diff --git a/CMakeLists.txt b/CMakeLists.txt
index 71d5d4d03..4bc700aa9 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -99,6 +99,8 @@ endif ()
 # The target arch:
 if (CMAKE_SYSTEM_PROCESSOR MATCHES "^arm")
   set(ARM 1)
+elseif (CMAKE_SYSTEM_PROCESSOR MATCHES "^aarch64")
+  set(AARCH64 1)
 else ()
   set(X86 1)
 endif ()
@@ -329,13 +331,18 @@ if (UNIX)
   endif ()
   if (ARM)
     set(EXTRA_FLAGS "${EXTRA_FLAGS} -mthumb -march=armv7-a")
+  endif ()
+  if (AARCH64)
+    set(EXTRA_FLAGS "${EXTRA_FLAGS} -march=armv8-a")
+  endif ()
+  if (ARM OR AARCH64)
     if (ANDROID OR CMAKE_C_LIBRARY_ARCHITECTURE MATCHES "gnueabi$")
       set(EXTRA_FLAGS "${EXTRA_FLAGS} -mfloat-abi=softfp")
       # Android requires PIE.  We export symbols to match our test assumptions.
       set(CMAKE_EXE_LINKER_FLAGS
         "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie -Wl,--export-dynamic")
-    endif ()
   endif ()
+endif ()
   # We use C++11.
   set(EXTRA_CXXFLAGS "-std=c++11")
   set(CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE_UPPER}
@@ -1029,6 +1036,8 @@ set(asm_deps "${DynamoRIO_DIR}/cpp2asm_defines.h")
 
 if (ARM)
   set(asm_file "asm_utils_arm.asm")
+elseif (AARCH64)
+  set(asm_file "asm_utils_aarch64.asm")
 else ()
   set(asm_file "asm_utils_x86.asm")
 endif ()
diff --git a/common/alloc.c b/common/alloc.c
index a83a3d35b..cdb6f4780 100644
--- a/common/alloc.c
+++ b/common/alloc.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -138,7 +138,7 @@ set_brk(byte *new_val)
 #endif
 
 static void
-alloc_hook(void *wrapcxt, INOUT void **user_data);
+alloc_hook(void *wrapcxt, DR_PARAM_INOUT void **user_data);
 
 static void
 handle_alloc_post(void *wrapcxt, void *user_data);
@@ -967,7 +967,7 @@ replace_realloc_size_app(void *p)
 }
 
 static void
-replace_realloc_size_pre(void *wrapcxt, OUT void **user_data)
+replace_realloc_size_pre(void *wrapcxt, DR_PARAM_OUT void **user_data)
 {
     cls_alloc_t *pt = (cls_alloc_t *)
         drmgr_get_cls_field(dr_get_current_drcontext(), cls_idx_alloc);
@@ -995,12 +995,17 @@ generate_jmp_ind_stub(void *drcontext, app_pc tgt_pc, byte *epc)
     instr_t *instr;
     /* assuming %rax is dead, mov pc => %rax; jmp %rax */
     ASSERT(tgt_pc != NULL, "wrong target pc for call stub");
+#ifdef AARCH64
+    /* XXX i#2016: This will fail for far-away targets. */
+    instr = INSTR_CREATE_b(drcontext, opnd_create_pc(tgt_pc));
+#else
     instr = INSTR_CREATE_mov_imm(drcontext,
                                  opnd_create_reg(DR_REG_XAX),
                                  OPND_CREATE_INTPTR(tgt_pc));
     epc = instr_encode(drcontext, instr, epc);
     instr_destroy(drcontext, instr);
     instr = INSTR_CREATE_jmp_ind(drcontext, opnd_create_reg(DR_REG_XAX));
+#endif
     epc = instr_encode(drcontext, instr, epc);
     instr_destroy(drcontext, instr);
     return epc;
@@ -1594,7 +1599,7 @@ modname_is_libc_or_libcpp(const char *modname)
 
 static bool
 distinguish_operator_by_decoding(routine_type_t generic_type,
-                                 routine_type_t *specific_type OUT,
+                                 routine_type_t *specific_type DR_PARAM_OUT,
                                  const char *name, const module_data_t *mod,
                                  size_t modoffs)
 {
@@ -1691,7 +1696,7 @@ distinguish_operator_by_decoding(routine_type_t generic_type,
  */
 static bool
 distinguish_operator_no_argtypes(routine_type_t generic_type,
-                                 routine_type_t *specific_type OUT,
+                                 routine_type_t *specific_type DR_PARAM_OUT,
                                  const char *name, const module_data_t *mod,
                                  size_t modoffs)
 {
@@ -2482,7 +2487,8 @@ find_alloc_routines(const module_data_t *mod, const possible_alloc_routine_t *po
                 instr_init(drcontext, &inst);
                 decode(drcontext, pc, &inst);
                 if (!instr_valid(&inst) || instr_get_opcode(&inst) ==
-                    IF_X86_ELSE(OP_jmp_ind, OP_bx))
+                    IF_AARCH64_ELSE(OP_br || instr_get_opcode(&inst) == OP_blr,
+                    IF_X86_ELSE(OP_jmp_ind, OP_bx)))
                     pc = NULL;
                 instr_free(drcontext, &inst);
             } else
@@ -2588,10 +2594,10 @@ malloc_wrap__unintercept(app_pc pc, routine_type_t type, alloc_routine_entry_t *
  */
 
 #ifdef WINDOWS
-typedef size_t (__stdcall *rtl_size_func_t)(IN reg_t /*really HANDLE*/ Heap,
-                                            IN ULONG flags,
-                                            IN PVOID ptr);
-typedef size_t (*dbg_size_func_t)(IN byte *pc, int blocktype);
+typedef size_t (__stdcall *rtl_size_func_t)(DR_PARAM_IN reg_t /*really HANDLE*/ Heap,
+                                            DR_PARAM_IN ULONG flags,
+                                            DR_PARAM_IN PVOID ptr);
+typedef size_t (*dbg_size_func_t)(DR_PARAM_IN byte *pc, int blocktype);
 #else
 /* points at libc's version, used in initial heap walk */
 alloc_size_func_t libc_malloc_usable_size;
@@ -2944,7 +2950,7 @@ malloc_entry_redzone_size(malloc_entry_t *e)
 }
 
 static void
-malloc_entry_to_info(malloc_entry_t *e, malloc_info_t *info OUT)
+malloc_entry_to_info(malloc_entry_t *e, malloc_info_t *info DR_PARAM_OUT)
 {
     info->struct_size = sizeof(*info);
     info->base = e->start;
@@ -6391,23 +6397,23 @@ handle_userinfo_pre(void *drcontext, cls_alloc_t *pt, void *wrapcxt,
     /* 3 related routines here:
      *   BOOLEAN NTAPI
      *   RtlGetUserInfoHeap(
-     *       IN PVOID HeapHandle,
-     *       IN ULONG Flags,
-     *       IN PVOID BaseAddress,
-     *       OUT PVOID *UserValue,
-     *       OUT PULONG UserFlags);
+     *       DR_PARAM_IN PVOID HeapHandle,
+     *       DR_PARAM_IN ULONG Flags,
+     *       DR_PARAM_IN PVOID BaseAddress,
+     *       DR_PARAM_OUT PVOID *UserValue,
+     *       DR_PARAM_OUT PULONG UserFlags);
      *   BOOLEAN NTAPI
      *   RtlSetUserValueHeap(
-     *       IN PVOID HeapHandle,
-     *       IN ULONG Flags,
-     *       IN PVOID BaseAddress,
-     *       IN PVOID UserValue);
+     *       DR_PARAM_IN PVOID HeapHandle,
+     *       DR_PARAM_IN ULONG Flags,
+     *       DR_PARAM_IN PVOID BaseAddress,
+     *       DR_PARAM_IN PVOID UserValue);
      *   BOOLEAN NTAPI
      *   RtlSetUserFlagsHeap(
-     *       IN PVOID HeapHandle,
-     *       IN ULONG Flags,
-     *       IN PVOID BaseAddress,
-     *       IN ULONG UserFlags);
+     *       DR_PARAM_IN PVOID HeapHandle,
+     *       DR_PARAM_IN ULONG Flags,
+     *       DR_PARAM_IN PVOID BaseAddress,
+     *       DR_PARAM_IN ULONG UserFlags);
      */
     app_pc base = (app_pc) drwrap_get_arg(wrapcxt, 2);
     if (malloc_is_native(base, pt, true))
@@ -6526,7 +6532,7 @@ handle_alloc_pre_ex(void *drcontext, cls_alloc_t *pt, void *wrapcxt,
                     alloc_routine_entry_t *routine);
 
 static void
-alloc_hook(void *wrapcxt, INOUT void **user_data)
+alloc_hook(void *wrapcxt, DR_PARAM_INOUT void **user_data)
 {
     app_pc pc = drwrap_get_func(wrapcxt);
     /* XXX: for -conservative we should do a lookup and not trust *user_data
@@ -6957,7 +6963,7 @@ malloc_large_remove(byte *start)
 }
 
 bool
-malloc_large_lookup(byte *addr, byte **start OUT, size_t *size OUT)
+malloc_large_lookup(byte *addr, byte **start DR_PARAM_OUT, size_t *size DR_PARAM_OUT)
 {
     bool res = false;
     rb_node_t *node;
diff --git a/common/alloc.h b/common/alloc.h
index 96eb8d7db..60af96d1e 100644
--- a/common/alloc.h
+++ b/common/alloc.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2020 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -194,7 +194,7 @@ malloc_add(app_pc start, app_pc end, app_pc real_end,
 
 /* Looks up mallocs in the "large malloc table" (for mallocs used as stacks) */
 bool
-malloc_large_lookup(byte *addr, byte **start OUT, size_t *size OUT);
+malloc_large_lookup(byte *addr, byte **start DR_PARAM_OUT, size_t *size DR_PARAM_OUT);
 
 bool
 malloc_is_pre_us_ex(app_pc start, bool ok_if_invalid);
@@ -275,17 +275,17 @@ alloc_replace_in_cur_arena(byte *addr);
 /* overlap check includes redzone */
 bool
 alloc_replace_overlaps_delayed_free(byte *start, byte *end,
-                                    malloc_info_t *info INOUT);
+                                    malloc_info_t *info DR_PARAM_INOUT);
 
 /* overlap check includes redzone */
 bool
 alloc_replace_overlaps_any_free(byte *start, byte *end,
-                                malloc_info_t *info INOUT);
+                                malloc_info_t *info DR_PARAM_INOUT);
 
 /* overlap check includes redzone */
 bool
 alloc_replace_overlaps_malloc(byte *start, byte *end,
-                              malloc_info_t *info INOUT);
+                              malloc_info_t *info DR_PARAM_INOUT);
 
 /* Allocate application memory for clients.
  * This function can only be used with -replace_malloc and
@@ -379,7 +379,7 @@ client_handle_realloc_null(app_pc pc, dr_mcontext_t *mc);
  * For wrapping:
  *   Up to the caller to delay, via its return value.
  *   Returns the value to pass to free().  Return "tofree" for no change.
- *   The Windows heap param is INOUT so it can be changed as well.
+ *   The Windows heap param is DR_PARAM_INOUT so it can be changed as well.
  *   client_data is from client_add_malloc_routine().
  * For replacing:
  *   The return value is ignored.  Frees are always delayed, unless
@@ -394,7 +394,7 @@ client_handle_realloc_null(app_pc pc, dr_mcontext_t *mc);
 app_pc
 client_handle_free(malloc_info_t *info, byte *tofree, dr_mcontext_t *mc,
                    app_pc free_routine, void *routine_set_data, bool for_reuse
-                   _IF_WINDOWS(ptr_int_t *auxarg INOUT));
+                   _IF_WINDOWS(ptr_int_t *auxarg DR_PARAM_INOUT));
 
 /* For wrapping:
  *   Never called.
diff --git a/common/alloc_replace.c b/common/alloc_replace.c
index 8c5a9de5a..54d9c88b0 100644
--- a/common/alloc_replace.c
+++ b/common/alloc_replace.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -1139,7 +1139,7 @@ arena_delayed_list_full(arena_header_t *arena)
 
 static inline chunk_header_t *
 next_chunk_forward(arena_header_t *arena, chunk_header_t *head,
-                   arena_header_t **container_out OUT)
+                   arena_header_t **container_out DR_PARAM_OUT)
 {
     arena_header_t *container;
     byte *start = ptr_from_header(head);
@@ -2396,11 +2396,11 @@ alloc_iterate(malloc_iter_cb_t cb, void *iter_data, bool only_live)
 
 static bool
 overlap_helper(chunk_header_t *head,
-               malloc_info_t *info INOUT,
+               malloc_info_t *info DR_PARAM_INOUT,
                uint positive_flags,
                uint negative_flags)
 {
-    /* XXX: this is the one INOUT case of this structure.  Once we extend it,
+    /* XXX: this is the one DR_PARAM_INOUT case of this structure.  Once we extend it,
      * we need to handle back-compat struct size here.  For now, header_to_info()
      * is used here and by above internal code that doesn't set struct-size.
      */
@@ -2421,7 +2421,7 @@ overlap_helper(chunk_header_t *head,
 /* Considers alloc_size to overlap, but returns request size in *found_end */
 static bool
 alloc_replace_overlaps_region(byte *start, byte *end,
-                              malloc_info_t *info INOUT,
+                              malloc_info_t *info DR_PARAM_INOUT,
                               uint positive_flags,
                               uint negative_flags)
 {
@@ -2514,21 +2514,21 @@ alloc_replace_overlaps_region(byte *start, byte *end,
 
 bool
 alloc_replace_overlaps_delayed_free(byte *start, byte *end,
-                                    malloc_info_t *info OUT)
+                                    malloc_info_t *info DR_PARAM_OUT)
 {
     return alloc_replace_overlaps_region(start, end, info, CHUNK_DELAY_FREE, 0);
 }
 
 bool
 alloc_replace_overlaps_any_free(byte *start, byte *end,
-                                malloc_info_t *info OUT)
+                                malloc_info_t *info DR_PARAM_OUT)
 {
     return alloc_replace_overlaps_region(start, end, info, CHUNK_FREED, 0);
 }
 
 bool
 alloc_replace_overlaps_malloc(byte *start, byte *end,
-                              malloc_info_t *info OUT)
+                              malloc_info_t *info DR_PARAM_OUT)
 {
     return alloc_replace_overlaps_region(start, end, info, 0, CHUNK_FREED);
 }
@@ -3574,7 +3574,7 @@ replace_context_exit(void *drcontext, bool thread_exit)
 }
 
 static void
-replace_start_nosy_sequence(void *wrapcxt, OUT void **user_data)
+replace_start_nosy_sequence(void *wrapcxt, DR_PARAM_OUT void **user_data)
 {
     cls_replace_t *data = (cls_replace_t *)
         drmgr_get_cls_field(dr_get_current_drcontext(), cls_idx_replace);
@@ -3588,7 +3588,7 @@ replace_start_nosy_sequence(void *wrapcxt, OUT void **user_data)
 }
 
 static void
-replace_stop_nosy_sequence(void *wrapcxt, OUT void **user_data)
+replace_stop_nosy_sequence(void *wrapcxt, DR_PARAM_OUT void **user_data)
 {
     cls_replace_t *data = (cls_replace_t *)
         drmgr_get_cls_field(dr_get_current_drcontext(), cls_idx_replace);
@@ -4201,7 +4201,8 @@ replace_ignore_arg5(void *arg1, void *arg2, void *arg3, void *arg4, void *arg5)
  * RtlHeap iteration replacement routines
  */
 
-typedef NTSTATUS (*PHEAP_ENUMERATION_ROUTINE)(IN PVOID HeapHandle, IN PVOID UserParam);
+typedef NTSTATUS (*PHEAP_ENUMERATION_ROUTINE)(DR_PARAM_IN PVOID HeapHandle,
+                                              DR_PARAM_IN PVOID UserParam);
 
 typedef struct _getheaps_data_t {
     ULONG actual_len;
@@ -4700,7 +4701,8 @@ alloc_entering_replace_routine(app_pc pc)
 
 static bool
 func_interceptor(routine_type_t type, bool check_mismatch, bool check_winapi_match,
-                 void **routine OUT, bool *at_entry OUT, uint *stack OUT)
+                 void **routine DR_PARAM_OUT, bool *at_entry DR_PARAM_OUT,
+                 uint *stack DR_PARAM_OUT)
 {
     /* almost everything is at the callee entry */
     *at_entry = true;
diff --git a/common/asm_utils.h b/common/asm_utils.h
index be7a28a00..dbc3d6ef5 100644
--- a/common/asm_utils.h
+++ b/common/asm_utils.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -25,11 +25,12 @@
 
 /* Returns the current values of xsp and xbp */
 void
-get_stack_registers(reg_t *xsp OUT, reg_t *xbp OUT);
+get_stack_registers(reg_t *xsp DR_PARAM_OUT, reg_t *xbp DR_PARAM_OUT);
 
 /* Returns the current values of xsp and xbp */
 void
-get_unwind_registers(reg_t *xsp OUT, reg_t *xbp OUT, app_pc *xip OUT);
+get_unwind_registers(reg_t *xsp DR_PARAM_OUT, reg_t *xbp DR_PARAM_OUT,
+                     app_pc *xip DR_PARAM_OUT);
 
