger.logger.error(
             "Non-constant offset: %s not yet supported at address %s",
             str(offset), iaddr)
@@ -485,6 +485,13 @@ def global_variable_to_lval_expression(
                     globaladdress=gaddr,
                     anonymous=anonymous)
 
+        if offset.offset.is_array_index_offset and vinfo is not None:
+            arrayoffset = cast("VMemoryOffsetArrayIndexOffset", offset.offset)
+            astoffset = array_offset_to_ast_offset(
+                arrayoffset, xdata, iaddr, astree, anonymous=anonymous)
+            return astree.mk_vinfo_lval_expression(
+                vinfo, astoffset, anonymous=anonymous)
+
     chklogger.logger.error(
         "Conversion of global variable %s at address %s not yet supported",
         str(offset), iaddr)
@@ -601,6 +608,40 @@ def vargument_deref_value_to_ast_lval_expression(
     return astree.mk_temp_lval_expression()
 
 
+def stack_argument_to_ast_lval_expression(
+        offset: int,
+        xdata: "InstrXData",
+        iaddr: str,
+        astree: ASTInterface,
+        anonymous: bool = False) -> AST.ASTExpr:
+
+    fsig = astree.appsignature
+    if fsig is None:
+        chklogger.logger.error(
+            "Unable to judge stack argument with offset %d without app "
+            + "at address %s",
+            offset, iaddr)
+        return astree.mk_temp_lval_expression()
+
+    optindex = fsig.index_of_stack_parameter_location(offset)
+    if optindex is not None:
+        arglvals = astree.function_argument(optindex - 1)
+        if len(arglvals) != 1:
+            chklogger.logger.error(
+                "Encountered multiple arg values for initial stack argument "
+                + "%s at address %s",
+                str(offset), iaddr)
+            return astree.mk_temp_lval_expression()
+        else:
+            return astree.mk_lval_expression(arglvals[0], anonymous=anonymous)
+    else:
+        chklogger.logger.error(
+            "Cannot determine argument index for initial stack argument %s "
+            + "at address %s",
+            str(offset), iaddr)
+        return astree.mk_temp_lval_expression()
+
+
 def vinitmemory_value_to_ast_lval_expression(
         vconstvar: "VInitialMemoryValue",
         xdata: "InstrXData",
@@ -628,7 +669,7 @@ def vinitmemory_value_to_ast_lval_expression(
 
     if avar.is_memory_variable and avar.is_basevar_variable:
         avar = cast("VMemoryVariable", avar)
-        if not avar.offset.is_constant_value_offset:
+        if not (avar.offset.is_constant_value_offset or avar.offset.is_no_offset):
             chklogger.logger.error(
                 "Non-constant offset: %s not yet supported at address %s",
                 str(avar.offset), iaddr)
@@ -660,6 +701,19 @@ def vinitmemory_value_to_ast_lval_expression(
                     return astree.mk_temp_lval_expression()
 
                 compinfo = astree.compinfo(compkey)
+                if not compinfo.has_field_offsets():
+                    chklogger.logger.error(
+                        "No fields are specified for compinfo %s (at address %s)",
+                        compinfo.compname, iaddr)
+                    return astree.mk_temp_lval_expression()
+
+                if not compinfo.has_field_offset(coff):
+                    chklogger.logger.error(
+                        "Compinfo %s does not have a field at offset %d "
+                        + "(at address %s)",
+                        compinfo.compname, coff, iaddr)
+                    return astree.mk_temp_lval_expression()
+
                 (field, restoffset) = compinfo.field_at_offset(coff)
                 if restoffset > 0:
                     chklogger.logger.error(
@@ -678,6 +732,10 @@ def vinitmemory_value_to_ast_lval_expression(
             iaddr)
         return astree.mk_temp_lval_expression()
 