 #ifdef UNIX
 ptr_int_t
diff --git a/common/asm_utils_aarch64.asm b/common/asm_utils_aarch64.asm
new file mode 100644
index 000000000..a6ddca73a
--- /dev/null
+++ b/common/asm_utils_aarch64.asm
@@ -0,0 +1,145 @@
+/* **********************************************************
+ * Copyright (c) 2012-2022 Google, Inc.  All rights reserved.
+ * **********************************************************/
+
+/* Dr. Memory: the memory debugger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation;
+ * version 2.1 of the License, and no later version.
+
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Library General Public License for more details.
+
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/* **********************************************************
+ * Portions Copyright (c) 2014-2015 Google, Inc.  All rights reserved.
+ * ***********************************************************/
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * * Redistributions of source code must retain the above copyright notice,
+ *   this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright notice,
+ *   this list of conditions and the following disclaimer in the documentation
+ *   and/or other materials provided with the distribution.
+ *
+ * * Neither the name of Google, Inc. nor the names of its contributors may be
+ *   used to endorse or promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+
+/***************************************************************************
+ * assembly utilities
+ */
+
+#include "cpp2asm_defines.h"
+
+START_FILE
+
+/* void get_stack_registers(reg_t *sp OUT, reg_t *fp OUT) */
+/* Assuming x0 and x1 hold addresses of the memory locations for the
+ * arguments which are passed by reference.
+ */
+#define FUNCNAME get_stack_registers
+        DECLARE_FUNC(FUNCNAME)
+GLOBAL_LABEL(FUNCNAME:)
+        mov      x2, SP
+        str      x2, [x0]
+        str      fp, [x1]
+        ret
+        END_FUNC(FUNCNAME)
+#undef FUNCNAME
+
+
+/* void get_unwind_registers(reg_t *sp OUT, reg_t *fp OUT, app_pc *pc OUT) */
+#define FUNCNAME get_unwind_registers
+        DECLARE_FUNC(FUNCNAME)
+GLOBAL_LABEL(FUNCNAME:)
+        mov      x2, SP
+        str      x2, [x0]
+        str      fp, [x1]
+        str      lr, [x2]
+        ret
+        END_FUNC(FUNCNAME)
+#undef FUNCNAME
+
+
+#ifdef LINUX
+/* Straight from DynamoRIO.
+ * Signature: raw_syscall(sysnum, num_args, arg1, arg2, ...)
+ * x8 - syscall number
+ * x0 to x6 - syscall arguments
+ */
+        DECLARE_FUNC(raw_syscall)
+GLOBAL_LABEL(raw_syscall:)
+        /* Set up first 6 args and read 7th arg from stack
+         * only if there are at least 7 args. */
+        cmp      w1, #7
+        mov      x8, x0
+        mov      x0, x2
+        mov      x1, x3
+        mov      x2, x4
+        mov      x3, x5
+        mov      x4, x6
+        mov      x5, x7
+        b.cc     1f
+1:
+        svc      #0
+        ret
+        END_FUNC(raw_syscall)
+#endif /* LINUX */
+
+
+/* void zero_pointers_on_stack(size_t count);
+ * assuming count must be multiple of ARG_SZ
+ *
+ * Scans the memory in [xsp - count - ARG_SZ, xsp - ARG_SZ) and set it to 0
+ * if the content looks like a pointer (> 0x10000).
+ * Meant to be used to zero the stack, which is dangerous to do
+ * from C as we can easily clobber our own local variables.
+ */
+#define FUNCNAME zero_pointers_on_stack
+        DECLARE_FUNC_SEH(FUNCNAME)
+GLOBAL_LABEL(FUNCNAME:)
+        neg      x0, x0
+        sub      x0, x0, #ARG_SZ
+        mov      x2, #0
+1:
+        /* we assume no pointer pointing to address below 0x10000 */
+        ldr      x1, [SP, x0]
+        cmp      x1, HEX(10000)
+        b.le     2f /* skip store if not a pointer */
+        str      x2, [SP, x0]
+2:
+        add      x0, x0, #ARG_SZ
+        cmp      x0, #-ARG_SZ
+        bne      1b
+        ret
+        END_FUNC(FUNCNAME)
+#undef FUNCNAME
+
+
+END_FILE
diff --git a/common/callstack.c b/common/callstack.c
index e00ae65d1..771ce9799 100644
--- a/common/callstack.c
+++ b/common/callstack.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -290,10 +290,12 @@ static hashtable_t retaddr_table;
 
 static dr_emit_flags_t
 event_basic_block_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                           bool for_trace, bool translating, OUT void **user_data);
+                           bool for_trace, bool translating,
+                           DR_PARAM_OUT void **user_data);
 
 static bool
-module_lookup(byte *pc, app_pc *start OUT, size_t *size OUT, modname_info_t **name OUT);
+module_lookup(byte *pc, app_pc *start DR_PARAM_OUT, size_t *size DR_PARAM_OUT,
+              modname_info_t **name DR_PARAM_OUT);
 
 static void
 modname_info_free(void *p);
@@ -497,7 +499,8 @@ callstack_thread_exit(void *drcontext)
 
 static dr_emit_flags_t
 event_basic_block_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                           bool for_trace, bool translating, OUT void **user_data)
+                           bool for_trace, bool translating,
+                           DR_PARAM_OUT void **user_data)
 {
     instr_t *instr;
     ASSERT(!TEST(FP_SEARCH_ALLOW_UNSEEN_RETADDR, ops.fp_flags), "hashtable not init!");
@@ -517,7 +520,7 @@ event_basic_block_analysis(void *drcontext, void *tag, instrlist_t *bb,
 /***************************************************************************/
 
 static void
-init_symbolized_frame(symbolized_frame_t *frame OUT, uint frame_num)
+init_symbolized_frame(symbolized_frame_t *frame DR_PARAM_OUT, uint frame_num)
 {
     memset(frame, 0, sizeof(*frame));
     frame->num = frame_num;
@@ -527,8 +530,8 @@ init_symbolized_frame(symbolized_frame_t *frame OUT, uint frame_num)
 
 /* Symbol lookup: i#44/PR 243532 */
 static void
-lookup_func_and_line(symbolized_frame_t *frame OUT,
-                     modname_info_t *name_info IN, size_t modoffs)
+lookup_func_and_line(symbolized_frame_t *frame DR_PARAM_OUT,
+                     modname_info_t *name_info DR_PARAM_IN, size_t modoffs)
 {
     drsym_error_t symres;
     drsym_info_t sym;
@@ -672,7 +675,7 @@ dump_app_stack(void *drcontext, tls_callstack_t *pt, dr_mcontext_t *mc, size_t a
 #endif
 
 static bool
-frame_include_srcfile(symbolized_frame_t *frame IN)
+frame_include_srcfile(symbolized_frame_t *frame DR_PARAM_IN)
 {
     return (frame->fname[0] != '\0' &&
             /* i#589: support hiding source files matching pattern */
@@ -694,7 +697,7 @@ frame_include_srcfile(symbolized_frame_t *frame IN)
  *  5  KERNEL32.dll!BaseProcessStart+0x27 (0x7d4e9982 <KERNEL32.dll+0x29982>)
  */
 static void
-print_file_and_line(symbolized_frame_t *frame IN,
+print_file_and_line(symbolized_frame_t *frame DR_PARAM_IN,
                     char *buf, size_t bufsz, size_t *sofar,
                     uint print_flags, const char *prefix,
                     bool include_srcfile)
@@ -754,7 +757,7 @@ print_file_and_line(symbolized_frame_t *frame IN,
 #endif
 
 static void
-print_frame(symbolized_frame_t *frame IN,
+print_frame(symbolized_frame_t *frame DR_PARAM_IN,
             char *buf, size_t bufsz, size_t *sofar,
             bool use_custom_flags, uint custom_flags,
             size_t max_func_len, const char *prefix)
@@ -867,7 +870,8 @@ print_frame(symbolized_frame_t *frame IN,
  * sub1_sym is for PR 543863: subtract one from retaddrs in callstacks
  */
 static bool
-address_to_frame(symbolized_frame_t *frame OUT, packed_callstack_t *pcs OUT,
+address_to_frame(symbolized_frame_t *frame DR_PARAM_OUT,
+                 packed_callstack_t *pcs DR_PARAM_OUT,
                  app_pc pc, module_data_t *mod_in /*optional*/,
                  bool skip_non_module, bool sub1_sym, uint frame_num)
 {
@@ -961,7 +965,7 @@ static bool
 print_address_common(char *buf, size_t bufsz, size_t *sofar,
                      app_pc pc, module_data_t *mod_in /*optional*/,
                      bool skip_non_module, bool sub1_sym, bool for_log,
-                     bool *last_frame OUT, uint frame_num)
+                     bool *last_frame DR_PARAM_OUT, uint frame_num)
 {
     symbolized_frame_t frame; /* 480 bytes but our stack can handle it */
     if (address_to_frame(&frame, NULL, pc, mod_in, skip_non_module, sub1_sym, 0)) {
@@ -1072,57 +1076,68 @@ is_retaddr(app_pc pc, bool exclude_tool_lib)
         bool match;
         STATS_INC(cstack_is_retaddr_backdecode);
         DR_TRY_EXCEPT(dr_get_current_drcontext(), {
-            IF_X86_ELSE({
-                match = ((*(pc - 5) == OP_CALL_DIR
-                      /* rule out call to next instr used for PIC */
-                      IF_UNIX(&& *(int*)(pc - 4) != 0)) ||
-                     (*(pc - 2) == OP_CALL_IND &&
-                      /* indirect through mem: 0xff /2 (mod==0)
-                       *   => top 5 bits are 0x02, and rule out disp32 (rm==0x5)
-                       */
-                      ((((*(pc - 1) >> 3) == 0x02) && ((*(pc - 1) & 0x3) != 0x5)) ||
-                       /* indirect through reg: 0xff /2 (mod==3)
+            IF_AARCH64_ELSE(
+                match =
+                    // XXX i#2016: Should be checked, BLR + PAC variation?
+                    /* A64 bl <label> */
+                    ((*(pc - 1) & 0xfc) == 0x94) ||
+                    /* A64 blr <reg> */
+                    ((*(pc - 1) == 0xd6) &&
+                    *(pc - 2) == 0x3f &&
+                    (*(pc - 3) & 0xfc) == 0x00 &&
+                    ((*(pc - 4) & 0x3f) == 0x00));
+                , IF_X86_ELSE({
+                    match =
+                        ((*(pc - 5) == OP_CALL_DIR
+                        /* rule out call to next instr used for PIC */
+                        IF_UNIX(&& *(int*)(pc - 4) != 0)) ||
+                        (*(pc - 2) == OP_CALL_IND &&
+                        /* indirect through mem: 0xff /2 (mod==0)
+                        *   => top 5 bits are 0x02, and rule out disp32 (rm==0x5)
+                        */
+                        ((((*(pc - 1) >> 3) == 0x02) && ((*(pc - 1) & 0x3) != 0x5)) ||
+                        /* indirect through reg: 0xff /2 (mod==3)
                         *   => top 5 bits are 0xd0 (0x3 << 3 | 0x2)
                         */
-                       ((*(pc - 1) & 0xf8) == 0xd0))) ||
-                     /* indirect through mem: 0xff /2 + disp8 (mod==1) */
-                     (*(pc - 3) == OP_CALL_IND && ((*(pc - 2) >> 3) == 0x0a)) ||
-                     /* indirect through mem: 0xff /2 + disp32 (mod==2) */
-                     (*(pc - 6) == OP_CALL_IND &&
-                      ((*(pc - 5) >> 3) == 0x12 || *(pc - 5) == 0x15)
-                      /* i#1217: rule out WOW64 syscall from DR code invoked on app
-                       * stack by -replace_malloc.  We always have a syscall
-                       * in an app_loc_t so we should never need it in a frame.
-                       */
-                      IF_NOT_X64(&& (*(uint*)(pc - 4) != WOW64_SYSOFFS ||
-                                     *(pc - 7) != OP_SEG_FS))
-                      ) ||
-                     /* indirect through mem: 0xff /2 + sib (w/o sib reg=5) */
-                     (*(pc - 3) == OP_CALL_IND &&
-                      (*(pc - 2) == 0x14 && ((*(pc - 1) & 0x3) != 5))));
-            }, {
-                match =
-                    (is_thumb &&
-                     /* T32 bl <label> */
-                     ((((*(pc - 3) & 0xf0) == 0xf0) &&
-                       ((*(pc - 1) & 0xd0) == 0xd0)) ||
-                      /* T32 blx <label> */
-                      (((*(pc - 3) & 0xf0) == 0xf0) &&
-                       ((*(pc - 1) & 0xd0) == 0xc0)) ||
-                      /* T32 blx <reg> */
-                      (*(pc - 1) == 0x47 &&
-                       ((*(pc - 2) & 0x87) == 0x80)))) ||
-                    (!is_thumb &&
-                     /* A32 bl <label> */
-                     (((*(pc - 1) & 0x0f) == 0x0b) ||
-                      /* A32 blx <label> */
-                      ((*(pc - 1) & 0xfe) == 0xfa) ||
-                      /* A32 blx <reg> */
-                      (((*(pc - 1) & 0x0f) == 0x01) &&
-                       *(pc - 2) == 0x2f &&
-                       *(pc - 3) == 0xff &&
-                       ((*(pc - 4) & 0xf0) == 0x30))));
-            })
+                        ((*(pc - 1) & 0xf8) == 0xd0))) ||
+                        /* indirect through mem: 0xff /2 + disp8 (mod==1) */
+                        (*(pc - 3) == OP_CALL_IND && ((*(pc - 2) >> 3) == 0x0a)) ||
+                        /* indirect through mem: 0xff /2 + disp32 (mod==2) */
+                        (*(pc - 6) == OP_CALL_IND &&
+                        ((*(pc - 5) >> 3) == 0x12 || *(pc - 5) == 0x15)
+                        /* i#1217: rule out WOW64 syscall from DR code invoked on app
+                        * stack by -replace_malloc.  We always have a syscall
+                        * in an app_loc_t so we should never need it in a frame.
+                        */
+                        IF_NOT_X64(&& (*(uint*)(pc - 4) != WOW64_SYSOFFS ||
+                                        *(pc - 7) != OP_SEG_FS))
+                        ) ||
+                        /* indirect through mem: 0xff /2 + sib (w/o sib reg=5) */
+                        (*(pc - 3) == OP_CALL_IND &&
+                        (*(pc - 2) == 0x14 && ((*(pc - 1) & 0x3) != 5))));
+                }, {
+                    match =
+                        (is_thumb &&
+                        /* T32 bl <label> */
+                        ((((*(pc - 3) & 0xf0) == 0xf0) &&
+                        ((*(pc - 1) & 0xd0) == 0xd0)) ||
+                        /* T32 blx <label> */
+                        (((*(pc - 3) & 0xf0) == 0xf0) &&
+                        ((*(pc - 1) & 0xd0) == 0xc0)) ||
+                        /* T32 blx <reg> */
+                        (*(pc - 1) == 0x47 &&
+                        ((*(pc - 2) & 0x87) == 0x80)))) ||
+                        (!is_thumb &&
+                        /* A32 bl <label> */
+                        (((*(pc - 1) & 0x0f) == 0x0b) ||
+                        /* A32 blx <label> */
+                        ((*(pc - 1) & 0xfe) == 0xfa) ||
+                        /* A32 blx <reg> */
+                        (((*(pc - 1) & 0x0f) == 0x01) &&
+                        *(pc - 2) == 0x2f &&
+                        *(pc - 3) == 0xff &&
+                        ((*(pc - 4) & 0xf0) == 0x30))));
+            }))
         }, { /* EXCEPT */
             match = false;
             /* If we end up with a lot of these we could either cache
@@ -1240,49 +1255,56 @@ check_retaddr_targets_frame(app_pc frame_addr, app_pc next_retaddr, bool fp_walk
              * system calls (i#1436).
              */
             DR_TRY_EXCEPT(dr_get_current_drcontext(), {
-                IF_X86_ELSE({
-                    if (*(pc - 5) == OP_CALL_DIR) {
-                        pc = *(int*)(pc - 4) + pc;
-                        /* Follow "call; jmp*", where jmp* is 0xff /4.
-                         * Allow endbr{32,64} before.
-                         */
-                        if (*(int*)pc == IF_X64_ELSE(ENDBR64,ENDBR32))
-                            pc += 4;
-                        if (*pc != OP_JMP_IND ||
-                            ((*(pc + 1) >> 3) != 0x14 && *(pc + 1) != 0x25))
-                            res = false;
+                IF_AARCH64_ELSE({
+                    /* A64 bl <label>: 100101xxxxxxxxxxxxxxxxxxxxxxxxxx */
+                    if (((*((int*)(pc - 4))) & 0x94000000) == 0x94000000) {
+                        /* TODO i#2016: Rule out call;jmp*. */
+                        res = false;
                     }
                 }, {
-                    /* We assume the PLT is always ARM and looks sthg like this:
-                     *    0xe28fc600  add     r12, pc, #0, 12
-                     *    0xe28cca08  add     r12, r12, #8, 20        ; 0x8000
-                     *    0xe5bcfaf4  ldr     pc, [r12, #2804]!       ; 0xaf4
-                     */
-                    if ((is_thumb &&
-                         /* T32 bl <label> */
-                         ((*(pc - 3) & 0xf0) == 0xf0) &&
-                         ((*(pc - 1) & 0xd0) == 0xd0)) ||
-                        (!is_thumb &&
-                         /* A32 blx <reg> */
-                         ((*(pc - 1) & 0x0f) == 0x01) &&
-                         *(pc - 2) == 0x2f &&
-                         *(pc - 3) == 0xff &&
-                         ((*(pc - 4) & 0xf0) == 0x30)))
-                        res = false;
-                    else if ((is_thumb &&
-                         /* T32 blx <label> */
-                         ((*(pc - 3) & 0xf0) == 0xf0) &&
-                         ((*(pc - 1) & 0xd0) == 0xc0)) ||
-                        (!is_thumb &&
-                         /* A32 bl <label> */
-                         ((*(pc - 1) & 0x0f) == 0x09))) {
-                        pc = get_call_target(pc - 4, is_thumb);
-                        LOG(4, "%s: call tgt is "PFX"\n", __FUNCTION__, pc);
-                        /* Just look for an add -- rare in func prologue 1st instr */
-                        if (((*(uint*)pc) & 0xe2800000) == 0xe2800000)
+                    IF_X86_ELSE({
+                        if (*(pc - 5) == OP_CALL_DIR) {
+                            pc = *(int*)(pc - 4) + pc;
+                            /* Follow "call; jmp*", where jmp* is 0xff /4.
+                             * Allow endbr{32,64} before.
+                             */
+                            if (*(int*)pc == IF_X64_ELSE(ENDBR64,ENDBR32))
+                                pc += 4;
+                            if (*pc != OP_JMP_IND ||
+                                ((*(pc + 1) >> 3) != 0x14 && *(pc + 1) != 0x25))
+                                res = false;
+                        }
+                    }, {
+                        /* We assume the PLT is always ARM and looks sthg like this:
+                        *    0xe28fc600  add     r12, pc, #0, 12
+                        *    0xe28cca08  add     r12, r12, #8, 20        ; 0x8000
+                        *    0xe5bcfaf4  ldr     pc, [r12, #2804]!       ; 0xaf4
+                        */
+                        if ((is_thumb &&
+                            /* T32 bl <label> */
+                            ((*(pc - 3) & 0xf0) == 0xf0) &&
+                            ((*(pc - 1) & 0xd0) == 0xd0)) ||
+                            (!is_thumb &&
+                            /* A32 blx <reg> */
+                            ((*(pc - 1) & 0x0f) == 0x01) &&
+                            *(pc - 2) == 0x2f &&
+                            *(pc - 3) == 0xff &&
+                            ((*(pc - 4) & 0xf0) == 0x30)))
                             res = false;
-                    }
-                })
+                        else if ((is_thumb &&
+                            /* T32 blx <label> */
+                            ((*(pc - 3) & 0xf0) == 0xf0) &&
+                            ((*(pc - 1) & 0xd0) == 0xc0)) ||
+                            (!is_thumb &&
+                            /* A32 bl <label> */
+                            ((*(pc - 1) & 0x0f) == 0x09))) {
+                            pc = get_call_target(pc - 4, is_thumb);
+                            LOG(4, "%s: call tgt is "PFX"\n", __FUNCTION__, pc);
+                            /* Just look for an add -- rare in func prologue 1st instr */
+                            if (((*(uint*)pc) & 0xe2800000) == 0xe2800000)
+                                res = false;
+                        }
+                })})
             }, { /* EXCEPT */
                 res = false;
                 LOG(3, "%s: can't read "PFX"\n", __FUNCTION__, pc);
@@ -1773,7 +1795,8 @@ print_callstack(char *buf, size_t bufsz, size_t *sofar, dr_mcontext_t *mc,
     }
 #endif
 
-    if (MC_SP_REG(mc) != 0 &&
+    /* XXX i#2016: Does frame walk code work for a64?  Disabling for now. */
+    if (IF_AARCH64(false &&) MC_SP_REG(mc) != 0 &&
         (!ALIGNED(MC_FP_REG(mc), sizeof(void*)) ||
          MC_FP_REG(mc) < MC_SP_REG(mc) ||
          MC_FP_REG(mc) - MC_SP_REG(mc) > ops.stack_swap_threshold ||
@@ -2197,7 +2220,8 @@ packed_callstack_first_frame_retaddr(packed_callstack_t *pcs)
 /* Returns false if a syscall.  If returns true, also fills in the OUT params. */
 static bool
 packed_callstack_frame_modinfo(packed_callstack_t *pcs, uint frame,
-                               modname_info_t **name_info OUT, size_t *modoffs OUT)
+                               modname_info_t **name_info DR_PARAM_OUT,
+                               size_t *modoffs DR_PARAM_OUT)
 {
     modname_info_t *info = NULL;
     size_t offs = 0;
@@ -2241,8 +2265,8 @@ packed_callstack_frame_modinfo(packed_callstack_t *pcs, uint frame,
 }
 
 static void
-packed_frame_to_symbolized(packed_callstack_t *pcs IN, symbolized_frame_t *frame OUT,
-                           uint idx)
+packed_frame_to_symbolized(packed_callstack_t *pcs DR_PARAM_IN,
+                           symbolized_frame_t *frame DR_PARAM_OUT, uint idx)
 {
     modname_info_t *info = NULL;
     size_t offs;
@@ -2327,8 +2351,8 @@ packed_callstack_print(packed_callstack_t *pcs, uint num_frames,
 }
 
 void
-packed_callstack_to_symbolized(packed_callstack_t *pcs IN,
-                               symbolized_callstack_t *scs OUT)
+packed_callstack_to_symbolized(packed_callstack_t *pcs DR_PARAM_IN,
+                               symbolized_callstack_t *scs DR_PARAM_OUT)
 {
     uint i;
     STATS_INC(callstacks_symbolized);
@@ -2598,7 +2622,7 @@ packed_callstack_add_to_table(hashtable_t *table, packed_callstack_t *pcs
  */
 
 void
-symbolized_callstack_print(const symbolized_callstack_t *scs IN,
+symbolized_callstack_print(const symbolized_callstack_t *scs DR_PARAM_IN,
                            char *buf, size_t bufsz, size_t *sofar,
                            const char *prefix, bool for_log)
 {
@@ -2841,7 +2865,7 @@ callstack_module_remove_region(app_pc start, app_pc end)
 
 static void
 callstack_module_get_text_bounds(const module_data_t *info, bool loaded,
-                                 app_pc *start OUT, app_pc *end OUT)
+                                 app_pc *start DR_PARAM_OUT, app_pc *end DR_PARAM_OUT)
 {
     ASSERT(loaded, "only supports fully loaded modules");
 #ifdef UNIX
@@ -2968,7 +2992,8 @@ callstack_module_unload(void *drcontext, const module_data_t *info)
 }
 
 static bool
-module_lookup(byte *pc, app_pc *start OUT, size_t *size OUT, modname_info_t **name)
+module_lookup(byte *pc, app_pc *start DR_PARAM_OUT, size_t *size DR_PARAM_OUT,
+              modname_info_t **name)
 {
     rb_node_t *node;
     bool res = false;
@@ -3053,7 +3078,7 @@ module_lookup_preferred_name(byte *pc)
 }
 
 void *
-module_lookup_user_data(byte *pc, app_pc *start OUT, size_t *size OUT)
+module_lookup_user_data(byte *pc, app_pc *start DR_PARAM_OUT, size_t *size DR_PARAM_OUT)
 {
     modname_info_t *name_info;
     bool found = module_lookup(pc, NULL, NULL, &name_info);
diff --git a/common/callstack.h b/common/callstack.h
index cf69238f2..33438b28f 100644
--- a/common/callstack.h
+++ b/common/callstack.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -383,7 +383,7 @@ module_lookup_preferred_name(byte *pc);
  * Optionally returns the module bounds as well.
  */
 void *
-module_lookup_user_data(byte *pc, app_pc *start OUT, size_t *size OUT);
+module_lookup_user_data(byte *pc, app_pc *start DR_PARAM_OUT, size_t *size DR_PARAM_OUT);
 
 /* Warns once about modules that don't have symbols, and records them in a
  * logfile so they can be fetched at the end of execution.
@@ -411,11 +411,11 @@ typedef struct _symbolized_callstack_t {
 } symbolized_callstack_t;
 
 void
-packed_callstack_to_symbolized(packed_callstack_t *pcs IN,
-                               symbolized_callstack_t *scs OUT);
+packed_callstack_to_symbolized(packed_callstack_t *pcs DR_PARAM_IN,
+                               symbolized_callstack_t *scs DR_PARAM_OUT);
 
 void
-symbolized_callstack_print(const symbolized_callstack_t *scs IN,
+symbolized_callstack_print(const symbolized_callstack_t *scs DR_PARAM_IN,
                            char *buf, size_t bufsz, size_t *sofar,
                            const char *prefix, bool for_log);
 
diff --git a/common/heap.c b/common/heap.c
index db3120c15..cb1df262c 100644
--- a/common/heap.c
+++ b/common/heap.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2009-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -185,7 +185,7 @@ get_ntdll_base(void)
  * just one libc.
  */
 app_pc
-get_libc_base(app_pc *libc_end_out OUT)
+get_libc_base(app_pc *libc_end_out DR_PARAM_OUT)
 {
     static app_pc libc_base, libc_end; /* cached values */
     if (libc_base == NULL) {
@@ -293,15 +293,15 @@ static app_pc ld_so_data_end;
 #endif
 
 #ifdef WINDOWS
-DECLARE_NTDLL(RtlLockHeap, (IN HANDLE Heap));
-DECLARE_NTDLL(RtlUnlockHeap, (IN HANDLE Heap));
-DECLARE_NTDLL(RtlGetProcessHeaps, (IN ULONG count,
-                                   OUT HANDLE *Heaps));
-DECLARE_NTDLL(RtlWalkHeap, (IN HANDLE Heap,
-                            OUT rtl_process_heap_entry_t *Info));
-DECLARE_NTDLL(RtlSizeHeap, (IN HANDLE Heap,
-                            IN ULONG flags,
-                            IN PVOID ptr));
+DECLARE_NTDLL(RtlLockHeap, (DR_PARAM_IN HANDLE Heap));
+DECLARE_NTDLL(RtlUnlockHeap, (DR_PARAM_IN HANDLE Heap));
+DECLARE_NTDLL(RtlGetProcessHeaps, (DR_PARAM_IN ULONG count,
+                                   DR_PARAM_OUT HANDLE *Heaps));
+DECLARE_NTDLL(RtlWalkHeap, (DR_PARAM_IN HANDLE Heap,
+                            DR_PARAM_OUT rtl_process_heap_entry_t *Info));
+DECLARE_NTDLL(RtlSizeHeap, (DR_PARAM_IN HANDLE Heap,
+                            DR_PARAM_IN ULONG flags,
+                            DR_PARAM_IN PVOID ptr));
 
 static void
 heap_walk_init(void)
@@ -329,7 +329,7 @@ static void
 walk_individual_heap(byte *heap,
                      void (*cb_region)(app_pc,app_pc _IF_WINDOWS(HANDLE)),
                      void (*cb_chunk)(app_pc,app_pc),
-                     byte **allocated_end OUT)
+                     byte **allocated_end DR_PARAM_OUT)
 {
     rtl_process_heap_entry_t heap_info;
     size_t size, commit_size, sub_size;
diff --git a/common/heap.h b/common/heap.h
index 27a8fc3eb..89e709229 100644
--- a/common/heap.h
+++ b/common/heap.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2009 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -41,7 +41,7 @@ get_ntdll_base(void);
 #endif
 
 app_pc
-get_libc_base(app_pc *libc_end OUT);
+get_libc_base(app_pc *libc_end DR_PARAM_OUT);
 
 bool
 pc_is_in_libc(app_pc pc);
diff --git a/common/redblack.c b/common/redblack.c
index 98f5f7b52..48a48cb48 100644
--- a/common/redblack.c
+++ b/common/redblack.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2012 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -75,7 +75,8 @@ ptrmax(byte *val1, byte *val2)
 
 /* Retrieve copies of fields.  The node pointer is then no longer needed. */
 void
-rb_node_fields(rb_node_t *node, byte **base OUT, size_t *size OUT, void **client OUT)
+rb_node_fields(rb_node_t *node, byte **base DR_PARAM_OUT, size_t *size DR_PARAM_OUT,
+               void **client DR_PARAM_OUT)
 {
     ASSERT(node != NULL, "invalid param");
     if (base != NULL)
diff --git a/common/redblack.h b/common/redblack.h
index 6ed7a3208..b4f534f1d 100644
--- a/common/redblack.h
+++ b/common/redblack.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -54,7 +54,8 @@ rb_tree_destroy(rb_tree_t *tree);
 
 /* Retrieve copies of fields.  The node pointer is then no longer needed. */
 void
-rb_node_fields(rb_node_t *node, byte **base OUT, size_t *size OUT, void **client OUT);
+rb_node_fields(rb_node_t *node, byte **base DR_PARAM_OUT, size_t *size DR_PARAM_OUT,
+               void **client DR_PARAM_OUT);
 
 /* Modify the client field of a node. */
 void
diff --git a/common/sysnum_linux.h b/common/sysnum_linux.h
index 2e60b0ed2..6b8937b9d 100644
--- a/common/sysnum_linux.h
+++ b/common/sysnum_linux.h
@@ -675,7 +675,345 @@
 
 #endif /* X64 */
 
+#ifdef AARCH64
 
+#define SYS_ni -1
+
+#define SYS_io_setup 0
+#define SYS_io_destroy 1
+#define SYS_io_submit 2
+#define SYS_io_cancel 3
+#define SYS_io_getevents 4
+#define SYS_setxattr 5
+#define SYS_lsetxattr 6
+#define SYS_fsetxattr 7
+#define SYS_getxattr 8
+#define SYS_lgetxattr 9
+#define SYS_fgetxattr 10
+#define SYS_listxattr 11
+#define SYS_llistxattr 12
+#define SYS_flistxattr 13
+#define SYS_removexattr 14
+#define SYS_lremovexattr 15
+#define SYS_fremovexattr 16
+#define SYS_getcwd 17
+#define SYS_lookup_dcookie 18
+#define SYS_eventfd2 19
+#define SYS_epoll_create1 20
+#define SYS_epoll_ctl 21
+#define SYS_epoll_pwait 22
+#define SYS_dup 23
+#define SYS_dup3 24
+#define SYS_fcntl 25
+#define SYS_inotify_init1 26
+#define SYS_inotify_add_watch 27
+#define SYS_inotify_rm_watch 28
+#define SYS_ioctl 29
+#define SYS_ioprio_set 30
+#define SYS_ioprio_get 31
+#define SYS_flock 32
+#define SYS_mknodat 33
+#define SYS_mkdirat 34
+#define SYS_unlinkat 35
+#define SYS_symlinkat 36
+#define SYS_linkat 37
+#define SYS_renameat 38
+#define SYS_umount2 39
+#define SYS_mount 40
+#define SYS_pivot_root 41
+#define SYS_nfsservctl 42
+#define SYS_statfs 43
+#define SYS_fstatfs 44
+#define SYS_truncate 45
+#define SYS_ftruncate 46
+#define SYS_fallocate 47
+#define SYS_faccessat 48
+#define SYS_chdir 49
+#define SYS_fchdir 50
+#define SYS_chroot 51
+#define SYS_fchmod 52
+#define SYS_fchmodat 53
+#define SYS_fchownat 54
+#define SYS_fchown 55
+#define SYS_openat 56
+#define SYS_close 57
+#define SYS_vhangup 58
+#define SYS_pipe2 59
+#define SYS_quotactl 60
+#define SYS_getdents64 61
+#define SYS_lseek 62
+#define SYS_read 63
+#define SYS_write 64
+#define SYS_readv 65
+#define SYS_writev 66
+#define SYS_pread64 67
+#define SYS_pwrite64 68
+#define SYS_preadv 69
+#define SYS_pwritev 70
+#define SYS_sendfile 71
+#define SYS_pselect6 72
+#define SYS_ppoll 73
+#define SYS_signalfd4 74
+#define SYS_vmsplice 75
+#define SYS_splice 76
+#define SYS_tee 77
+#define SYS_readlinkat 78
+#define SYS_fstatat64 79
+#define SYS_fstat 80
+#define SYS_sync 81
+#define SYS_fsync 82
+#define SYS_fdatasync 83
+#define SYS_sync_file_range2 84
+#define SYS_sync_file_range 84
+#define SYS_timerfd_create 85
+#define SYS_timerfd_settime 86
+#define SYS_timerfd_gettime 87
+#define SYS_utimensat 88
+#define SYS_acct 89
+#define SYS_capget 90
+#define SYS_capset 91
+#define SYS_personality 92
+#define SYS_exit 93
+#define SYS_exit_group 94
+#define SYS_waitid 95
+#define SYS_set_tid_address 96
+#define SYS_unshare 97
+#define SYS_futex 98
+#define SYS_set_robust_list 99
+#define SYS_get_robust_list 100
+#define SYS_nanosleep 101
+#define SYS_getitimer 102
+#define SYS_setitimer 103
+#define SYS_kexec_load 104
+#define SYS_init_module 105
+#define SYS_delete_module 106
+#define SYS_timer_create 107
+#define SYS_timer_gettime 108
+#define SYS_timer_getoverrun 109
+#define SYS_timer_settime 110
+#define SYS_timer_delete 111
+#define SYS_clock_settime 112
+#define SYS_clock_gettime 113
+#define SYS_clock_getres 114
+#define SYS_clock_nanosleep 115
+#define SYS_syslog 116
+#define SYS_ptrace 117
+#define SYS_sched_setparam 118
+#define SYS_sched_setscheduler 119
+#define SYS_sched_getscheduler 120
+#define SYS_sched_getparam 121
+#define SYS_sched_setaffinity 122
+#define SYS_sched_getaffinity 123
+#define SYS_sched_yield 124
+#define SYS_sched_get_priority_max 125
+#define SYS_sched_get_priority_min 126
+#define SYS_sched_rr_get_interval 127
+#define SYS_restart_syscall 128
+#define SYS_kill 129
+#define SYS_tkill 130
+#define SYS_tgkill 131
+#define SYS_sigaltstack 132
+#define SYS_rt_sigsuspend 133
+#define SYS_rt_sigaction 134
+#define SYS_rt_sigprocmask 135
+#define SYS_rt_sigpending 136
+#define SYS_rt_sigtimedwait 137
+#define SYS_rt_sigqueueinfo 138
+#define SYS_rt_sigreturn 139
+#define SYS_setpriority 140
+#define SYS_getpriority 141
+#define SYS_reboot 142
+#define SYS_setregid 143
+#define SYS_setgid 144
+#define SYS_setreuid 145
+#define SYS_setuid 146
+#define SYS_setresuid 147
+#define SYS_getresuid 148
+#define SYS_setresgid 149
+#define SYS_getresgid 150
+#define SYS_setfsuid 151
+#define SYS_setfsgid 152
+#define SYS_times 153
+#define SYS_setpgid 154
+#define SYS_getpgid 155
+#define SYS_getsid 156
+#define SYS_setsid 157
+#define SYS_getgroups 158
+#define SYS_setgroups 159
+#define SYS_uname 160
+#define SYS_sethostname 161
+#define SYS_setdomainname 162
+#define SYS_getrlimit 163
+#define SYS_setrlimit 164
+#define SYS_getrusage 165
+#define SYS_umask 166
+#define SYS_prctl 167
+#define SYS_getcpu 168
+#define SYS_gettimeofday 169
+#define SYS_settimeofday 170
+#define SYS_adjtimex 171
+#define SYS_getpid 172
+#define SYS_getppid 173
+#define SYS_getuid 174
+#define SYS_geteuid 175
+#define SYS_getgid 176
+#define SYS_getegid 177
+#define SYS_gettid 178
+#define SYS_sysinfo 179
+#define SYS_mq_open 180
+#define SYS_mq_unlink 181
+#define SYS_mq_timedsend 182
+#define SYS_mq_timedreceive 183
+#define SYS_mq_notify 184
+#define SYS_mq_getsetattr 185
+#define SYS_msgget 186
+#define SYS_msgctl 187
+#define SYS_msgrcv 188
+#define SYS_msgsnd 189
+#define SYS_semget 190
+#define SYS_semctl 191
+#define SYS_semtimedop 192
+#define SYS_semop 193
+#define SYS_shmget 194
+#define SYS_shmctl 195
+#define SYS_shmat 196
+#define SYS_shmdt 197
+#define SYS_socket 198
+#define SYS_socketpair 199
+#define SYS_bind 200
+#define SYS_listen 201
+#define SYS_accept 202
+#define SYS_connect 203
+#define SYS_getsockname 204
+#define SYS_getpeername 205
+#define SYS_sendto 206
+#define SYS_recvfrom 207
+#define SYS_setsockopt 208
+#define SYS_getsockopt 209
+#define SYS_shutdown 210
+#define SYS_sendmsg 211
+#define SYS_recvmsg 212
+#define SYS_readahead 213
+#define SYS_brk 214
+#define SYS_munmap 215
+#define SYS_mremap 216
+#define SYS_add_key 217
+#define SYS_request_key 218
+#define SYS_keyctl 219
+#define SYS_clone 220
+#define SYS_execve 221
+#define SYS_mmap 222
+#define SYS_fadvise64 223
+#define SYS_swapon 224
+#define SYS_swapoff 225
+#define SYS_mprotect 226
+#define SYS_msync 227
+#define SYS_mlock 228
+#define SYS_munlock 229
+#define SYS_mlockall 230
+#define SYS_munlockall 231
+#define SYS_mincore 232
+#define SYS_madvise 233
+#define SYS_remap_file_pages 234
+#define SYS_mbind 235
+#define SYS_get_mempolicy 236
+#define SYS_set_mempolicy 237
+#define SYS_migrate_pages 238
+#define SYS_move_pages 239
+#define SYS_rt_tgsigqueueinfo 240
+#define SYS_perf_event_open 241
+#define SYS_accept4 242
+#define SYS_recvmmsg 243
+#define SYS_arch_specific_syscall 244
+#define SYS_wait4 260
+#define SYS_prlimit64 261
+#define SYS_fanotify_init 262
+#define SYS_fanotify_mark 263
+#define SYS_name_to_handle_at         264
+#define SYS_open_by_handle_at         265
+#define SYS_clock_adjtime 266
+#define SYS_syncfs 267
+#define SYS_setns 268
+#define SYS_sendmmsg 269
+#define SYS_process_vm_readv 270
+#define SYS_process_vm_writev 271
+#define SYS_kcmp 272
+#define SYS_finit_module 273
+#define SYS_sched_setattr 274
+#define SYS_sched_getattr 275
+#define SYS_renameat2 276
+#define SYS_seccomp 277
+#define SYS_getrandom 278
+#define SYS_memfd_create 279
+#define SYS_bpf 280
+#define SYS_execveat 281
+#define SYS_userfaultfd 282
+#define SYS_membarrier 283
+#define SYS_mlock2 284
+#define SYS_copy_file_range 285
+#define SYS_preadv2 286
+#define SYS_pwritev2 287
+#define SYS_pkey_mprotect 288
+#define SYS_pkey_alloc 289
+#define SYS_pkey_free 290
+#define SYS_statx 291
+#define SYS_open 1024
+#define SYS_link 1025
+#define SYS_unlink 1026
+#define SYS_mknod 1027
+#define SYS_chmod 1028
+#define SYS_chown 1029
+#define SYS_mkdir 1030
+#define SYS_rmdir 1031
+#define SYS_lchown 1032
+#define SYS_access 1033
+#define SYS_rename 1034
+#define SYS_readlink 1035
+#define SYS_symlink 1036
+#define SYS_utimes 1037
+#define SYS_stat 1038
+#define SYS_lstat 1039
+#define SYS_pipe 1040
+#define SYS_dup2 1041
+#define SYS_epoll_create 1042
+#define SYS_inotify_init 1043
+#define SYS_eventfd 1044
+#define SYS_signalfd 1045
+#define SYS_sendfile64 1046
+#define SYS_ftruncate64 1047
+#define SYS_truncate64 1048
+#define SYS_stat64 1049
+#define SYS_lstat64 1050
+#define SYS_fstat64 1051
+#define SYS_fcntl64 1052
+#define SYS_fadvise64_64 1053
+#define SYS_newfstatat 1054
+#define SYS_fstatfs64 1055
+#define SYS_statfs64 1056
+#define SYS_llseek 1057
+#define SYS_mmap2 1058
+#define SYS_alarm 1059
+#define SYS_getpgrp 1060
+#define SYS_pause 1061
+#define SYS_time 1062
+#define SYS_utime 1063
+#define SYS_creat 1064
+#define SYS_getdents 1065
+#define SYS_futimesat 1066
+#define SYS_select 1067
+#define SYS_poll 1068
+#define SYS_epoll_wait 1069
+#define SYS_ustat 1070
+#define SYS_vfork 1071
+#define SYS_oldwait4 1072
+#define SYS_recv 1073
+#define SYS_send 1074
+#define SYS_bdflush 1075
+#define SYS_umount 1076
+#define SYS_uselib 1077
+#define SYS_sysctl 1078
+#define SYS_fork 1079
+#else
 /* From Fedora 10's /usr/include/bits/syscall.h */
 #define SYS__sysctl __NR__sysctl
 #define SYS_access __NR_access
@@ -1049,5 +1387,6 @@
 # define SYS_waitpid __NR_waitpid
 #endif
 