+    if avar.is_memory_variable and avar.is_stack_argument:
+        return stack_argument_to_ast_lval_expression(
+            avar.offset.offsetvalue(), xdata, iaddr, astree, anonymous=anonymous)
+
     chklogger.logger.error(
         "AST conversion of vinitmemory value %s of %s not yet supported at "
         + "address %s",
@@ -794,6 +852,8 @@ def xvariable_to_ast_def_lval_expression(
             return astree.mk_temp_lval_expression()
 
         else:
+            chklogger.logger.error(
+                "No rdefs found for %s at address %s", str(reg), iaddr)
             return astree.mk_temp_lval_expression()
 
     if xvar.is_global_variable:
@@ -831,6 +891,24 @@ def xvariable_to_ast_def_lval_expression(
         vinfo = astree.globalsymboltable.get_symbol(name)
         return astree.mk_vinfo_lval_expression(vinfo, anonymous=anonymous)
 
+    if xvar.is_typecast_value:
+        tcvar = cast("VTypeCastValue", xvar.denotation.auxvar)
+        variaddr = tcvar.iaddr
+        varreg = tcvar.register
+        if variaddr in astree.ssa_intros and str(varreg) in astree.ssa_intros[variaddr]:
+            vinfo = astree.ssa_intros[variaddr][str(varreg)]
+            ssavalue = astree.get_ssa_value(vinfo.vname)
+            if ssavalue is not None:
+                return ssavalue
+            else:
+                return astree.mk_vinfo_lval_expression(
+                    vinfo, anonymous=anonymous)
+        chklogger.logger.error(
+            "AST def conversion of typecast value %s to lval at address %s "
+            + "not yet supported",
+            str(tcvar), iaddr)
+        return astree.mk_temp_lval_expression()
+
     chklogger.logger.error(
         "AST def conversion of variable %s to lval-expression at address "
         + "%s not yet supported",
@@ -1011,7 +1089,7 @@ def default() -> AST.ASTExpr:
         astxpr2 = xxpr_to_ast_def_expr(
             xpr2, xdata, iaddr, astree, anonymous=anonymous)
         if operator in [
-                "plus", "minus", "mult", "div",
+                "plus", "minus", "mult", "div", "mod",
                 "band", "land", "lor", "bor", "asr", "bxor",
                 "lsl", "lsr", "eq", "ne", "gt", "le", "lt", "ge"]:
             return astree.mk_binary_expression(operator, astxpr1, astxpr2)
@@ -1325,17 +1403,21 @@ def array_offset_to_ast_offset(
     if offset.has_no_offset():
         return astree.mk_expr_index_offset(indexxpr)
 
-    def to_ast_offset(suboffset: "VMemoryOffset") -> AST.ASTOffset:
-        if suboffset.is_constant_value_offset:
-            return astree.mk_scalar_index_offset(suboffset.offsetconstant)
-        elif suboffset.is_field_offset:
-            suboffset = cast ("VMemoryOffsetFieldOffset", suboffset)
-            return astree.mk_field_offset(suboffset.fieldname, suboffset.ckey)
-        else:
-            return nooffset
+    if offset.offset.is_field_offset:
+        fsuboffset = cast("VMemoryOffsetFieldOffset", offset.offset)
+        astoffset: AST.ASTOffset = field_offset_to_ast_offset(
+            fsuboffset, xdata, iaddr, astree)
+        return astree.mk_expr_index_offset(indexxpr, offset=astoffset)
 
-    return astree.mk_expr_index_offset(
-        indexxpr, offset=to_ast_offset(offset.offset))
+    if offset.offset.is_array_index_offset:
+        asuboffset = cast("VMemoryOffsetArrayIndexOffset", offset.offset)
+        astoffset = array_offset_to_ast_offset(
+            asuboffset, xdata, iaddr, astree)
+        return astree.mk_expr_index_offset(indexxpr, offset=astoffset)
+
+    chklogger.logger.error(
+        "Offset %s not recognized at address %s", str(offset), iaddr)
+    return astree.mk_expr_index_offset(indexxpr)
 
 
 def field_offset_to_ast_offset(
@@ -1364,7 +1446,6 @@ def field_offset_to_ast_offset(
         offset.fieldname, offset.ckey, offset=suboffset)
 