+#endif
 
 #endif /* _SYSCALL_NUMS_H_ */
diff --git a/common/utils.c b/common/utils.c
index ba926f654..7431389ae 100644
--- a/common/utils.c
+++ b/common/utils.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -425,6 +425,23 @@ print_mcontext(file_t f, dr_mcontext_t *mc)
                mc->r4, mc->r5, mc->r6, mc->r7,
                mc->r8, mc->r9, mc->r10, mc->r11,
                mc->r12, mc->sp, mc->lr, mc->pc);
+# elif defined(AARCH64)
+    dr_fprintf(f, "\tx0="PFX", x1="PFX", x2="PFX", x3="PFX"\n",
+               "\tx4="PFX", x5="PFX", x6="PFX", x7="PFX"\n",
+               "\tx8="PFX", x9="PFX", x10="PFX", x11="PFX"\n",
+               "\tx12="PFX", x13="PFX", x14="PFX", x15="PFX"\n",
+               "\tx16="PFX", x17="PFX", x18="PFX", x19="PFX"\n",
+               "\tx20="PFX", x21="PFX", x22="PFX", x23="PFX"\n",
+               "\tx24="PFX", x25="PFX", x26="PFX", x27="PFX"\n",
+               "\tx28="PFX", x29="PFX", lr="PFX", sp = "PFX", pc="PFX"\n",
+               mc->r0, mc->r1, mc->r2, mc->r3,
+               mc->r4, mc->r5, mc->r6, mc->r7,
+               mc->r8, mc->r9, mc->r10, mc->r11,
+               mc->r12, mc->r13, mc->r14, mc->r15,
+               mc->r16, mc->r17, mc->r18, mc->r19,
+               mc->r20, mc->r21, mc->r22, mc->r23,
+               mc->r24, mc->r25, mc->r26, mc->r27,
+               mc->r28, mc->r29, mc->r30, mc->sp, mc->pc);
 # endif
 }
 #endif
diff --git a/common/utils.h b/common/utils.h
index aadc00e98..d0691a3ec 100644
--- a/common/utils.h
+++ b/common/utils.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -292,6 +292,10 @@ extern "C" {
 # define MC_RET_REG(mc) (mc)->r0
 # define MC_FP_REG(mc)  (mc)->r11
 # define MC_SP_REG(mc)  (mc)->sp
+#elif defined(AARCH64)
+# define MC_RET_REG(mc) (mc)->r0
+# define MC_FP_REG(mc)  (mc)->r29
+# define MC_SP_REG(mc)  (mc)->sp
 #endif
 
 #define DR_REG_PTR_RETURN IF_X86_ELSE(DR_REG_XAX, DR_REG_R0)
@@ -715,6 +719,53 @@ atomic_add32_return_sum(volatile int *x, int val)
     ATOMIC_ADD_EXCHANGE32(x, val, temp);
     return (temp + val);
 }
+# elif defined(AARCH64)
+#  define ATOMIC_INC32(x)                                   \
+     __asm__ __volatile__(                                  \
+       "1: ldxr  w2, %0         \n\t"                       \
+       "   add   w2, w2, #1     \n\t"                       \
+       "   stxr  w3, w2, %0     \n\t"                       \
+       "   cbnz  w3, 1b         \n\t"                       \
+       "   cmp   w2, #0" /* for possible SET_FLAG use */    \
+       : "=Q" (x) /* no offset for AARCH64 mode */          \
+       : : "cc", "memory", "w2", "w3")
+#  define ATOMIC_DEC32(x)                                   \
+     __asm__ __volatile__(                                  \
+       "1: ldxr  w2, %0         \n\t"                       \
+       "   sub   w2, w2, #1     \n\t"                       \
+       "   stxr  w3, w2, %0     \n\t"                       \
+       "   cbnz  w3, 1b         \n\t"                       \
+       "   cmp   w2, #0" /* for possible SET_FLAG use */    \
+       : "=Q" (x) /* no offset for AARCH64 mode */          \
+       : : "cc", "memory", "w2", "w3")
+#  define ATOMIC_ADD32(x, val)                              \
+     __asm__ __volatile__(                                  \
+       "1: ldxr  w2, %0         \n\t"                       \
+       "   add   x2, x2, %1     \n\t"                       \
+       "   stxr  w3, w2, %0     \n\t"                       \
+       "   cbnz  w3, 1b         \n\t"                       \
+       "   cmp   w2, #0" /* for possible SET_FLAG use */    \
+       : "=Q" (x) /* no offset for AARCH64 mode */          \
+       : "r"  (val)                                         \
+       : "cc", "memory", "w2", "w3")
+#  define ATOMIC_ADD_EXCHANGE32(x, val, result)             \
+     __asm__ __volatile__(                                  \
+       "1: ldxr  w2, %0         \n\t"                       \
+       "   add   x2, x2, %2     \n\t"                       \
+       "   stxr  w3, w2, %0     \n\t"                       \
+       "   cbnz  w3, 1b         \n\t"                       \
+       "   sub   x2, x2, %2     \n\t"                       \
+       "   str   w2, %1"                                    \
+       : "=Q" (*x), "=m" (result)                           \
+       : "r"  (val)                                         \
+       : "cc", "memory", "w2", "w3")
+static inline int
+atomic_add32_return_sum(volatile int *x, int val)
+{
+    int temp;
+    ATOMIC_ADD_EXCHANGE32(x, val, temp);
+    return (temp + val);
+}
 # endif
 #else
 # define ATOMIC_INC32(x) _InterlockedIncrement((volatile LONG *)&(x))
@@ -917,7 +968,7 @@ dr_os_version_t
 get_windows_version(void);
 
 void
-get_windows_version_string(char *buf OUT, size_t bufsz);
+get_windows_version_string(char *buf DR_PARAM_OUT, size_t bufsz);
 
 app_pc
 get_highest_user_address(void);
@@ -1037,8 +1088,8 @@ text_contains_any_string(const char *text, const char *patterns, bool ignore_cas
  * in "sol" and the end of the line (prior to any whitespace, if skip_ws) in "eol".
  */
 const char *
-find_next_line(const char *start, const char *eof, const char **sol OUT,
-               const char **eol OUT, bool skip_ws);
+find_next_line(const char *start, const char *eof, const char **sol DR_PARAM_OUT,
+               const char **eol DR_PARAM_OUT, bool skip_ws);
 
 /***************************************************************************
  * REGISTER CONVERSION UTILITIES
diff --git a/common/utils_shared.c b/common/utils_shared.c
index 4859b13dd..8cfca94a9 100755
--- a/common/utils_shared.c
+++ b/common/utils_shared.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2020 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -113,7 +113,7 @@ drmem_strndup(const char *src, size_t max, heapstat_t type)
 /* see description in header */
 const char *
 find_next_line(const char *start, const char *eof, const char **sol,
-               const char **eol OUT, bool skip_ws)
+               const char **eol DR_PARAM_OUT, bool skip_ws)
 {
     const char *line = start, *newline, *next_line;
     /* First, set "line" to start of line and "newline" to end (pre-whitespace) */
diff --git a/drfuzz/CMakeLists.txt b/drfuzz/CMakeLists.txt
index 8eae1d82f..c07c0e496 100644
--- a/drfuzz/CMakeLists.txt
+++ b/drfuzz/CMakeLists.txt
@@ -50,7 +50,7 @@ endif ()
 # We save pdb+dll space by not using libc (xref DRi#714).
 # For Android, we allow running w/o a private Bionic.
 # For Linux x86 we need libc for div+mod routines.
-if (WIN32 OR ARM OR ANDROID)
+if (WIN32 OR ARM OR ANDROID OR AARCH64)
   set(DynamoRIO_USE_LIBC OFF)
 endif ()
 
diff --git a/drfuzz/drfuzz.c b/drfuzz/drfuzz.c
index 492cfd440..959c7b006 100644
--- a/drfuzz/drfuzz.c
+++ b/drfuzz/drfuzz.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2015-2016 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /*
@@ -122,7 +122,7 @@ typedef struct _pass_target_t {
     void *wrapcxt;
     fuzz_target_t *target;
     reg_t xsp;            /* stack level at entry to the fuzz target */
-#ifdef ARM
+#ifdef AARCHXX
     reg_t lr;             /* link register value at entry */
 #endif
     retaddr_unclobber_t unclobber; /* see comment on retaddr_unclobber_t */
@@ -196,7 +196,7 @@ bb_event(void *drcontext, void *tag, instrlist_t *bb,
          bool for_trace, bool translating);
 
 static void
-pre_fuzz_handler(void *wrapcxt, INOUT void **user_data);
+pre_fuzz_handler(void *wrapcxt, DR_PARAM_INOUT void **user_data);
 
 static void
 post_fuzz_handler(void *wrapcxt, void *user_data);
@@ -547,7 +547,7 @@ drfuzz_get_target_num_bbs(generic_func_t func_pc, uint64 *num_bbs)
 
 DR_EXPORT drmf_status_t
 drfuzz_get_arg(void *fuzzcxt, generic_func_t target_pc, int arg, bool original,
-               OUT void **arg_value)
+               DR_PARAM_OUT void **arg_value)
 {
     fuzz_pass_context_t *fp = (fuzz_pass_context_t *) fuzzcxt;
     pass_target_t *target;
@@ -580,7 +580,7 @@ drfuzz_set_arg(void *fuzzcxt, int arg, void *val)
 }
 
 DR_EXPORT drmf_status_t
-drfuzz_get_target_user_data(IN generic_func_t target_pc, OUT void **user_data)
+drfuzz_get_target_user_data(DR_PARAM_IN generic_func_t target_pc, DR_PARAM_OUT void **user_data)
 {
     fuzz_target_t *target = hashtable_lookup(&fuzz_target_htable, target_pc);
 
@@ -592,8 +592,8 @@ drfuzz_get_target_user_data(IN generic_func_t target_pc, OUT void **user_data)
 }
 
 DR_EXPORT drmf_status_t
-drfuzz_set_target_user_data(IN generic_func_t target_pc, IN void *user_data,
-                            IN void (*delete_callback)(void *user_data))
+drfuzz_set_target_user_data(DR_PARAM_IN generic_func_t target_pc, DR_PARAM_IN void *user_data,
+                            DR_PARAM_IN void (*delete_callback)(void *user_data))
 {
     fuzz_target_t *target = hashtable_lookup(&fuzz_target_htable, target_pc);
 
@@ -606,8 +606,8 @@ drfuzz_set_target_user_data(IN generic_func_t target_pc, IN void *user_data,
 }
 
 DR_EXPORT drmf_status_t
-drfuzz_get_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t target_pc,
-                                       OUT void **user_data)
+drfuzz_get_target_per_thread_user_data(DR_PARAM_IN void *fuzzcxt, DR_PARAM_IN generic_func_t target_pc,
+                                       DR_PARAM_OUT void **user_data)
 {
     fuzz_pass_context_t *fp = (fuzz_pass_context_t *) fuzzcxt;
     pass_target_t *target;
@@ -626,9 +626,9 @@ drfuzz_get_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t targe
 }
 
 DR_EXPORT drmf_status_t
-drfuzz_set_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t target_pc,
-                                       IN void *user_data,
-                                       IN void (*delete_callback)(void *fuzzcxt,
+drfuzz_set_target_per_thread_user_data(DR_PARAM_IN void *fuzzcxt, DR_PARAM_IN generic_func_t target_pc,
+                                       DR_PARAM_IN void *user_data,
+                                       DR_PARAM_IN void (*delete_callback)(void *fuzzcxt,
                                                                   void *user_data))
 {
     fuzz_pass_context_t *fp = (fuzz_pass_context_t *) fuzzcxt;
@@ -649,7 +649,7 @@ drfuzz_set_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t targe
 }
 
 static void
-pre_fuzz_handler(void *wrapcxt, INOUT void **user_data)
+pre_fuzz_handler(void *wrapcxt, DR_PARAM_INOUT void **user_data)
 {
     void *dcontext = drwrap_get_drcontext(wrapcxt);
     app_pc target_to_fuzz = drwrap_get_func(wrapcxt);
@@ -697,7 +697,10 @@ pre_fuzz_handler(void *wrapcxt, INOUT void **user_data)
 #ifdef X86
         live->unclobber.retaddr_loc = (reg_t *) mc->xsp; /* see retaddr_unclobber_t */
 #endif
-        IF_ARM(live->lr = mc->lr);
+
+#ifdef AARCHXX
+    live->lr = mc->lr;
+#endif
         live->unclobber.retaddr = (reg_t) drwrap_get_retaddr(wrapcxt);
         DRFUZZ_LOG(4, "fuzz target "PFX": saving stack pointer "PFX"\n",
                    target_to_fuzz, mc->xsp);
@@ -717,7 +720,7 @@ pre_fuzz_handler(void *wrapcxt, INOUT void **user_data)
         drwrap_set_arg(wrapcxt, i, (void *) live->original_args[i]);
     }
 
-#ifdef ARM
+#ifdef AARCHXX
     mc->lr = live->unclobber.retaddr; /* restore retaddr to link register */
 #else /* X86 */
     *live->unclobber.retaddr_loc = live->unclobber.retaddr; /* restore retaddr to stack */
@@ -751,7 +754,9 @@ post_fuzz_handler(void *wrapcxt, void *user_data)
         /* Restore lr, to avoid incorrect flushes in drwrap from it thinking there
          * is a different retaddr for our repeating function.
          */
-        IF_ARM(mc->lr = live->lr);
+#ifdef AARCHXX
+   mc->lr = live->lr;
+#endif
         mc->pc = live->target->func_pc;
         IF_DEBUG(redirect_status =) drwrap_redirect_execution(wrapcxt);
         DRFUZZ_LOG(4, "fuzz target "PFX" requesting redirect to self entry; result: %d\n",
@@ -1058,7 +1063,7 @@ static drfuzz_mutator_api_t default_mutator = {
 };
 
 DR_EXPORT drmf_status_t
-drfuzz_mutator_load(IN const char *lib_path, INOUT drfuzz_mutator_api_t *api)
+drfuzz_mutator_load(DR_PARAM_IN const char *lib_path, DR_PARAM_INOUT drfuzz_mutator_api_t *api)
 {
     int *ver_compat, *ver_cur;
     char *func;
@@ -1112,7 +1117,7 @@ drfuzz_mutator_load(IN const char *lib_path, INOUT drfuzz_mutator_api_t *api)
 }
 
 DR_EXPORT drmf_status_t
-drfuzz_mutator_unload(IN drfuzz_mutator_api_t *api)
+drfuzz_mutator_unload(DR_PARAM_IN drfuzz_mutator_api_t *api)
 {
     if (api == NULL)
         return DRMF_ERROR_INVALID_PARAMETER;
diff --git a/drfuzz/drfuzz.h b/drfuzz/drfuzz.h
index 6f6bb8fce..285863a91 100644
--- a/drfuzz/drfuzz.h
+++ b/drfuzz/drfuzz.h
@@ -1,5 +1,5 @@
 /* **************************************************************
- * Copyright (c) 2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **************************************************************/
 
 /*
@@ -386,7 +386,7 @@ DR_EXPORT
  * fuzzing function in the case of nested fuzzing.
  */
 drmf_status_t
-drfuzz_get_target_num_bbs(IN generic_func_t target_pc, OUT uint64 *num_bbs);
+drfuzz_get_target_num_bbs(DR_PARAM_IN generic_func_t target_pc, DR_PARAM_OUT uint64 *num_bbs);
 
 DR_EXPORT
 /**
@@ -404,7 +404,7 @@ DR_EXPORT
  */
 drmf_status_t
 drfuzz_get_arg(void *fuzzcxt, generic_func_t target_pc, int arg, bool original,
-               OUT void **arg_value);
+               DR_PARAM_OUT void **arg_value);
 
 DR_EXPORT
 /**
@@ -422,7 +422,7 @@ DR_EXPORT
  * Get the user data associated with the \p target_pc.
  */
 drmf_status_t
-drfuzz_get_target_user_data(IN generic_func_t target_pc, OUT void **user_data);
+drfuzz_get_target_user_data(DR_PARAM_IN generic_func_t target_pc, DR_PARAM_OUT void **user_data);
 
 DR_EXPORT
 /**
@@ -432,8 +432,8 @@ DR_EXPORT
  * \note: Only one slot is provided for the data, so multiple writes will overwrite.
  */
 drmf_status_t
-drfuzz_set_target_user_data(IN generic_func_t target_pc, IN void *user_data,
-                            IN void (*delete_callback)(void *user_data));
+drfuzz_set_target_user_data(DR_PARAM_IN generic_func_t target_pc, DR_PARAM_IN void *user_data,
+                            DR_PARAM_IN void (*delete_callback)(void *user_data));
 
 DR_EXPORT
 /**
@@ -441,8 +441,8 @@ DR_EXPORT
  * \p fuzzcxt is NULL, the fuzzcxt for the current thread will be used (if any).
  */
 drmf_status_t
-drfuzz_get_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t target_pc,
-                                       OUT void **user_data);
+drfuzz_get_target_per_thread_user_data(DR_PARAM_IN void *fuzzcxt, DR_PARAM_IN generic_func_t target_pc,
+                                       DR_PARAM_OUT void **user_data);
 
 DR_EXPORT
 /**
@@ -454,9 +454,9 @@ DR_EXPORT
  * \note: Only one slot is provided for the data, so multiple writes will overwrite.
  */
 drmf_status_t
-drfuzz_set_target_per_thread_user_data(IN void *fuzzcxt, IN generic_func_t target_pc,
-                                       IN void *user_data,
-                                       IN void (*delete_callback)(void *fuzzcxt,
+drfuzz_set_target_per_thread_user_data(DR_PARAM_IN void *fuzzcxt, DR_PARAM_IN generic_func_t target_pc,
+                                       DR_PARAM_IN void *user_data,
+                                       DR_PARAM_IN void (*delete_callback)(void *fuzzcxt,
                                                                   void *user_data));
 
 DR_EXPORT
@@ -506,14 +506,14 @@ DR_EXPORT
  * DRMF_SUCCESS on success.
  */
 drmf_status_t
-drfuzz_mutator_load(IN const char *lib_path, INOUT drfuzz_mutator_api_t *api);
+drfuzz_mutator_load(DR_PARAM_IN const char *lib_path, DR_PARAM_INOUT drfuzz_mutator_api_t *api);
 
 DR_EXPORT
 /**
  * Unloads a custom mutator library.  Returns DRMF_SUCCESS on success.
  */
 drmf_status_t
-drfuzz_mutator_unload(IN drfuzz_mutator_api_t *lib);
+drfuzz_mutator_unload(DR_PARAM_IN drfuzz_mutator_api_t *lib);
 
 
 /*@}*/ /* end doxygen group */
diff --git a/drfuzz/drfuzz_mutator.c b/drfuzz/drfuzz_mutator.c
index 1a298e949..c44354a81 100644
--- a/drfuzz/drfuzz_mutator.c
+++ b/drfuzz/drfuzz_mutator.c
@@ -1,5 +1,5 @@
 /* **************************************************************
- * Copyright (c) 2015-2016 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **************************************************************/
 
 /*
@@ -443,8 +443,10 @@ drfuzz_mutator_set_options(drfuzz_mutator_t *mutator_in,
  */
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_start(OUT drfuzz_mutator_t **mutator_out, IN void *input_seed,
-                     IN size_t size, IN int argc, IN const char *argv[])
+drfuzz_mutator_start(DR_PARAM_OUT drfuzz_mutator_t **mutator_out,
+                     DR_PARAM_IN void *input_seed,
+                     DR_PARAM_IN size_t size, DR_PARAM_IN int argc,
+                     DR_PARAM_IN const char *argv[])
 {
     mutator_t *mutator;
     drmf_status_t res;
@@ -505,7 +507,8 @@ drfuzz_mutator_has_next_value(drfuzz_mutator_t *mutator_in)
 }
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_get_current_value(IN drfuzz_mutator_t *mutator_in, OUT void *buffer)
+drfuzz_mutator_get_current_value(DR_PARAM_IN drfuzz_mutator_t *mutator_in,
+                                 DR_PARAM_OUT void *buffer)
 {
     mutator_t *mutator = (mutator_t *) mutator_in;
     memcpy(buffer, mutator->current_value, mutator->size);
@@ -683,7 +686,7 @@ get_next_random_value(mutator_t *mutator, void *buffer)
 }
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_get_next_value(drfuzz_mutator_t *mutator_in, IN void *buffer)
+drfuzz_mutator_get_next_value(drfuzz_mutator_t *mutator_in, DR_PARAM_IN void *buffer)
 {
     mutator_t *mutator = (mutator_t *) mutator_in;
     drmf_status_t res;
diff --git a/drfuzz/drfuzz_mutator.h b/drfuzz/drfuzz_mutator.h
index 947a7838a..14ff47217 100644
--- a/drfuzz/drfuzz_mutator.h
+++ b/drfuzz/drfuzz_mutator.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -103,8 +103,10 @@ LIB_EXPORT
  * @param[in]   argv        An array of \p argc arguments to customize the mutator.
  */
 drmf_status_t
-LIBFUNC(drfuzz_mutator_start)(OUT drfuzz_mutator_t **mutator, IN void *input_seed,
-                              IN size_t size, IN int argc, IN const char *argv[]);
+LIBFUNC(drfuzz_mutator_start)(DR_PARAM_OUT drfuzz_mutator_t **mutator,
+                              DR_PARAM_IN void *input_seed,
+                              DR_PARAM_IN size_t size, DR_PARAM_IN int argc,
+                              DR_PARAM_IN const char *argv[]);
 
 LIB_EXPORT
 /**
@@ -119,14 +121,16 @@ LIB_EXPORT
  * Provides a copy of the current mutator value. Returns DRMF_SUCCESS on success.
  */
 drmf_status_t
-LIBFUNC(drfuzz_mutator_get_current_value)(IN drfuzz_mutator_t *mutator, OUT void *buffer);
+LIBFUNC(drfuzz_mutator_get_current_value)(DR_PARAM_IN drfuzz_mutator_t *mutator,
+                                          DR_PARAM_OUT void *buffer);
 
 LIB_EXPORT
 /**
  * Writes the next fuzz value to the provided buffer. Returns DRMF_SUCCESS on success.
  */
 drmf_status_t
-LIBFUNC(drfuzz_mutator_get_next_value)(drfuzz_mutator_t *mutator, OUT void *buffer);
+LIBFUNC(drfuzz_mutator_get_next_value)(drfuzz_mutator_t *mutator,
+                                       DR_PARAM_OUT void *buffer);
 
 LIB_EXPORT
 /**
diff --git a/drltrace/CMakeLists.txt b/drltrace/CMakeLists.txt
index 41df54942..594b56d90 100644
--- a/drltrace/CMakeLists.txt
+++ b/drltrace/CMakeLists.txt
@@ -194,11 +194,20 @@ else ()
   set(libcall_both_variants "    arg 0: done \\(type=char\\*, size=0x([0-9a-f]+)\\)\n")
   set(libcall_args1_01 ${libcall_both_variants})
 
+if (AARCH64)
+  set(libcall_args2_0 "    arg 0: /dev/null \\(type=char\\*, size=0x([0-9a-f]+)\\)\n")
+  set(libcall_args2_1 "    arg 1: 0x([0-9a-f]+) \\(type=int\\*, size=0x([0-9a-f]+)\\)\n")
+else ()
   set(libcall_args2_0 "    arg 0: /dev/null \\(type=char \\*\\*, size=0x([0-9a-f]+)\\)\n")
   set(libcall_args2_1 "    arg 1: 0x([0-9a-f]+) \\(type=<unknown>\\*, size=0x([0-9a-f]+)\\)\n")
+endif (AARCH64)
 
   set(libcall_name1 "~~([0-9a-f]+)~~ libc.so.6!puts\n")
+if (AARCH64)
+  set(libcall_name2 "~~([0-9a-f]+)~~ libc.so.6!open64\n")
+else ()
   set(libcall_name2 "~~([0-9a-f]+)~~ libc.so.6!open\n")
+endif(AARCH64)
 endif(WIN32)
   set_tests_properties(drltrace_libcalls PROPERTIES PASS_REGULAR_EXPRESSION
                        ${libcall_name1}${libcall_args1_01}${libcall_args1_02}${libcall_ret})
diff --git a/drltrace/drltrace.cpp b/drltrace/drltrace.cpp
index 3c920d9f9..3c0e436a6 100644
--- a/drltrace/drltrace.cpp
+++ b/drltrace/drltrace.cpp
@@ -1,5 +1,5 @@
 /* ***************************************************************************
- * Copyright (c) 2013-2019 Google, Inc.  All rights reserved.
+ * Copyright (c) 2013-2024 Google, Inc.  All rights reserved.
  * ***************************************************************************/
 
 /*
@@ -59,6 +59,9 @@
  *   the library entries.
  */
 
+using ::dynamorio::droption::droption_parser_t;
+using ::dynamorio::droption::DROPTION_SCOPE_CLIENT;
+
 /* Where to write the trace */
 static file_t outf;
 
@@ -232,7 +235,7 @@ print_symbolic_args(const char *name, void *wrapcxt, app_pc func)
  */
 
 static void
-lib_entry(void *wrapcxt, INOUT void **user_data)
+lib_entry(void *wrapcxt, DR_PARAM_INOUT void **user_data)
 {
     const char *name = (const char *) *user_data;
     const char *modname = NULL;
diff --git a/drltrace/drltrace_frontend.cpp b/drltrace/drltrace_frontend.cpp
index 9b098a411..0b246b563 100644
--- a/drltrace/drltrace_frontend.cpp
+++ b/drltrace/drltrace_frontend.cpp
@@ -46,6 +46,10 @@
 #include "utils.h"
 #include <string.h>
 
+using ::dynamorio::droption::droption_parser_t;
+using ::dynamorio::droption::DROPTION_SCOPE_ALL;
+using ::dynamorio::droption::DROPTION_SCOPE_FRONTEND;
+
 #define MAX_DR_CMDLINE (MAXIMUM_PATH*6)
 
 #define DRLTRACE_ERROR(msg, ...) do { \
diff --git a/drltrace/drltrace_linux.config b/drltrace/drltrace_linux.config
index eba109bc0..d8ed95e15 100644
--- a/drltrace/drltrace_linux.config
+++ b/drltrace/drltrace_linux.config
@@ -47,4 +47,5 @@ int|strcmp|char *|char *
 int|wcscmp|wchar *|wchar *
 int|printf|char *
 int|puts|char *
+int|open64|char **|int *
 
diff --git a/drltrace/drltrace_options.cpp b/drltrace/drltrace_options.cpp
index bd7d42b65..be0602d1d 100644
--- a/drltrace/drltrace_options.cpp
+++ b/drltrace/drltrace_options.cpp
@@ -33,6 +33,14 @@
 #include "droption.h"
 #include "drltrace_options.h"
 
+using ::dynamorio::droption::droption_t;
+using ::dynamorio::droption::DROPTION_SCOPE_ALL;
+using ::dynamorio::droption::DROPTION_SCOPE_CLIENT;
+using ::dynamorio::droption::DROPTION_SCOPE_FRONTEND;
+using ::dynamorio::droption::DROPTION_FLAG_SWEEP;
+using ::dynamorio::droption::DROPTION_FLAG_ACCUMULATE;
+using ::dynamorio::droption::DROPTION_FLAG_INTERNAL;
+
 /* Frontend scope is defined here because if logdir is a forbidden path we have to change
  * it and provide for our client manually.
  */
diff --git a/drltrace/drltrace_options.h b/drltrace/drltrace_options.h
index 1857f1530..0b4366721 100644
--- a/drltrace/drltrace_options.h
+++ b/drltrace/drltrace_options.h
@@ -32,20 +32,20 @@
 
 #include "droption.h"
 
-extern droption_t<std::string> op_logdir;
-extern droption_t<bool> op_only_from_app;
-extern droption_t<bool> op_follow_children;
-extern droption_t<bool> op_print_ret_addr;
-extern droption_t<unsigned int> op_unknown_args;
-extern droption_t<int> op_max_args;
-extern droption_t<bool> op_config_file_default;
-extern droption_t<std::string> op_config_file;
-extern droption_t<std::string> op_sysnum_file;
-extern droption_t<std::string> op_symcache_dir;
-extern droption_t<bool> op_ignore_underscore;
-extern droption_t<std::string> op_only_to_lib;
-extern droption_t<bool> op_help;
-extern droption_t<bool> op_version;
-extern droption_t<unsigned int> op_verbose;
-extern droption_t<bool> op_use_config;
-extern droption_t<std::string> op_ltracelib_ops;
+extern dynamorio::droption::droption_t<std::string> op_logdir;
+extern dynamorio::droption::droption_t<bool> op_only_from_app;
+extern dynamorio::droption::droption_t<bool> op_follow_children;
+extern dynamorio::droption::droption_t<bool> op_print_ret_addr;
+extern dynamorio::droption::droption_t<unsigned int> op_unknown_args;
+extern dynamorio::droption::droption_t<int> op_max_args;
+extern dynamorio::droption::droption_t<bool> op_config_file_default;
+extern dynamorio::droption::droption_t<std::string> op_config_file;
+extern dynamorio::droption::droption_t<std::string> op_sysnum_file;
+extern dynamorio::droption::droption_t<std::string> op_symcache_dir;
+extern dynamorio::droption::droption_t<bool> op_ignore_underscore;
+extern dynamorio::droption::droption_t<std::string> op_only_to_lib;
+extern dynamorio::droption::droption_t<bool> op_help;
+extern dynamorio::droption::droption_t<bool> op_version;
+extern dynamorio::droption::droption_t<unsigned int> op_verbose;
+extern dynamorio::droption::droption_t<bool> op_use_config;
+extern dynamorio::droption::droption_t<std::string> op_ltracelib_ops;
diff --git a/drmemory/alloc_drmem.c b/drmemory/alloc_drmem.c
index 618ec7dcd..d184ff8c9 100644
--- a/drmemory/alloc_drmem.c
+++ b/drmemory/alloc_drmem.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -327,7 +327,7 @@ mmap_tree_remove(byte *base, size_t size)
 }
 
 bool
-mmap_anon_lookup(byte *addr, byte **start OUT, size_t *size OUT)
+mmap_anon_lookup(byte *addr, byte **start DR_PARAM_OUT, size_t *size DR_PARAM_OUT)
 {
     dr_mutex_lock(mmap_tree_lock);
     bool res = false;
@@ -718,7 +718,7 @@ print_free_tree(rb_node_t *node, void *data)
  * pointer.  Caller must hold lock.
  */
 static app_pc
-next_to_free(delay_free_info_t *info, int idx _IF_WINDOWS(ptr_int_t *auxarg OUT),
+next_to_free(delay_free_info_t *info, int idx _IF_WINDOWS(ptr_int_t *auxarg DR_PARAM_OUT),
              const char *reason)
 {
     app_pc pass_to_free = NULL;
@@ -765,12 +765,12 @@ next_to_free(delay_free_info_t *info, int idx _IF_WINDOWS(ptr_int_t *auxarg OUT)
 }
 
 /* Returns the value to pass to free().  Return "tofree" for no change.
- * The auxarg param is INOUT so it can be changed as well.
+ * The auxarg param is DR_PARAM_INOUT so it can be changed as well.
  */
 app_pc
 client_handle_free(malloc_info_t *mal, byte *tofree, dr_mcontext_t *mc,
                    app_pc free_routine, void *routine_set_data, bool for_reuse
-                   _IF_WINDOWS(ptr_int_t *auxarg INOUT))
+                   _IF_WINDOWS(ptr_int_t *auxarg DR_PARAM_INOUT))
 {
     report_malloc(mal->base, mal->base + mal->request_size, "free", mc);
 
@@ -1016,9 +1016,9 @@ client_handle_heap_destroy(void *drcontext, HANDLE heap, void *client_data)
 
 bool
 overlaps_delayed_free(byte *start, byte *end,
-                      byte **free_start OUT, /* app base */
-                      byte **free_end OUT,   /* app request size */
-                      packed_callstack_t **pcs OUT,
+                      byte **free_start DR_PARAM_OUT, /* app base */
+                      byte **free_end DR_PARAM_OUT,   /* app request size */
+                      packed_callstack_t **pcs DR_PARAM_OUT,
                       bool delayed_only)
 {
     bool res = false;
@@ -1663,7 +1663,7 @@ event_kernel_xfer(void *drcontext, const dr_kernel_xfer_info_t *info)
 #ifdef X86 /* replacement should avoid needing to port this to ARM */
 static bool
 is_rawmemchr_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
-                     app_pc addr, uint sz, instr_t *inst, bool *now_addressable OUT)
+                     app_pc addr, uint sz, instr_t *inst, bool *now_addressable DR_PARAM_OUT)
 {
     /* PR 406535: glibc's rawmemchr does some bit tricks that can end
      * up using unaddressable or undefined values.  The erroneous load
@@ -1763,7 +1763,7 @@ is_rawmemchr_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
 
 bool
 is_alloca_pattern(void *drcontext, app_pc pc, app_pc next_pc, instr_t *inst,
-                  bool *now_addressable OUT)
+                  bool *now_addressable DR_PARAM_OUT)
 {
     /* Check for alloca probes to trigger guard pages.
      * So far we've seen just a handful of different sequences:
@@ -1965,7 +1965,7 @@ is_alloca_pattern(void *drcontext, app_pc pc, app_pc next_pc, instr_t *inst,
     instr_free(drcontext, &next);
 
     return match;
-#elif defined(ARM)
+#elif defined(ARM) || defined(AARCH64)
     /* FIXME i#1726: add ARM patterns */
     return false;
 #endif
@@ -1974,7 +1974,7 @@ is_alloca_pattern(void *drcontext, app_pc pc, app_pc next_pc, instr_t *inst,
 #ifdef X86 /* replacement should avoid needing to port this to ARM */
 static bool
 is_strlen_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
-                  app_pc addr, uint sz, instr_t *inst, bool *now_addressable OUT)
+                  app_pc addr, uint sz, instr_t *inst, bool *now_addressable DR_PARAM_OUT)
 {
     /* Check for intel\strlen.asm case where it reads 4 bytes for efficiency:
      * it only does so if aligned, so no danger of touching next page, and
@@ -2074,7 +2074,7 @@ is_strlen_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
 
 static bool
 is_strcpy_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
-                  app_pc addr, uint sz, instr_t *inst, bool *now_addressable OUT)
+                  app_pc addr, uint sz, instr_t *inst, bool *now_addressable DR_PARAM_OUT)
 {
     instr_t next;
     app_pc dpc = next_pc;
@@ -2148,7 +2148,7 @@ is_strcpy_pattern(void *drcontext, bool write, app_pc pc, app_pc next_pc,
 
 static bool
 is_prefetch(void *drcontext, bool write, app_pc pc, app_pc next_pc,
-            app_pc addr, uint sz, instr_t *inst, bool *now_addressable OUT,
+            app_pc addr, uint sz, instr_t *inst, bool *now_addressable DR_PARAM_OUT,
             app_loc_t *loc, dr_mcontext_t *mc)
 {
     /* i#585: prefetch should not raise an unaddr error, only a warning */
@@ -2171,7 +2171,7 @@ is_prefetch(void *drcontext, bool write, app_pc pc, app_pc next_pc,
 #ifdef WINDOWS
 static bool
 is_heap_seh(void *drcontext, bool write, app_pc pc, app_pc next_pc,
-            app_pc addr, uint sz, instr_t *inst, bool *now_addressable OUT,
+            app_pc addr, uint sz, instr_t *inst, bool *now_addressable DR_PARAM_OUT,
             app_loc_t *loc, dr_mcontext_t *mc)
 {
     /* i#689: Rtl*Heap SEH finalizer reads Heap to unlock the Heap's critsec.
@@ -2645,11 +2645,11 @@ region_overlap_with_malloc_block(malloc_iter_data_t *iter_data)
  */
 bool
 region_in_redzone(byte *addr, size_t size,
-                  packed_callstack_t **alloc_pcs OUT,
-                  app_pc *app_start OUT,
-                  app_pc *app_end OUT,
-                  app_pc *redzone_start OUT,
-                  app_pc *redzone_end OUT)
+                  packed_callstack_t **alloc_pcs DR_PARAM_OUT,
+                  app_pc *app_start DR_PARAM_OUT,
+                  app_pc *app_end DR_PARAM_OUT,
+                  app_pc *redzone_start DR_PARAM_OUT,
+                  app_pc *redzone_end DR_PARAM_OUT)
 {
     malloc_iter_data_t iter_data = {addr, size, NULL, NULL, NULL, false, false};
     if (options.replace_malloc) {
diff --git a/drmemory/alloc_drmem.h b/drmemory/alloc_drmem.h
index 316e65425..e80b8202e 100644
--- a/drmemory/alloc_drmem.h
+++ b/drmemory/alloc_drmem.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2013-2020 Google, Inc.  All rights reserved.
+ * Copyright (c) 2013-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2009 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -47,7 +47,7 @@ dr_signal_action_t
 event_signal_alloc(void *drcontext, dr_siginfo_t *info);
 
 bool
-mmap_anon_lookup(byte *addr, byte **start OUT, size_t *size OUT);
+mmap_anon_lookup(byte *addr, byte **start DR_PARAM_OUT, size_t *size DR_PARAM_OUT);
 #endif
 
 void
@@ -67,14 +67,14 @@ check_reachability(bool at_exit);
  */
 bool
 overlaps_delayed_free(byte *start, byte *end,
-                      byte **free_start OUT, /* app base */
-                      byte **free_end OUT,   /* app request size */
-                      packed_callstack_t **pcs OUT,
+                      byte **free_start DR_PARAM_OUT, /* app base */
+                      byte **free_end DR_PARAM_OUT,   /* app request size */
+                      packed_callstack_t **pcs DR_PARAM_OUT,
                       bool delayed_only);
 
 bool
 is_alloca_pattern(void *drcontext, app_pc pc, app_pc next_pc, instr_t *inst,
-                  bool *now_addressable OUT);
+                  bool *now_addressable DR_PARAM_OUT);
 
 /* check if region [addr, addr + size) overlaps with any malloc redzone,
  * - if overlaps, return true and fill all the passed in parameters,
@@ -82,11 +82,11 @@ is_alloca_pattern(void *drcontext, app_pc pc, app_pc next_pc, instr_t *inst,
  */
 bool
 region_in_redzone(byte *addr, size_t size,
-                  packed_callstack_t **alloc_pcs OUT,
-                  app_pc *app_start OUT,
-                  app_pc *app_end OUT,
-                  app_pc *redzone_start OUT,
-                  app_pc *redzone_end OUT);
+                  packed_callstack_t **alloc_pcs DR_PARAM_OUT,
+                  app_pc *app_start DR_PARAM_OUT,
+                  app_pc *app_end DR_PARAM_OUT,
+                  app_pc *redzone_start DR_PARAM_OUT,
+                  app_pc *redzone_end DR_PARAM_OUT);
 
 /* Synchronizes access to malloc callstacks (malloc_get_client_data()) */
 void
diff --git a/drmemory/annotations.c b/drmemory/annotations.c
index 57e3e588c..71d19c048 100644
--- a/drmemory/annotations.c
+++ b/drmemory/annotations.c
@@ -45,7 +45,7 @@
 extern void check_reachability(bool at_exit);
 #endif
 