 
-
 def array_variable_to_ast_lval(
         base: "MemoryAddress",
         elementtyp: AST.ASTTyp,
@@ -1486,18 +1567,23 @@ def global_variable_to_ast_lval(
             return astree.mk_vinfo_lval(vinfo, astoffset, anonymous=anonymous)
 
         if offset.offset.is_field_offset and vinfo is not None:
-            fieldoffset = cast ("VMemoryOffsetFieldOffset", offset.offset)
+            fieldoffset = cast("VMemoryOffsetFieldOffset", offset.offset)
             fieldname = fieldoffset.fieldname
             compkey = fieldoffset.ckey
             if fieldoffset.offset.is_no_offset:
                 subfieldastoffset: AST.ASTOffset = nooffset
             elif fieldoffset.offset.is_field_offset:
-                subfieldoffset = cast(
+                subfieldfldoffset = cast(
                     "VMemoryOffsetFieldOffset", fieldoffset.offset)
-                subfieldname = subfieldoffset.fieldname
-                subfieldkey = subfieldoffset.ckey
+                subfieldname = subfieldfldoffset.fieldname
+                subfieldkey = subfieldfldoffset.ckey
                 subfieldastoffset = astree.mk_field_offset(
                     subfieldname, subfieldkey)
+            elif fieldoffset.offset.is_array_index_offset:
+                subfieldarrayoffset = cast(
+                    "VMemoryOffsetArrayIndexOffset", fieldoffset.offset)
+                subfieldastoffset = array_offset_to_ast_offset(
+                    subfieldarrayoffset, xdata, iaddr, astree, anonymous=anonymous)
             else:
                 chklogger.logger.error(
                     "Index sub offset of global offset %s not yet handled at %s",
@@ -1508,6 +1594,12 @@ def global_variable_to_ast_lval(
                 fieldname, compkey, offset=subfieldastoffset)
             return astree.mk_vinfo_lval(vinfo, astoffset, anonymous=anonymous)
 
+        if offset.offset.is_array_index_offset and vinfo is not None:
+            aindexoffset = cast("VMemoryOffsetArrayIndexOffset", offset.offset)
+            astoffset = array_offset_to_ast_offset(
+                aindexoffset, xdata, iaddr, astree, anonymous=anonymous)
+            return astree.mk_vinfo_lval(vinfo, astoffset, anonymous=anonymous)
+
     chklogger.logger.error(
         ("Conversion of global ast lval for address %s at address %s "
          + "not yet supported"),
@@ -1674,10 +1766,39 @@ def vargument_deref_value_to_ast_lval(
         astree: ASTInterface,
         anonymous: bool = False) -> AST.ASTLval:
 
+    if offset.is_no_offset:
+        if basevar.is_initial_register_value:
+            asmvar = cast("VAuxiliaryVariable", basevar.denotation)
+            vinitvar = cast("VInitialRegisterValue", asmvar.auxvar)
+            xinitarg = vinitregister_value_to_ast_lval_expression(
+                vinitvar, xdata, iaddr, astree, anonymous=anonymous)
+            argtype = xinitarg.ctype(astree.ctyper)
+            if argtype is None:
+                chklogger.logger.error(
+                    "Untyped dereferenced argument value %s not yet supported at "
+                    + "address %s",
+                    str(xinitarg), iaddr)
+                return astree.mk_temp_lval()
+            else:
+                return astree.mk_memref_lval(xinitarg, anonymous=anonymous)
+
+        if basevar.is_function_return_value:
+            asmvar = cast("VAuxiliaryVariable", basevar.denotation)
+            frvinitrvar = cast("VFunctionReturnValue", asmvar.auxvar)
+            callsite = frvinitrvar.callsite
+            if callsite in astree.ssa_intros:
+                if len(astree.ssa_intros[callsite]) == 1:
+                    vinfo = list(astree.ssa_intros[callsite].values())[0]
+                    vtype = vinfo.vtype
+                    vexpr = astree.mk_vinfo_lval_expression(
+                        vinfo, anonymous=anonymous)
+                    return astree.mk_memref_lval(vexpr, anonymous=anonymous)
+
     if not offset.is_constant_value_offset:
         chklogger.logger.error(
-            "Non-constant offset: %s not yet supported at address %s",
-            str(offset), iaddr)
+            "Non-constant offset: %s with variable %s not yet supported at "
+            + "address %s",
+            str(offset), str(basevar), iaddr)
         return astree.mk_temp_lval()
 