-#ifndef ARM /* FIXME DRi#1672: add ARM annotation support to DR */
+#if !defined(ARM) && !defined(AARCH64) /* FIXME DRi#1672: add ARM annotation support to DR */
 static ptr_uint_t
 handle_make_mem_defined_if_addressable(dr_vg_client_request_t *request)
 {
@@ -105,7 +105,7 @@ annotate_init(void)
 {
     /* Valgrind annotations are not available for 64-bit Windows */
 #if !(defined(WINDOWS) && defined(X64))
-# ifndef ARM /* FIXME DRi#1672: add ARM annotation support to DR */
+# if !defined(ARM) && !defined(AARCH64) /* FIXME DRi#1672: add ARM annotation support to DR */
     dr_annotation_register_valgrind(DR_VG_ID__MAKE_MEM_DEFINED_IF_ADDRESSABLE,
                                     handle_make_mem_defined_if_addressable);
     dr_annotation_register_valgrind(DR_VG_ID__DO_LEAK_CHECK,
@@ -113,7 +113,7 @@ annotate_init(void)
 # endif
 #endif
 
-#ifndef ARM /* FIXME DRi#1672: add ARM annotation support to DR */
+#if !defined(ARM) && !defined(AARCH64) /* FIXME DRi#1672: add ARM annotation support to DR */
     const char *dumpmem_name = "drmemory_dump_memory_layout";
     if (!dr_annotation_register_call(dumpmem_name,
                                      handle_dump_memory_layout, false, 0,
diff --git a/drmemory/drmemory.c b/drmemory/drmemory.c
index aa8f792bf..4b278390f 100644
--- a/drmemory/drmemory.c
+++ b/drmemory/drmemory.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -150,7 +150,7 @@ up_one_dir(const char *string)
  *   dr_get_client_path()/../fname
  */
 bool
-obtain_configfile_path(char *buf OUT, size_t bufsz, const char *fname)
+obtain_configfile_path(char *buf DR_PARAM_OUT, size_t bufsz, const char *fname)
 {
     const char *mypath = dr_get_client_path(client_id);
     /* Windows kernel doesn't like paths with .. (0xc0000033 =
@@ -354,7 +354,7 @@ typedef struct _persist_data_t {
 
 static size_t
 event_persist_ro_size(void *drcontext, void *perscxt, size_t file_offs,
-                      void **user_data OUT)
+                      void **user_data DR_PARAM_OUT)
 {
     return sizeof(persist_data_t) +
         instrument_persist_ro_size(drcontext, perscxt);
@@ -376,7 +376,7 @@ event_persist_ro(void *drcontext, void *perscxt, file_t fd, void *user_data)
 }
 
 static bool
-event_resurrect_ro(void *drcontext, void *perscxt, byte **map INOUT)
+event_resurrect_ro(void *drcontext, void *perscxt, byte **map DR_PARAM_INOUT)
 {
     persist_data_t *pd = (persist_data_t *) *map;
     *map += sizeof(*pd);
diff --git a/drmemory/drmemory.h b/drmemory/drmemory.h
index 8586deb81..869e401ca 100644
--- a/drmemory/drmemory.h
+++ b/drmemory/drmemory.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -99,7 +99,7 @@ extern uint num_nudges;
 #endif /* STATISTICS */
 
 bool
-obtain_configfile_path(char *buf OUT, size_t bufsz, const char *fname);
+obtain_configfile_path(char *buf DR_PARAM_OUT, size_t bufsz, const char *fname);
 
 #ifdef UNIX
 
diff --git a/drmemory/fastpath.c b/drmemory/fastpath.c
index 1f3b7b822..24ce8d4e1 100644
--- a/drmemory/fastpath.c
+++ b/drmemory/fastpath.c
@@ -150,6 +150,7 @@ get_isa_mode_from_fault_mc(dr_mcontext_t *mc)
 
 #ifdef TOOL_DR_MEMORY
 
+#ifndef AARCH64
 /* PR 448701: handle fault on write to a special shadow block */
 static byte *
 compute_app_address_on_shadow_fault(void *drcontext, byte *target,
@@ -260,7 +261,9 @@ handle_special_shadow_fault(void *drcontext, byte *target,
 
     instr_free(drcontext, &fault_inst);
 }
+#endif
 
+#ifndef AARCH64
 /* i#1015: report write-to-read-only as an unaddressable warning */
 static bool
 handle_possible_write_to_read_only(void *drcontext,
@@ -312,6 +315,7 @@ handle_possible_write_to_read_only(void *drcontext,
     return res;
 }
 
+#endif
 #endif /* TOOL_DR_MEMORY */
 
 /* PR 448701: we fault if we write to a special block */
@@ -319,7 +323,7 @@ handle_possible_write_to_read_only(void *drcontext,
 dr_signal_action_t
 event_signal_instrument(void *drcontext, dr_siginfo_t *info)
 {
-# ifdef TOOL_DR_MEMORY
+# if defined(TOOL_DR_MEMORY) && !defined(AARCH64)
     /* Handle faults from writes to special shadow blocks */
     /* i#1488: we sometimes get SIGBUS on Mac */
     if (info->sig == SIGSEGV || info->sig == SIGBUS) {
diff --git a/drmemory/fastpath.h b/drmemory/fastpath.h
index 917c22f13..e7cff02a1 100644
--- a/drmemory/fastpath.h
+++ b/drmemory/fastpath.h
@@ -44,6 +44,8 @@ enum {
 # define NUM_LIVENESS_REGS IF_X64_ELSE(16, 8)
 #elif defined(ARM)
 # define NUM_LIVENESS_REGS IF_X64_ELSE(32, 16)
+#elif defined(AARCH64)
+# define NUM_LIVENESS_REGS 32
 #endif
 #define  REG_START         IF_X64_ELSE(REG_START_64, REG_START_32)
 
@@ -165,9 +167,12 @@ struct _bb_info_t {
     /* whole-bb spilling (PR 489221) */
     int aflags;
     int aflags_where;
+#ifndef AARCH64
     bool eax_dead;
+#endif
     bool eflags_used;
     bool is_repstr_to_loop;
+    reg_id_t shared_reg;
     scratch_reg_info_t reg1;
     scratch_reg_info_t reg2;
     /* the instr after which we should spill global regs */
@@ -309,11 +314,13 @@ add_shadow_table_lookup(void *drcontext, instrlist_t *bb, instr_t *inst,
  * Utility routines
  */
 
+#ifndef AARCH64
 bool
 instr_is_spill(instr_t *inst);
 
 bool
 instr_is_restore(instr_t *inst);
+#endif
 
 bool
 instr_at_pc_is_restore(void *drcontext, byte *pc);
diff --git a/drmemory/fastpath_arm.c b/drmemory/fastpath_arm.c
index 9611daadc..ade9cfcd7 100644
--- a/drmemory/fastpath_arm.c
+++ b/drmemory/fastpath_arm.c
@@ -46,7 +46,6 @@
 bool
 instr_ok_for_instrument_fastpath(instr_t *inst, fastpath_info_t *mi, bb_info_t *bi)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     /* Probably a lot of code can be shared with fastpath_x86.c: it
      * needs further refactoring.
      */
@@ -86,4 +85,21 @@ handle_slowpath_fault(void *drcontext, dr_mcontext_t *raw_mc, dr_mcontext_t *mc,
     return false;
 }
 
+void
+add_jcc_slowpath(void *drcontext, instrlist_t *bb, instr_t *inst, uint jcc_opcode,
+                 fastpath_info_t *mi)
+{
+    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+}
+
+void
+add_shadow_table_lookup(void *drcontext, instrlist_t *bb, instr_t *inst,
+                        fastpath_info_t *mi,
+                        bool get_value, bool value_in_reg2, bool need_offs,
+                        bool zero_rest_of_offs,
+                        reg_id_t reg1, reg_id_t reg2, reg_id_t reg3,
+                        bool check_alignment)
+{
+    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+}
 #endif /* TOOL_DR_MEMORY */
diff --git a/drmemory/frontend.c b/drmemory/frontend.c
index f63627234..f19663ba5 100644
--- a/drmemory/frontend.c
+++ b/drmemory/frontend.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -155,7 +155,7 @@ on_supported_version(void)
     if (uname(&uinfo) != 0)
         return false;
 #   define MIN_DARWIN_VERSION_SUPPORTED 11  /* OSX 10.7.x */
-#   define MAX_DARWIN_VERSION_SUPPORTED 19  /* OSX 10.15.x */
+#   define MAX_DARWIN_VERSION_SUPPORTED 20  /* OSX 10.11 */
     return (dr_sscanf(uinfo.release, "%d", &kernel_major) == 1 &&
             kernel_major <= MAX_DARWIN_VERSION_SUPPORTED &&
             kernel_major >= MIN_DARWIN_VERSION_SUPPORTED);
diff --git a/drmemory/fuzzer.c b/drmemory/fuzzer.c
index 498b48fbb..f91b66f38 100644
--- a/drmemory/fuzzer.c
+++ b/drmemory/fuzzer.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2015-2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -425,6 +425,10 @@ fuzzer_fuzz_target_init()
 #ifdef ARM
         else if (strcmp(options.fuzz_call_convention, "arm32") == 0)
             fuzz_target.callconv = DRWRAP_CALLCONV_ARM;
+#endif
+#ifdef AARCH64
+        else if (strcmp(options.fuzz_call_convention, "aarch64") == 0)
+            fuzz_target.callconv = DRWRAP_CALLCONV_AARCH64;
 #endif
         else
             FUZZ_WARN("Unknown calling convention, using default value instead.\n");
@@ -819,7 +823,8 @@ log_target_buffer(void *dcontext, uint loglevel, fuzz_state_t *thread)
 }
 
 size_t
-fuzzer_error_report(IN void *dcontext, OUT char *notify, IN size_t notify_size, int eid)
+fuzzer_error_report(DR_PARAM_IN void *dcontext, DR_PARAM_OUT char *notify,
+                    DR_PARAM_IN size_t notify_size, int eid)
 {
     ssize_t len = 0;
     size_t sofar = 0;
@@ -902,9 +907,19 @@ struct _callconv_args_t { /* forward declared at top */
     uint stack_offset; /* retaddr (1) and/or reserved slots */
 };
 
-#ifdef ARM /* 32-bit */
+#ifdef AARCHXX/* 32-bit */
 # ifdef X64
-#  error NYI ARM X64
+static const reg_t arg_regs_aarch64[] = {
+    DR_REG_R0,
+    DR_REG_R1,
+    DR_REG_R2,
+    DR_REG_R3,
+    DR_REG_R4,
+    DR_REG_R5,
+    DR_REG_R6,
+    DR_REG_R7,
+};
+static const callconv_args_t callconv_args_aarch64 = { arg_regs_aarch64, 8, 0 };
 # else /* 32-bit */
 static const reg_t arg_regs_arm[] = {
     DR_REG_R0,
@@ -952,6 +967,9 @@ map_callconv_args(drwrap_callconv_t callconv)
 #ifdef ARM
     case DRWRAP_CALLCONV_ARM:
         return &callconv_args_arm;
+#elif defined(AARCH64)
+    case DRWRAP_CALLCONV_AARCH64:
+        return &callconv_args_aarch64;
 #else /* Intel x86 */
 # ifdef X64
     case DRWRAP_CALLCONV_AMD64:
@@ -1079,7 +1097,7 @@ create_shadow_state(void *dcontext)
 }
 
 static bool
-init_thread_shadow_state(OUT shadow_state_t **shadow_out)
+init_thread_shadow_state(DR_PARAM_OUT shadow_state_t **shadow_out)
 {
     drmf_status_t res;
     shadow_state_t *shadow;
@@ -1807,8 +1825,8 @@ tokenizer_exit_with_usage_error()
 }
 
 static bool
-tokenizer_copy_to(IN tokenizer_t *t, IN const char *to, OUT size_t *len,
-                  OUT char **token)
+tokenizer_copy_to(DR_PARAM_IN tokenizer_t *t, DR_PARAM_IN const char *to,
+                  DR_PARAM_OUT size_t *len, DR_PARAM_OUT char **token)
 {
     *len = (to + 1/*null-term*/ - t->src);
     *token = global_alloc(*len, t->type);
@@ -1823,7 +1841,7 @@ tokenizer_copy_to(IN tokenizer_t *t, IN const char *to, OUT size_t *len,
 }
 
 static bool
-tokenizer_has_next(IN tokenizer_t *t, IN char delimiter)
+tokenizer_has_next(DR_PARAM_IN tokenizer_t *t, DR_PARAM_IN char delimiter)
 {
     const char *next_ptr = NULL;
 
@@ -1834,8 +1852,9 @@ tokenizer_has_next(IN tokenizer_t *t, IN char delimiter)
 }
 
 static bool
-tokenizer_find_next(IN tokenizer_t *t, OUT const char **src_ptr_out, IN char delim,
-                    IN char raw_delim, IN const char *field_name)
+tokenizer_find_next(DR_PARAM_IN tokenizer_t *t, DR_PARAM_OUT const char **src_ptr_out,
+                    DR_PARAM_IN char delim, DR_PARAM_IN char raw_delim,
+                    DR_PARAM_IN const char *field_name)
 {
     const char *src_ptr = NULL;
 
@@ -1858,8 +1877,9 @@ tokenizer_find_next(IN tokenizer_t *t, OUT const char **src_ptr_out, IN char del
 }
 
 static bool
-tokenizer_copy_next(IN tokenizer_t *t, OUT size_t *len, OUT char **token,
-                    IN char delimiter, IN const char *field_name)
+tokenizer_copy_next(DR_PARAM_IN tokenizer_t *t, DR_PARAM_OUT size_t *len,
+                    DR_PARAM_OUT char **token, DR_PARAM_IN char delimiter,
+                    DR_PARAM_IN const char *field_name)
 {
     const char *src_ptr = NULL;
 
@@ -1870,8 +1890,9 @@ tokenizer_copy_next(IN tokenizer_t *t, OUT size_t *len, OUT char **token,
 }
 
 static bool
-tokenizer_next_int(IN tokenizer_t *t, OUT byte *dst, IN char delimiter,
-                   IN bool hex, IN bool is_64, IN const char *field_name)
+tokenizer_next_int(DR_PARAM_IN tokenizer_t *t, DR_PARAM_OUT byte *dst,
+                   DR_PARAM_IN char delimiter, DR_PARAM_IN bool hex,
+                   DR_PARAM_IN bool is_64, DR_PARAM_IN const char *field_name)
 {
     size_t len;
     char *src;
@@ -1892,7 +1913,8 @@ tokenizer_next_int(IN tokenizer_t *t, OUT byte *dst, IN char delimiter,
  * `chrs`. If found, return true and point `res` to that character within `t->src`.
  */
 static bool
-tokenizer_strchrs(IN tokenizer_t *t, OUT const char **res, IN const char *chrs)
+tokenizer_strchrs(DR_PARAM_IN tokenizer_t *t, DR_PARAM_OUT const char **res,
+                  DR_PARAM_IN const char *chrs)
 {
     const char *c, *c_ptr, *first_match = NULL;
     uint first_match_len = 0xffffffff;
diff --git a/drmemory/fuzzer.h b/drmemory/fuzzer.h
index 7a451c84b..c7d20ca31 100644
--- a/drmemory/fuzzer.h
+++ b/drmemory/fuzzer.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -88,7 +88,7 @@ fuzzer_set_singleton_input(const char *input_value);
  * true if any thread was fuzzing; i.e., if anything was written to user_message.
  */
 size_t
-fuzzer_error_report(IN void *dcontext, OUT char *user_message, IN size_t size,
-                    int error_id);
+fuzzer_error_report(DR_PARAM_IN void *dcontext, DR_PARAM_OUT char *user_message,
+                    DR_PARAM_IN size_t size, int error_id);
 
 #endif /* _FUZZER_H_ */
diff --git a/drmemory/instru.c b/drmemory/instru.c
index 24a158261..4423f33fe 100644
--- a/drmemory/instru.c
+++ b/drmemory/instru.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -91,7 +91,7 @@ bool first_bb = true;
 #ifdef TOOL_DR_MEMORY
 static dr_emit_flags_t
 instru_event_bb_app2app(void *drcontext, void *tag, instrlist_t *bb,
-                        bool for_trace, bool translating, OUT void **user_data);
+                        bool for_trace, bool translating, DR_PARAM_OUT void **user_data);
 
 static dr_emit_flags_t
 instru_event_bb_analysis(void *drcontext, void *tag, instrlist_t *bb,
@@ -481,7 +481,7 @@ populate_us2app_table(void)
 #endif
 
 bool
-instrument_resurrect_ro(void *drcontext, void *perscxt, byte **map INOUT)
+instrument_resurrect_ro(void *drcontext, void *perscxt, byte **map DR_PARAM_INOUT)
 {
     bool ok = true;
     if (!INSTRUMENT_MEMREFS())
@@ -931,7 +931,7 @@ convert_repstr_to_loop(void *drcontext, instrlist_t *bb, bb_info_t *bi,
 /* Conversions to app code itself that should happen before instrumentation */
 static dr_emit_flags_t
 instru_event_bb_app2app(void *drcontext, void *tag, instrlist_t *bb,
-                        bool for_trace, bool translating, OUT void **user_data)
+                        bool for_trace, bool translating, DR_PARAM_OUT void **user_data)
 {
     bb_info_t *bi;
 
@@ -1118,6 +1118,15 @@ instru_event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *ins
 
     memset(&mi, 0, sizeof(mi));
 
+#ifdef AARCH64
+    if (options.pattern == 0){
+        // There is probably optimisation to do here
+        IF_DEBUG(drreg_status_t res =)
+            drreg_reserve_aflags(drcontext, bb, inst);
+        ASSERT(res == DRREG_SUCCESS, "reserve of aflags should work");
+    }
+#endif
+
     /* We can't change bi->check_ignore_unaddr in the middle b/c of recreation
      * so only set if entering/exiting on first
      */
@@ -1142,7 +1151,8 @@ instru_event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *ins
          */
         if (whole_bb_spills_enabled() &&
             !(options.pattern != 0 && options.pattern_opt_repstr)) {
-            if (options.pattern != 0) { /* pattern uses drreg */
+#ifndef AARCH64
+            if (options.pattern != 0 IF_AARCH64( && false)) { /* pattern uses drreg */
                 IF_DEBUG(drreg_status_t res =)
                     drreg_reserve_aflags(drcontext, bb, inst);
                 ASSERT(res == DRREG_SUCCESS, "reserve of aflags should work");
@@ -1157,6 +1167,7 @@ instru_event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *ins
                  * jecxz is an app instr now so we should naturally restore it
                  */
             }
+#endif
         }
     }
 
@@ -1215,7 +1226,11 @@ instru_event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *ins
                 /* written to => no longer known to be addressable,
                  * unless modified by const amt: we look for push/pop
                  */
+#ifdef AARCH64
+                if ((!(instr_is_push(inst) || (instr_is_push(inst) && i > 0)))) {
+#else
                 if (!(opc_is_push(opc) || (opc_is_pop(opc) && i > 0))) {
+#endif
                     bi->addressable[reg_to_pointer_sized(opnd_get_reg(opnd)) -
                                     DR_REG_START_GPR] = false;
                 }
@@ -1327,6 +1342,10 @@ instru_event_bb_insert(void *drcontext, void *tag, instrlist_t *bb, instr_t *ins
          */
         bi->shared_memop = opnd_create_null();
     }
+#ifdef AARCH64
+    drreg_unreserve_aflags(drcontext, bb, inst);
+#endif
+
     /* We store whether bi->check_ignore_unaddr in our own data struct to avoid
      * DR having to store translations, so we can recreate deterministically
      * => DR_EMIT_DEFAULT
diff --git a/drmemory/instru.h b/drmemory/instru.h
index 433fd5e79..353fa9372 100644
--- a/drmemory/instru.h
+++ b/drmemory/instru.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -52,7 +52,7 @@ bool
 instrument_persist_ro(void *drcontext, void *perscxt, file_t fd);
 
 bool
-instrument_resurrect_ro(void *drcontext, void *perscxt, byte **map INOUT);
+instrument_resurrect_ro(void *drcontext, void *perscxt, byte **map DR_PARAM_INOUT);
 
 void
 bb_save_add_entry(app_pc key, bb_saved_info_t *save);
diff --git a/drmemory/leak.c b/drmemory/leak.c
index 208f19639..8e01e8321 100644
--- a/drmemory/leak.c
+++ b/drmemory/leak.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -1309,7 +1309,7 @@ malloc_iterate_build_tree_cb(malloc_info_t *info, void *iter_data)
 }
 
 static void
-prepare_thread_for_scan(void *drcontext, bool *was_app_state OUT)
+prepare_thread_for_scan(void *drcontext, bool *was_app_state DR_PARAM_OUT)
 {
     ASSERT(was_app_state != NULL, "invalid param");
     *was_app_state = dr_using_app_state(drcontext);
@@ -1385,7 +1385,8 @@ leak_scan_for_leaks(bool at_exit)
 