     coff = offset.offsetvalue()
@@ -1777,6 +1898,39 @@ def vargument_deref_value_to_ast_lval(
             str(basevar), str(offset), iaddr)
         return astree.mk_temp_lval()
 
+    if basevar.is_typecast_value:
+        asmvar = cast("VAuxiliaryVariable", basevar.denotation)
+        vtcv = cast("VTypeCastValue", asmvar.auxvar)
+        bctype = vtcv.tgttype
+        vtype = bctype.convert(astree.typconverter)
+        if vtype is not None and vtype.is_pointer:
+            tgttype = cast(AST.ASTTypPtr, vtype).tgttyp
+            castaddr = vtcv.iaddr
+            if len(astree.ssa_intros[castaddr]) == 1:
+                vinfo = list(astree.ssa_intros[castaddr].values())[0]
+                vexpr = astree.mk_vinfo_lval_expression(
+                    vinfo, anonymous=anonymous)
+                if tgttype.is_compound:
+
+                    return field_pointer_to_ast_memref_lval(
+                        vexpr,
+                        tgttype,
+                        coff,
+                        iaddr,
+                        astree,
+                        anonymous=anonymous)
+
+            chklogger.logger.error(
+                "AST conversion of typecast value %s with type %s not yet handled "
+                + " at address %s",
+                str(basevar), str(tgttype), iaddr)
+            return astree.mk_temp_lval()
+
+        chklogger.logger.error(
+            "AST conversion of typecast value %s with type %s not yet handled at %s",
+            str(basevar), str(vtype), iaddr)
+        return astree.mk_temp_lval()
+
     chklogger.logger.error(
         "AST conversion of argument deref lvalue: %s with offset %s not yet "
         + "handled at %s (variable denotation type: %s)",
@@ -1848,6 +2002,7 @@ def xmemory_dereference_lval(
         anonymous: bool = False) -> AST.ASTLval:
 
     xaddr = xxpr_to_ast_def_expr(address, xdata, iaddr, astree)
+
     if xaddr.is_ast_binary_op:
         xaddr = cast(AST.ASTBinaryOp, xaddr)
         if xaddr.exp1.is_ast_startof:
diff --git a/chb/userdata/UserHints.py b/chb/userdata/UserHints.py
index 63797f8c..8380fdef 100644
--- a/chb/userdata/UserHints.py
+++ b/chb/userdata/UserHints.py
@@ -4,7 +4,7 @@
 # ------------------------------------------------------------------------------
 # The MIT License (MIT)
 #
-# Copyright (c) 2021-2024  Aarno Labs, LLC
+# Copyright (c) 2021-2025  Aarno Labs, LLC
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -51,6 +51,9 @@
 - DataBlocks
       pairs of addresses (start inclusive, end exclusive) that indicate data
 
+- FunctionAnnotations
+      register and stack variable introductions
+
 - FunctionEntryPoints
       addresses of function entry points
 
@@ -102,6 +105,7 @@
 from chb.userdata.UserBType import UserStructBType
 
 import chb.util.fileutil as UF
+from chb.util.loggingutil import chklogger
 import chb.util.xmlutil as UX
 
 
@@ -451,6 +455,274 @@ def __str__(self) -> str:
         return "\n".join(lines)
 
 
+class RegisterVarIntro:
+
+    def __init__(self, d: Dict[str, Union[str, List[str]]]) -> None:
+        self._d = d
+
+    @property
+    def varintro(self) -> Dict[str, Union[str, List[str]]]:
+        return self._d
+
+    @property
+    def iaddr(self) -> str:
+        if not "iaddr" in self.varintro:
+            chklogger.logger.warning(
+                "Register variable intro without address; returning 0x0")
+        return cast(str, self.varintro.get("iaddr", "0x0"))
+
+    @property
+    def name(self) -> str:
+        if not "name" in self.varintro:
+            chklogger.logger.warning(
+                "Register variable intro without name; returning noname")
+        return cast(str, self.varintro.get("name", "noname"))
+
+    @property
+    def typename(self) -> Optional[str]:
+        return cast(str, self.varintro.get("typename", None))
+
+    @property
+    def ispointerto(self) -> bool:
+        return "ptrto" in self.mods
+
+    @property
+    def mods(self) -> List[str]:
+        return cast(List[str], self.varintro.get("mods", []))
+
+    def has_cast(self) -> bool:
+        return "cast" in self.mods
+
+    def to_xml(self, node: ET.Element) -> None:
+        xvintro = ET.Element("vintro")
+        node.append(xvintro)
+        xvintro.set("name", self.name)
+        xvintro.set("iaddr", self.iaddr)
+        if self.typename is not None:
+            xvintro.set("typename", self.typename)
+        if self.ispointerto:
+            xvintro.set("ptrto", "yes")
+        if self.has_cast():
+            xvintro.set("cast", "yes")
+
+    def __str__(self) -> str:
+        return (
+            "iaddr: " + self.iaddr
+            + "; name: " + self.name
+            + (("; typename: " + self.typename) if self.typename else ""))
+
+
+class StackVarIntro:
+
+    def __init__(self, d: Dict[str, str]) -> None:
+        self._d = d
+
+    @property
+    def varintro(self) -> Dict[str, str]:
+        return self._d
+
+    @property
+    def offset(self) -> int:
+        """The offset is negated to reflect the actual relationship between
+        the stack pointer address at function entry and the address of the
+        variable.
+        """
+
+        if not "offset" in self.varintro:
+            chklogger.logger.warning(
+                "Stack variable intro without offset; returning 0")
+        index = int(self.varintro.get("offset", "0"))
+        if index > 0:
+            return -index
+        else:
+            raise UF.CHBError(
+                "Unexpected non-positive offset in stack-variable intro: "
+                + str(self.offset))
+
+    @property
+    def name(self) -> str:
+        if not "name" in self.varintro:
+            chklogger.logger.warning(
+                "Stack variable intro without name; returning noname")
+        return self.varintro.get("name", "noname")
+
+    @property
+    def typename(self) -> Optional[str]:
+        return self.varintro.get("typename", None)
+
+    @property
+    def mods(self) -> List[str]:
+        return cast(List[str], self.varintro.get("mods", []))
+
+    @property
+    def is_array(self) -> bool:
+        return any(a for a in self.mods if a.startswith("array"))
+
+    @property
+    def arraysize(self) -> Optional[int]:
+        if self.is_array:
+            entry = next(a for a in self.mods if a.startswith("array"))
+            eindex = entry.find(":")
+            if eindex > 0:
+                return int(entry[eindex+1:])
+        return None
+
+    @property
+    def ispointer(self) -> bool:
+        return "ptrto" in self.mods
+
+    def to_xml(self, node: ET.Element) -> None:
+        xvintro = ET.Element("vintro")
+        node.append(xvintro)
+        xvintro.set("name", self.name)
+        xvintro.set("offset", str(self.offset))
+        if self.typename is not None:
+            xvintro.set("typename", self.typename)
+            if self.arraysize is not None:
+                xvintro.set("arraysize", str(self.arraysize))
+            elif self.ispointer:
+                xvintro.set("ptrto", "yes")
+
+    def __str__(self) -> str:
+        return (
+            "offset: " + str(self.offset)
+            + "; name: " + self.name
+            + (("; typename: " + self.typename) if self.typename else ""))
+
+
+class FunctionAnnotation:
+
+    def __init__(self, fnannotation: Dict[str, Any]) -> None:
+        self._fnannotation = fnannotation
+
+    @property
+    def fnannotation(self) -> Dict[str, Any]:
+        return self._fnannotation
+
+    @property
+    def faddr(self) -> str:
+        if not "faddr" in self.fnannotation:
+            chklogger.logger.warning(
+                "Function annotation without faddr, returning 0x0")
+        return self.fnannotation.get("faddr", "0x0")