     /* XXX: no MacOS private loader yet */
     /* ARM is always in app state */
-#if !defined(MACOS) && !defined(ARM)
+    //TDOD: is AARCH64 always in app state?
+#if !defined(MACOS) && !defined(ARM) && !defined(AARCH64)
     /* i#1016: ensure the thread performing the leak scan is in DR state,
      * which should be the case regardless of whether at exit or a nudge.
      */
diff --git a/drmemory/optionsx.h b/drmemory/optionsx.h
index c56f982c6..e16b564ad 100644
--- a/drmemory/optionsx.h
+++ b/drmemory/optionsx.h
@@ -473,7 +473,7 @@ OPTION_CLIENT_BOOL(drmemscope, handle_leaks_only, false,
                    "Puts "TOOLNAME" into a handle-leak-check-only mode that has lower overhead but does not detect other types of errors other than handle leaks in Windows.")
 #endif /* WINDOWS */
 /* XXX i#1726: only pattern is currently supported on ARM */
-OPTION_CLIENT_BOOL(drmemscope, check_uninitialized, IF_ARM_ELSE(false, true),
+OPTION_CLIENT_BOOL(drmemscope, check_uninitialized, IF_AARCH64_ELSE(true, IF_ARM_ELSE(false, true)),
                    "Check for uninitialized read errors",
                    "Check for uninitialized read errors.  When disabled, puts "TOOLNAME" into a mode that has lower overhead but does not detect definedness errors.  Furthermore, the lack of definedness information reduces accuracy of leak identification, resulting in potentially failing to identify some leaks.")
 OPTION_CLIENT_BOOL(drmemscope, check_stack_bounds, false,
@@ -568,7 +568,7 @@ OPTION_CLIENT_BOOL(drmemscope, unaddr_only, false,
                    "Enables a lightweight mode that detects only unaddressable errors",
                    "This option enables a lightweight mode that only detects critical errors of unaddressable accesses on heap data.  This option cannot be used with 'light' or 'check_uninitialized'.")
 /* XXX i#1726: only pattern is currently supported on ARM */
-OPTION_CLIENT_SCOPE(drmemscope, pattern, uint, IF_ARM_ELSE(DEFAULT_PATTERN, 0),
+OPTION_CLIENT_SCOPE(drmemscope, pattern, uint, IF_AARCH64_ELSE(0, IF_ARM_ELSE(DEFAULT_PATTERN, 0)),
                     0, USHRT_MAX,
                     "Enables pattern mode. A non-zero 2-byte value must be provided",
                     "Use sentinels to detect accesses on unaddressable regions around allocated heap objects.  When this option is enabled, checks for uninitialized read errors will be disabled.  The value passed as the pattern must be a non-zero 2-byte value.")
@@ -777,14 +777,14 @@ OPTION_CLIENT_BOOL(internal, track_heap, true,
 OPTION_CLIENT_BOOL(internal, size_in_redzone, true,
                    "Store alloc size in redzone",
                    "Store size in redzone.  This can only be enabled if redzone_size >= sizeof(size_t).")
-OPTION_CLIENT_BOOL(internal, fastpath, true,
+OPTION_CLIENT_BOOL(internal, fastpath, IF_AARCH64_ELSE(false, true),
                    "Enable fastpath",
                    "Enable fastpath")
 /* XXX i#2027: implement and enable for x64 */
-OPTION_CLIENT_BOOL(internal, esp_fastpath, IF_X64_ELSE(false, true),
+OPTION_CLIENT_BOOL(internal, esp_fastpath, IF_AARCH64_ELSE(false, IF_X64_ELSE(false, true)),
                    "Enable esp-adjust fastpath",
                    "Enable esp-adjust fastpath")
-OPTION_CLIENT_BOOL(internal, shared_slowpath, true,
+OPTION_CLIENT_BOOL(internal, shared_slowpath, IF_AARCH64_ELSE(false, true),
                    "Enable shared slowpath calling code",
                    "Enable shared slowpath calling code")
 OPTION_CLIENT_BOOL(internal, loads_use_table, true,
diff --git a/drmemory/pattern.c b/drmemory/pattern.c
index 3fe2467f4..c809b56f8 100644
--- a/drmemory/pattern.c
+++ b/drmemory/pattern.c
@@ -139,12 +139,16 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
     instr_t *label;
     app_pc pc = instr_get_app_pc(app);
     IF_DEBUG(drreg_status_t res;)
-#ifdef ARM
+#ifdef AARCHXX
     uint i;
     reg_id_t scratch, scratch2;
     dr_pred_type_t pred = instr_get_predicate(app);
     instr_t *in;
+#endif
+#ifdef ARM
     uint val = opnd_get_immed_int(pattern);
+#elif defined(AARCH64)
+    uint64 val = opnd_get_immed_int(pattern);
 #endif
 
     label = INSTR_CREATE_label(drcontext);
@@ -155,7 +159,7 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
     ASSERT(res == DRREG_SUCCESS, "should restore memref regs");
     PREXL8M(ilist, app,
             INSTR_XL8(INSTR_CREATE_cmp(drcontext, ref, pattern), pc));
-#elif defined(ARM)
+#elif defined(AARCHXX)
     /* We use an inefficient but simple 2-scratch-reg scheme for now.
      * XXX: if we limit the pattern value to a 1-byte value we can do a direct
      * cmp in thumb mode via a repeated-4-times immed and avoid scratch2.
@@ -170,6 +174,13 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
     IF_DEBUG(res =)
         drreg_reserve_register(drcontext, ilist, app, NULL, &scratch2);
     ASSERT(res == DRREG_SUCCESS, "should always find 2nd scratch reg");
+
+#ifdef AARCH64
+    if (opnd_get_size(ref) == OPSZ_4) {
+        scratch = reg_64_to_32(scratch);
+        scratch2 = reg_64_to_32(scratch2);
+    }
+#endif
     /* To handle a predicated memref, because we can't predicate a conditional
      * branch nor OP_udf, we need an explicit branch to skip the OP_udf if the
      * app pred doesn't match.  We just skip all the instru and don't predicate.
@@ -219,17 +230,28 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
                                    OPND_CREATE_MEM16(scratch, 0));
         }
     } else {
-        ASSERT(opnd_get_size(ref) == OPSZ_4, "unsupported ARM memref size");
+        ASSERT(opnd_get_size(ref) == OPSZ_4 IF_AARCH64(|| opnd_get_size(ref) == OPSZ_8),
+                "unsupported ARM memref size");
         in = INSTR_CREATE_ldr(drcontext, opnd_create_reg(scratch), ref);
     }
     PREXL8M(ilist, app, INSTR_XL8(in, pc));
     /* movw+movt pattern to scratch2 */
-    in = INSTR_CREATE_movw(drcontext, opnd_create_reg(scratch2),
-                           OPND_CREATE_INT(val & 0xffff));
+    in = IF_AARCH64_ELSE(INSTR_CREATE_movz(drcontext, opnd_create_reg(scratch2),
+                           OPND_CREATE_INT16(val & 0xffff), OPND_CREATE_INT(0)),
+                           NSTR_CREATE_movw(drcontext, opnd_create_reg(scratch2),
+                           OPND_CREATE_INT(val & 0xffff)));
     PREXL8M(ilist, app, INSTR_XL8(in, pc));
-    if (opnd_get_size(ref) == OPSZ_4) {
-        in = INSTR_CREATE_movt(drcontext, opnd_create_reg(scratch2),
-                               OPND_CREATE_INT(val >> 16));
+    if (opnd_get_size(ref) == OPSZ_4 IF_AARCH64(|| opnd_get_size(ref) == OPSZ_8)) {
+        in = IF_AARCH64_ELSE(INSTR_CREATE_movk(drcontext, opnd_create_reg(scratch2),
+                               OPND_CREATE_INT16((val >> 16) & 0xffff), OPND_CREATE_INT(0)),
+                               INSTR_CREATE_movt(drcontext, opnd_create_reg(scratch2),
+                               OPND_CREATE_INT(val >> 16)));
+
+        PREXL8M(ilist, app, INSTR_XL8(in, pc));
+    }
+    if (opnd_get_size(ref) == OPSZ_8) {
+        in = INSTR_CREATE_movk(drcontext, opnd_create_reg(scratch2),
+            OPND_CREATE_INT16((val >> 32) && 0xffff), OPND_CREATE_INT(0));
         PREXL8M(ilist, app, INSTR_XL8(in, pc));
     }
     /* cmp scratch to scratch2 */
@@ -240,6 +262,13 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
     in = INSTR_CREATE_cmp(drcontext, opnd_create_reg(scratch),
                           opnd_create_reg(scratch2));
     PREXL8M(ilist, app, INSTR_XL8(in, pc));
+
+#ifdef AARCH64
+    if (opnd_get_size(ref) == OPSZ_4) {
+        scratch = reg_32_to_64(scratch);
+        scratch2 = reg_32_to_64(scratch2);
+    }
+#endif
     IF_DEBUG(res =)
         drreg_unreserve_register(drcontext, ilist, app, scratch2);
     ASSERT(res == DRREG_SUCCESS, "should always succeed");
@@ -253,7 +282,7 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
 #ifdef X86
     PRE(ilist, app, INSTR_CREATE_jcc_short(drcontext, OP_jne_short,
                                            opnd_create_instr(label)));
-#elif defined(ARM)
+#elif defined(AARCHXX)
     PRE(ilist, app, INSTR_PRED
         (XINST_CREATE_jump_short(drcontext, opnd_create_instr(label)), DR_PRED_NE));
 #endif
@@ -264,6 +293,8 @@ pattern_insert_cmp_jne_ud2a(void *drcontext, instrlist_t *ilist, instr_t *app,
     PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_ud2a(drcontext), pc));
 #elif defined(ARM)
     PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_udf(drcontext, OPND_CREATE_INT32(0)), pc));
+#elif defined(AARCH64)
+    PREXL8M(ilist, app, INSTR_XL8(INSTR_CREATE_ret(drcontext, opnd_create_reg(DR_REG_XZR)), pc));
 #endif
     /* label */
     PRE(ilist, app, label);
@@ -983,8 +1014,8 @@ pattern_handle_ill_fault(void *drcontext,
     /* we are not skipping all cmps for this instr, which is ok because we
      * clobberred the pattern if a 2nd memref was unaddr.
      */
-    skip = IF_ARM_ELSE(fault_mode == DR_ISA_ARM_THUMB ?
-                       UDF_THUMB_LENGTH : UDF_ARM_LENGTH, UD2A_LENGTH);
+    skip = IF_AARCH64_ELSE(UDF_ARM_LENGTH, IF_ARM_ELSE(fault_mode == DR_ISA_ARM_THUMB ?
+                       UDF_THUMB_LENGTH : UDF_ARM_LENGTH, UD2A_LENGTH));
     LOG(2, "pattern check ud2a triggered@"PFX" => skip to "PFX"\n",
         raw_mc->pc, raw_mc->pc + skip);
     raw_mc->pc += skip;
diff --git a/drmemory/perturb.c b/drmemory/perturb.c
index 5b20e085f..2f7d1a8ed 100755
--- a/drmemory/perturb.c
+++ b/drmemory/perturb.c
@@ -372,7 +372,7 @@ instr_is_synch_op(instr_t *inst)
             (instr_get_opcode(inst) == OP_xchg &&
              !opnd_same(instr_get_src(inst, 0),
                         instr_get_src(inst, 1))));
-#elif defined(ARM)
+#elif defined(ARM) || defined(AARCH64)
     return instr_is_exclusive_store(inst);
 #endif
 }
diff --git a/drmemory/report.c b/drmemory/report.c
index 1138ce839..18760fd6e 100644
--- a/drmemory/report.c
+++ b/drmemory/report.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -587,7 +587,7 @@ suppress_spec_finish(suppress_spec_t *spec,
 static bool
 suppress_spec_prefix_line(suppress_spec_t *spec, const char *cstack_start,
                           const char *line_in, size_t line_len, int brace_line,
-                          const char *line, bool *skip OUT)
+                          const char *line, bool *skip DR_PARAM_OUT)
 {
     const char *c;
     if (skip != NULL)
@@ -1110,7 +1110,7 @@ stack_matches_suppression(const error_callstack_t *ecs, const suppress_spec_t *s
 
 static bool
 on_suppression_list_helper(uint type, error_callstack_t *ecs,
-                           suppress_spec_t **matched OUT)
+                           suppress_spec_t **matched DR_PARAM_OUT)
 {
     suppress_spec_t *spec;
     ASSERT(type >= 0 && type < ERROR_MAX_VAL, "invalid error type");
@@ -1134,7 +1134,7 @@ on_suppression_list_helper(uint type, error_callstack_t *ecs,
 }
 
 static bool
-on_suppression_list(uint type, error_callstack_t *ecs, suppress_spec_t **matched OUT)
+on_suppression_list(uint type, error_callstack_t *ecs, suppress_spec_t **matched DR_PARAM_OUT)
 {
     ASSERT(type >= 0 && type < ERROR_MAX_VAL, "invalid error type");
     if (on_suppression_list_helper(type, ecs, matched))
@@ -2215,7 +2215,7 @@ record_error(uint type, packed_callstack_t *pcs, app_loc_t *loc, dr_mcontext_t *
  * This two-part scheme allows putting heap info in the error title (i#1593).
  */
 static void
-gather_heap_info(INOUT error_toprint_t *etp, app_pc addr, size_t sz)
+gather_heap_info(DR_PARAM_INOUT error_toprint_t *etp, app_pc addr, size_t sz)
 {
     byte *start, *end;
     ssize_t size;
@@ -2404,8 +2404,9 @@ gather_heap_info(INOUT error_toprint_t *etp, app_pc addr, size_t sz)
  * XXX PR 423750: provide this info on dups not just 1st unique.
  */
 static void
-report_heap_info(IN error_toprint_t *etp, OUT char *buf, size_t bufsz, size_t *sofar,
-                 app_pc addr, size_t sz, bool invalid_heap_arg, bool for_log)
+report_heap_info(DR_PARAM_IN error_toprint_t *etp, DR_PARAM_OUT char *buf, size_t bufsz,
+                 size_t *sofar, app_pc addr, size_t sz, bool invalid_heap_arg,
+                 bool for_log)
 {
     void *drcontext = dr_get_current_drcontext();
     ssize_t len = 0;
diff --git a/drmemory/shadow.c b/drmemory/shadow.c
index 6db0369dd..d77750b15 100644
--- a/drmemory/shadow.c
+++ b/drmemory/shadow.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -21,6 +21,8 @@
  */
 
 #include "dr_api.h"
+#include "dr_tools.h"
+#include "drreg.h"
 #include "drmemory.h"
 #include "utils.h"
 #include "shadow.h"
@@ -356,7 +358,7 @@ shadow_get_special(app_pc addr, uint *val)
  */
 /* it also has the racy problem on accessing partial byte, xref i#271 */
 uint
-shadow_get_byte(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
+shadow_get_byte(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 {
     ptr_uint_t idx;
     if (addr < info->app_base || addr >= info->app_base + info->app_size) {
@@ -384,7 +386,7 @@ shadow_get_byte(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 /* Returns the byte that shadows the 4-byte-aligned address */
 /* see comment in shadow_get_byte about using umbra_shadow_memory_info_t */
 uint
-shadow_get_dword(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
+shadow_get_dword(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 {
     ptr_uint_t idx;
     if (addr < info->app_base || addr >= info->app_base + info->app_size) {
@@ -411,7 +413,7 @@ shadow_get_dword(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 
 #ifdef X64
 uint
-shadow_get_qword(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
+shadow_get_qword(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 {
     ptr_uint_t idx;
     if (addr < info->app_base || addr >= info->app_base + info->app_size) {
@@ -438,7 +440,7 @@ shadow_get_qword(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 #endif
 
 uint
-shadow_get_ptrsz(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
+shadow_get_ptrsz(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 {
 #ifdef X64
     return shadow_get_qword(info, addr);
@@ -450,7 +452,7 @@ shadow_get_ptrsz(INOUT umbra_shadow_memory_info_t *info, app_pc addr)
 /* Sets the two bits for the byte at the passed-in address */
 /* see comment in shadow_get_byte about using umbra_shadow_memory_info_t */
 void
-shadow_set_byte(INOUT umbra_shadow_memory_info_t *info, app_pc addr, uint val)
+shadow_set_byte(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr, uint val)
 {
     ASSERT(val <= 4, "invalid shadow value");
     if (addr < info->app_base || addr >= info->app_base + info->app_size) {
@@ -1482,13 +1484,13 @@ const byte shadow_word_addr_not_bit[4][256] = {
 /***************************************************************************
  * SHADOWING THE GPR REGISTERS
  */
-
-#ifdef X64
-# define NUM_XMM_REGS 16
-#else
-# define NUM_XMM_REGS 8
-#endif
-#define NUM_MMX_REGS 8
+#ifdef X86
+# ifdef X64
+#  define NUM_XMM_REGS 16
+# else
+#  define NUM_XMM_REGS 8
+# endif
+# define NUM_MMX_REGS 8
 
 typedef struct _shadow_aux_registers_t {
     /* i#243: shadow xmm registers */
@@ -1499,6 +1501,16 @@ typedef struct _shadow_aux_registers_t {
     /* XXX i#471: add floating-point registers here as well */
 } shadow_aux_registers_t;
 
+#elif defined(AARCH64)
+/*FIXME: Support only for 128-bit sized SIMD regs. Add code to make
+ *       it generic enough to support 64-bit, 32-bit, 16-bit and
+ *       8-bit configurations. */
+# define NUM_SIMD_REGS 32
+typedef struct _shadow_aux_registers_t {
+    int simd[NUM_SIMD_REGS];
+} shadow_aux_registers_t;
+#endif
+
 #ifdef X64
 typedef unsigned short shadow_reg_type_t;
 #else
@@ -1508,6 +1520,7 @@ typedef byte shadow_reg_type_t;
 /* We keep our shadow register bits in TLS */
 typedef struct _shadow_registers_t {
 #ifdef TOOL_DR_MEMORY
+# ifdef X86
     /* First 8-byte TLS slot */
     shadow_reg_type_t xax;
     shadow_reg_type_t xcx;
@@ -1518,7 +1531,7 @@ typedef struct _shadow_registers_t {
     shadow_reg_type_t xbp;
     shadow_reg_type_t xsi;
     shadow_reg_type_t xdi;
-# ifdef X64
+#  ifdef X64
     /* Third 8-byte TLS slot */
     shadow_reg_type_t r8;
     shadow_reg_type_t r9;
@@ -1529,12 +1542,52 @@ typedef struct _shadow_registers_t {
     shadow_reg_type_t r13;
     shadow_reg_type_t r14;
     shadow_reg_type_t r15;
-# endif
+#  endif
     /* Third/fifth TLS slot.  We go ahead and write GPR-sized values here
      * for simplicity in our fastpath even though we treat this as
      * a single tracked value.
      */
     shadow_reg_type_t eflags;
+# elif defined(AARCH64)
+    shadow_reg_type_t x0;
+    shadow_reg_type_t x1;
+    shadow_reg_type_t x2;
+    shadow_reg_type_t x3;
+    shadow_reg_type_t x4;
+    shadow_reg_type_t x5;
+    shadow_reg_type_t x6;
+    shadow_reg_type_t x7;
+    shadow_reg_type_t x8;
+    shadow_reg_type_t x9;
+    shadow_reg_type_t x10;
+    shadow_reg_type_t x11;
+    shadow_reg_type_t x12;
+    shadow_reg_type_t x13;
+    shadow_reg_type_t x14;
+    shadow_reg_type_t x15;
+    shadow_reg_type_t x16;
+    shadow_reg_type_t x17;
+    shadow_reg_type_t x18;
+    shadow_reg_type_t x19;
+    shadow_reg_type_t x20;
+    shadow_reg_type_t x21;
+    shadow_reg_type_t x22;
+    shadow_reg_type_t x23;
+    shadow_reg_type_t x24;
+    shadow_reg_type_t x25;
+    shadow_reg_type_t x26;
+    shadow_reg_type_t x27;
+    shadow_reg_type_t x28;
+    shadow_reg_type_t x29;
+    shadow_reg_type_t x30;
+
+    shadow_reg_type_t sp;
+
+    shadow_reg_type_t nzcv;
+    /* XXX i#2016: Should we shadow fpsr + fpcr? */
+# elif defined(ARM)
+    /* TODO i#1726: Currently only pattern mode is supported for ARM. */
+# endif
     /* Used for PR 578892.  Should remain a very small integer so byte is fine. */
     byte in_heap_routine;
     byte padding[IF_X64_ELSE(4,2)];
@@ -1542,10 +1595,9 @@ typedef struct _shadow_registers_t {
      * shadow memory.
      */
     shadow_aux_registers_t *aux;
-#else
+#endif /* TOOL_DR_MEMORY */
     /* Avoid empty struct.  FIXME: this is a waste of a tls slot */
     void *bogus;
-#endif
 } shadow_registers_t;
 