+
+    @property
+    def stack_variable_introductions(self) -> Dict[int, StackVarIntro]:
+        result: Dict[int, StackVarIntro] = {}
+        for d in self.fnannotation.get("stack-variable-introductions", []):
+            svi = StackVarIntro(d)
+            result[svi.offset] = svi
+        return result
+
+    @property
+    def register_variable_introductions(self) -> Dict[str, RegisterVarIntro]:
+        result: Dict[str, RegisterVarIntro] = {}
+        for d in self.fnannotation.get("register-variable-introductions", []):
+            rvi = RegisterVarIntro(d)
+            result[rvi.iaddr] = rvi
+        return result
+
+    def has_register_variable_introduction(self, iaddr: str) -> bool:
+        return iaddr in self.register_variable_introductions
+
+    def get_register_variable_introduction(self, iaddr: str) -> RegisterVarIntro:
+        rvintros = self.register_variable_introductions
+        if iaddr in rvintros:
+            return rvintros[iaddr]
+        raise UF.CHBError("No register variable introductions for " + iaddr)
+
+    def has_stack_variable_introduction(self, offset: int) -> bool:
+        return offset in self.stack_variable_introductions
+
+    def get_stack_variable_introduction(self, offset: int) -> StackVarIntro:
+        svintros = self.stack_variable_introductions
+        if offset in svintros:
+            return svintros[offset]
+        raise UF.CHBError(
+            "No stack variable introduction for offset " + str(offset))
+
+    def to_xml(self, node: ET.Element) -> None:
+        node.set("faddr", self.faddr)
+        if len(self.stack_variable_introductions) > 0:
+            xstackintros = ET.Element("stackvar-intros")
+            node.append(xstackintros)
+            for svintro in self.stack_variable_introductions.values():
+                svintro.to_xml(xstackintros)
+        if len(self.register_variable_introductions) > 0:
+            xregintros = ET.Element("regvar-intros")
+            node.append(xregintros)
+            for rvintro in self.register_variable_introductions.values():
+                rvintro.to_xml(xregintros)
+
+    def __str__(self) -> str:
+        lines: List[str] = []
+        lines.append("Function: " + self.faddr)
+        if len(self.stack_variable_introductions) > 0:
+            lines.append("  Stack variable introductions:")
+            for svintro in self.stack_variable_introductions:
+                lines.append("  " + str(svintro))
+        if len(self.register_variable_introductions) > 0:
+            for rvintro in self.register_variable_introductions:
+                lines.append("  " + str(rvintro))
+        lines.append("")
+        return "\n".join(lines)
+
+
+class FunctionAnnotations(HintsEntry):
+    """List of functions with variable introductions.
+
+    Supersedes variable-introductions and stack-variable-introductions.
+    """
+
+    def __init__(self, fnannotations: List[Dict[str, Any]]) -> None:
+        HintsEntry.__init__(self, "function-annotations")
+        self._fnannotations = fnannotations
+
+    @property
+    def fnannotations(self) -> List[Dict[str, Any]]:
+        return self._fnannotations
+
+    def has_function(self, faddr: str) -> bool:
+        for a in self.fnannotations:
+            if faddr == a.get("faddr", "0x0"):
+                return True
+        else:
+            return False
+
+    def get_function(self, faddr: str) -> FunctionAnnotation:
+        for a in self.fnannotations:
+            if faddr == a.get("faddr", "0x0"):
+                return FunctionAnnotation(a)
+        raise UF.CHBError("No annotations found for function address " + faddr)
+
+    def update(self, l: List[Dict[str, Any]]) -> None:
+        for d in l:
+            faddr = d.get("faddr", "0x0")
+            if self.has_function(faddr):
+                chklogger.logger.warning(
+                    "Duplicate record for function annotations: %s. "
+                    + "New entry is ignored",
+                    faddr)
+            else:
+                self._fnannotations.append(d)
+
+    def to_xml(self, node: ET.Element) -> None:
+        xfnannotations = ET.Element(self.name)
+        node.append(xfnannotations)
+        for a in self.fnannotations:
+            xfa = ET.Element("function-annotation")
+            FunctionAnnotation(a).to_xml(xfa)
+            xfnannotations.append(xfa)
+
+    def __str__(self) -> str:
+        lines: List[str] = []
+        lines.append("Function annotations")
+        lines.append("--------------------")
+        for a in self.fnannotations:
+            lines.append(str(FunctionAnnotation(a)))
+        return "\n".join(lines)
+
+
 class FunctionEntryPointsHints(HintsEntry):
     """List of function entry points in hex."""
 
@@ -1131,6 +1403,19 @@ def variable_introductions(self) -> Dict[str, str]:
         else:
             return {}
 
+    def function_annotations(self) -> Optional[FunctionAnnotations]:
+        if "function-annotations" in self.astdata:
+            return cast(
+                FunctionAnnotations, self.astdata["function-annotations"])
+        return None
+
+    def function_annotation(self, faddr: str) -> Optional[FunctionAnnotation]:
+        fnannotations = self.function_annotations()
+        if fnannotations is not None:
+            if fnannotations.has_function(faddr):
+                return fnannotations.get_function(faddr)
+        return None
+
     def stack_variable_introductions(self) -> Dict[str, Dict[int, str]]:
         """Return map from function address to stack offset to variable name.
 
@@ -1242,6 +1527,20 @@ def add_hints(self, hints: Dict[str, Any]) -> None:
             else:
                 self.userdata[tag] = FunctionEntryPointsHints(fepoints)
 
+        if "function-annotations" in hints:
+            tag = "function-annotations"
+            fnannotations: List[Dict[str, Any]] = hints[tag]
+            if self._toxml:
+                if tag in self.userdata:
+                    self.userdata[tag].update(fnannotations)
+                else:
+                    self.userdata[tag] = FunctionAnnotations(fnannotations)
+            else:
+                if tag in self.astdata:
+                    self.astdata[tag].update(fnannotations)
+                else:
+                    self.astdata[tag] = FunctionAnnotations(fnannotations)
+
         if "function-names" in hints:
             tag = "function-names"
             fnames: Dict[str, str] = hints[tag]
diff --git a/chb/util/fileutil.py b/chb/util/fileutil.py
index 52a1acb7..181e20e1 100644
--- a/chb/util/fileutil.py
+++ b/chb/util/fileutil.py
@@ -48,6 +48,7 @@
     x_bdict.xml             basic types
     x_ixdict.xml            interface types
     x_global_state.xml
+    x_global_locations.xml
     x_system_info.xml
     x_functions.jar
     x_asm.log
@@ -531,6 +532,21 @@ def get_systeminfo_xnode(path: str, xfile: str) -> ET.Element:
     return get_chb_xnode(filename, "system-info")
 
 
+def has_global_locations_file(path:str, xfile: str) -> bool:
+    filename = get_global_locations_filename(path, xfile)
+    return os.path.isfile(filename)
+
+
+def get_global_locations_filename(path: str, xfile: str) -> str:
+    fdir = get_analysis_dir(path, xfile)
+    return get_chb_filename(fdir, xfile, "global_locations.xml")
+
+
+def get_global_locations_xnode(path: str, xfile: str) -> ET.Element:
+    filename = get_global_locations_filename(path, xfile)
+    return get_chb_xnode(filename, "global-locations")
+
+
 def get_tcdictionary_filename(path: str, xfile: str) -> str:
     fdir = get_analysis_dir(path, xfile)
     return get_chb_filename(fdir, xfile, "tcdict.xml")