 #define NUM_SHADOW_TLS_SLOTS (sizeof(shadow_registers_t)/sizeof(reg_t))
@@ -1558,6 +1610,7 @@ static uint tls_shadow_base;
 static int tls_idx_shadow = -1;
 
 #ifdef TOOL_DR_MEMORY
+#ifdef X86
 /* For xmm this points at the shadow aux ptr: need a de-ref */
 opnd_t
 opnd_create_shadow_reg_slot(reg_id_t reg)
@@ -1581,7 +1634,46 @@ opnd_create_shadow_reg_slot(reg_id_t reg)
          false, true, false);
 }
 
-#ifdef X64
+#elif defined(AARCH64)
+/* For xmm this points at the shadow aux ptr: need a de-ref */
+opnd_t
+opnd_create_shadow_reg_slot(reg_id_t reg)
+{
+    uint offs;
+    opnd_size_t opsz;
+    ASSERT(options.shadowing, "incorrectly called");
+    if (reg_is_gpr(reg)) {
+        reg_id_t r = reg_to_pointer_sized(reg);
+        offs = (r - DR_REG_START_GPR) * sizeof(shadow_reg_type_t);
+        opsz = SHADOW_GPR_OPSZ;
+    }
+    else {
+        ASSERT(reg_is_simd(reg), "internal shadow reg error");
+        offs = offsetof(shadow_registers_t, aux);
+        opsz = OPSZ_PTR;
+    }
+
+    opnd_t res = opnd_create_base_disp_aarch64
+        (tls_shadow_seg, REG_NULL, 0, false,
+         tls_shadow_base + offs, DR_OPND_MULTI_PART, opsz);
+    return res;
+}
+
+opnd_t
+opnd_create_shadow_reg_slot_high_dword(reg_id_t reg)
+{
+    uint offs;
+    reg_id_t r = reg_to_pointer_sized(reg);
+    ASSERT(options.shadowing && reg_is_gpr(reg), "incorrectly called");
+    offs = (r - DR_REG_START_GPR) * sizeof(shadow_reg_type_t) + 1/*little-endian*/;
+    opnd_t res = opnd_create_base_disp_aarch64
+        (tls_shadow_seg, REG_NULL, 0, false,
+         tls_shadow_base + offs, DR_OPND_MULTI_PART, OPSZ_1);
+    return res;
+}
+#endif
+
+#if defined(X64) && !defined(AARCH64)
 opnd_t
 opnd_create_shadow_reg_slot_high_dword(reg_id_t reg)
 {
@@ -1614,6 +1706,26 @@ get_shadow_xmm_offs(reg_id_t reg)
 #endif
 }
 
+#ifdef AARCH64
+uint
+get_shadow_simd_offs(reg_id_t reg)
+{
+    ASSERT(reg_is_simd(reg), "invalid reg");
+    return offsetof(shadow_aux_registers_t, simd) + sizeof(int)*(reg - DR_REG_Q0);
+}
+
+opnd_t opnd_create_shadow_nzcv_slot(void)
+{
+    ASSERT(options.shadowing, "incorrectly called");
+    return opnd_create_base_disp_aarch64
+        (tls_shadow_seg, REG_NULL, 0, false, tls_shadow_base +
+         offsetof(shadow_registers_t, nzcv), DR_OPND_MULTI_PART, SHADOW_GPR_OPSZ);
+}
+//DR_REG_X1, DR_REG_NULL, 0, false, 0, 0, OPSZ_8
+/*TODO: Check if similar functions for fpcr and fpsr are needed.
+ * */
+
+#elif(defined X86)
 opnd_t
 opnd_create_shadow_eflags_slot(void)
 {
@@ -1625,6 +1737,7 @@ opnd_create_shadow_eflags_slot(void)
           * Core or Core2, and P4 doesn't care that much */
          false, true, false);
 }
+#endif
 
 /* Opnd to acquire in_heap_routine TLS counter. Used for PR 578892. */
 opnd_t
@@ -1678,7 +1791,11 @@ shadow_registers_thread_init(void *drcontext)
         memset(sr, SHADOW_DWORD_DEFINED, sizeof(*sr));
         sr->aux = aux;
         memset(sr->aux, SHADOW_DWORD_DEFINED, sizeof(*sr->aux));
+#ifdef X86
         sr->eflags = SHADOW_DEFINED;
+#elif defined(AARCH64)
+        sr->nzcv = SHADOW_DEFINED;
+#endif
     } else {
         /* we are in at start for new threads */
         uint init_shadow = SHADOW_DWORD_UNDEFINED;
@@ -1691,11 +1808,21 @@ shadow_registers_thread_init(void *drcontext)
         memset(sr, init_shadow, sizeof(*sr));
         sr->aux = aux;
         memset(sr->aux, init_shadow, sizeof(*sr->aux));
+#ifdef X86
         sr->eflags = init_shadow;
+#elif(defined AARCH64)
+        sr->nzcv = init_shadow;
+#endif
 #ifdef LINUX
         /* PR 426162: post-clone, esp and eax are defined */
+#ifdef X86
         sr->xsp = SHADOW_PTRSZ_DEFINED;
         sr->xax = SHADOW_PTRSZ_DEFINED;
+#elif(defined AARCH64)
+    /*TODO: Look into what PR 426162 means and confirm
+     * if only SP needs to be set to DEFINED*/
+        sr->sp = SHADOW_PTRSZ_DEFINED;
+#endif
 #elif defined(WINDOWS)
         /* new thread on Windows has esp defined */
         sr->xsp = SHADOW_PTRSZ_DEFINED;
@@ -1750,6 +1877,7 @@ print_shadow_registers(void)
     uint i;
     IF_DEBUG(shadow_registers_t *sr = get_shadow_registers());
     ASSERT(options.shadowing, "shouldn't be called");
+#ifdef X86
 #ifdef X64
     LOG(0, "    rax=%04x rcx=%04x rdx=%04x rbx=%04x "
         "rsp=%04x rbp=%04x rsi=%04x rdi=%04x\n"
@@ -1775,15 +1903,44 @@ print_shadow_registers(void)
     for (i = 0; i < NUM_MMX_REGS; i++) {
         LOG(0, "mm%d=%04x ", i, (unsigned short)sr->aux->mm[i]);
     }
+#elif(defined AARCH64)
+    LOG(0,  "x0=%04x x1=%04x x2=%04x x3=%04x\n"
+            "x4=%04x x5=%04x x6=%04x x7=%04x\n"
+            "x8=%04x x9=%04x x10=%04x x11=%04x "
+            "x12=%04x x13=%04x x14=%04x x15=%04x\n"
+            "x16=%04x x17=%04x x18=%04x x19=%04x "
+            "x20=%04x x21=%04x x22=%04x x23=%04x\n"
+            "x24=%04x x25=%04x x26=%04x x27=%04x "
+            "x28=%04x x29=%04x x30=%04x "
+            "sp=%04x nzcv=%04x\n",
+        sr->x0, sr->x1, sr->x2, sr->x3, sr->x4, sr->x5, sr->x6, sr->x7, sr->x8, sr->x9,
+        sr->x10, sr->x11, sr->x12, sr->x13, sr->x14, sr->x15, sr->x16, sr->x17, sr->x18, sr->x19,
+        sr->x20, sr->x21, sr->x22, sr->x23, sr->x24, sr->x25, sr->x26, sr->x27, sr->x28, sr->x29,
+    sr->x30, sr->sp, sr->nzcv);
+
+    for (i = 0; i < NUM_SIMD_REGS; i++) {
+        if (i % 4 == 0)
+            LOG(0, "    ");
+        LOG(0, "simd%d=%08x ", i, sr->aux->simd[i]);
+        if (i % 4 == 3)
+            LOG(0, "\n");
+    }
+#endif
     LOG(0, "\n");
 }
 
 static byte *
 reg_shadow_addr(shadow_registers_t *sr, reg_id_t reg)
 {
+#ifdef X86
     /* REG_NULL means eflags */
     if (reg == REG_NULL)
         return ((byte *)sr) + offsetof(shadow_registers_t, eflags);
+#elif(defined AARCH64)
+    /* REG_NULL means nzcv */
+    if (reg == REG_NULL)
+        return ((byte *)sr) + offsetof(shadow_registers_t, nzcv);
+#endif
     else if (reg_is_gpr(reg)) {
         return ((byte *)sr) +
             (reg_to_pointer_sized(reg) - DR_REG_START_GPR)*sizeof(shadow_reg_type_t);
@@ -1798,12 +1955,14 @@ reg_shadow_addr(shadow_registers_t *sr, reg_id_t reg)
             ASSERT(reg_is_mmx(reg), "invalid reg");
             return (byte *) &sr->aux->mm[reg - DR_REG_MM0];
         }
-#else
-        /* FIXME i#1726: port to ARM: shadow SIMD regs */
-        ASSERT_NOT_IMPLEMENTED();
-        return NULL;
+#elif(defined AARCH64)
+        if (reg_is_simd(reg))
+            return (byte *) &sr->aux->simd[reg - DR_REG_Q0];
 #endif
     }
+    /* FIXME i#1726: port to ARM: shadow SIMD regs */
+    ASSERT_NOT_IMPLEMENTED();
+    return NULL;
 }
 
 static uint
@@ -1813,8 +1972,13 @@ get_shadow_register_common(shadow_registers_t *sr, reg_id_t reg)
     opnd_size_t sz = reg_get_size(reg);
     byte *addr = reg_shadow_addr(sr, reg);
     ASSERT(options.shadowing, "incorrectly called");
+#ifdef X86
     if (reg_is_xmm(reg) || reg_is_mmx(reg))
         return *(uint *)addr;
+#elif(defined AARCH64)
+    if (reg_is_simd(reg))
+        return *(uint *)addr;
+#endif
     ASSERT(reg_is_gpr(reg), "internal shadow reg error");
     if (sz == OPSZ_1) {
         val = *addr;
@@ -1828,8 +1992,12 @@ get_shadow_register_common(shadow_registers_t *sr, reg_id_t reg)
     } else if (sz == OPSZ_4) {
         val = *addr;
     } else if (sz == OPSZ_8) {
-        IF_NOT_X86(ASSERT_NOT_REACHED());
+    /*TODO: Confirm comment below is needed for AARCH64*/
+#ifdef X86
         val = *(ushort*)addr;
+#elif defined(AARCH64)
+        val = *addr;
+#endif
     } else {
         val = 0;
         ASSERT_NOT_REACHED();
@@ -1870,8 +2038,10 @@ register_shadow_set_byte(reg_id_t reg, uint bytenum, uint val)
     byte *addr = reg_shadow_addr(sr, reg);
     ASSERT(options.shadowing, "incorrectly called");
     while (shift > 7) {
+#ifdef X86
         ASSERT(reg_is_xmm(reg) ||
                (shift < 16 IF_NOT_X64(&& reg_is_mmx(reg))), "shift too big for reg");
+#endif
         addr++;
         shift -= 8;
     }
@@ -1930,6 +2100,7 @@ register_shadow_set_dqword(reg_id_t reg, uint val)
     *(uint *)addr = val;
 }
 
+#ifdef X86
 uint
 get_shadow_eflags(void)
 {
@@ -1945,6 +2116,39 @@ set_shadow_eflags(uint val)
     ASSERT(options.shadowing, "incorrectly called");
     sr->eflags = (byte) val;
 }
+#elif(defined AARCH64)
+uint
+get_shadow_eflags(void)
+{
+    shadow_registers_t *sr = get_shadow_registers();
+    ASSERT(options.shadowing, "incorrectly called");
+    return sr->nzcv;
+}
+
+void
+set_shadow_eflags(uint val)
+{
+    shadow_registers_t *sr = get_shadow_registers();
+    ASSERT(options.shadowing, "incorrectly called");
+    sr->nzcv = (byte) val;
+}
+#elif(defined ARM)
+uint
+get_shadow_eflags(void)
+{
+    /* TODO i#1726: Not supported yet for ARM. */
+    ASSERT_NOT_REACHED();
+    return 0;
+}
+
+void
+set_shadow_eflags(uint val)
+{
+    /* TODO i#1726: Not supported yet for ARM. */
+    ASSERT_NOT_REACHED();
+    return 0;
+}
+#endif
 
 byte
 get_shadow_inheap(void)
diff --git a/drmemory/shadow.h b/drmemory/shadow.h
index cb48a4e8c..12a286ee9 100644
--- a/drmemory/shadow.h
+++ b/drmemory/shadow.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -173,27 +173,27 @@ shadow_get_special(app_pc addr, uint *val);
  */
 /* it also has the racy problem on accessing partial byte, xref i#271 */
 uint
-shadow_get_byte(INOUT umbra_shadow_memory_info_t *info, app_pc addr);
+shadow_get_byte(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr);
 
 /* Returns the byte that shadows the 4-byte-aligned address */
 /* see comment in shadow_get_byte about using umbra_shadow_memory_info_t */
 uint
-shadow_get_dword(INOUT umbra_shadow_memory_info_t *info, app_pc addr);
+shadow_get_dword(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr);
 
 #ifdef X64
 /* Returns the byte that shadows the 8-byte-aligned address */
 /* see comment in shadow_get_byte about using umbra_shadow_memory_info_t */
 uint
-shadow_get_qword(INOUT umbra_shadow_memory_info_t *info, app_pc addr);
+shadow_get_qword(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr);
 #endif
 
 uint
-shadow_get_ptrsz(INOUT umbra_shadow_memory_info_t *info, app_pc addr);
+shadow_get_ptrsz(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr);
 
 /* Sets the two bits for the byte at the passed-in address */
 /* see comment in shadow_get_byte about using umbra_shadow_memory_info_t */
 void
-shadow_set_byte(INOUT umbra_shadow_memory_info_t *info, app_pc addr, uint val);
+shadow_set_byte(DR_PARAM_INOUT umbra_shadow_memory_info_t *info, app_pc addr, uint val);
 
 /* Converts the special shadow block for addr to non-special
  * and returns a pointer to the same offset within the new
@@ -301,8 +301,13 @@ shadow_memory_is_shadow(app_pc addr);
 void
 print_shadow_registers(void);
 
+#ifdef X86
 opnd_t
 opnd_create_shadow_reg_slot(reg_id_t reg);
+#elif defined(AARCH64)
+opnd_t
+opnd_create_shadow_reg_slot(reg_id_t reg);
+#endif
 
 #ifdef X64
 opnd_t
@@ -313,8 +318,16 @@ opnd_create_shadow_reg_slot_high_dword(reg_id_t reg);
 uint
 get_shadow_xmm_offs(reg_id_t reg);
 
+#ifdef AARCH64
+uint
+get_shadow_simd_offs(reg_id_t reg);
+
+opnd_t
+opnd_create_shadow_nzcv_slot(void);
+#elif(defined X86)
 opnd_t
 opnd_create_shadow_eflags_slot(void);
+#endif
 
 opnd_t
 opnd_create_shadow_inheap_slot(void);
diff --git a/drmemory/slowpath.c b/drmemory/slowpath.c
index 27e65e3a0..057edc5ff 100644
--- a/drmemory/slowpath.c
+++ b/drmemory/slowpath.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -25,9 +25,14 @@
  */
 
 #include "dr_api.h"
+#include "dr_ir_opnd.h"
 #include "drutil.h"
 #include "drmemory.h"
 #include "instru.h"
+#include "utils.h"
+#ifdef AARCH64
+#include "drreg.h"
+#endif
 #include "slowpath.h"
 #include "slowpath_arch.h"
 #include "spill.h"
@@ -49,6 +54,7 @@
 #include <stddef.h>
 #include "asm_utils.h"
 
+
 #ifdef STATISTICS
 /* per-opcode counts */
 uint64 slowpath_count[OP_LAST+1];
@@ -134,6 +140,17 @@ uint num_bbs;
  */
 /* XXX i#1726: update for ARM */
 /* variable-reg: reg1 and reg2 */
+#ifdef AARCH64
+enum {
+    SPILL_REG_NONE, /* !used and !dead */
+    SPILL_REG_R0,  /* this reg is spilled to tls */
+    SPILL_REG_R1,
+    SPILL_REG_R2,
+    SPILL_REG_R3,
+    SPILL_REG_R4,
+    SPILL_REG_NUM,
+};
+#else
 enum {
     SPILL_REG_NONE, /* !used and !dead */
     SPILL_REG_EAX,  /* this reg is spilled to tls */
@@ -146,6 +163,7 @@ enum {
     SPILL_REG_EBX_DEAD,
     SPILL_REG_NUM,
 };
+#endif
 enum {
     SPILL_REG3_NOSPILL,
     SPILL_REG3_SPILL,
@@ -228,15 +246,21 @@ get_cur_src_value(void *drcontext, instr_t *inst, uint i, reg_t *val)
             return false;
         return (safe_read(addr, sz, val));
     } else if (opnd_is_reg(src)) {
-        byte val32[sizeof(dr_ymm_t)];
         reg_id_t reg = opnd_get_reg(src);
         if (!reg_is_gpr(reg)) {
             mc.flags |= DR_MC_MULTIMEDIA;
             dr_get_mcontext(drcontext, &mc);
         }
+#ifdef AARCH64
+        /* reg_get_value_ex() is NYI but we're only handling GPR values for now. */
+        ASSERT(reg_is_gpr(reg), "non-gpr reg_get_value_ex NYI");
+        *val = reg_get_value(reg, &mc);
+#else
+        byte val32[sizeof(dr_ymm_t)];
         if (!reg_get_value_ex(reg, &mc, val32))
             return false;
         *val = *(reg_t*)val32;
+#endif
         return true;
     }
     return false;
@@ -329,7 +353,7 @@ shadow_combine_init(shadow_combine_t *comb, instr_t *inst, uint opcode, uint max
  * comb->dst to be assigned to the destination.
  */
 static void
-integrate_register_shadow(shadow_combine_t *comb INOUT, int opnum,
+integrate_register_shadow(shadow_combine_t *comb DR_PARAM_INOUT, int opnum,
                           reg_id_t reg, uint shadow, bool pushpop)
 {
     uint i, sz;
@@ -374,7 +398,7 @@ integrate_register_shadow(shadow_combine_t *comb INOUT, int opnum,
 
 /* Assigns the array of source shadow_vals to the destination register shadow */
 static void
-assign_register_shadow(shadow_combine_t *comb INOUT, int opnum, opnd_t opnd,
+assign_register_shadow(shadow_combine_t *comb DR_PARAM_INOUT, int opnum, opnd_t opnd,
                        reg_id_t reg, bool pushpop)
 {
     uint shift = 0;
@@ -583,6 +607,7 @@ slow_path_with_mc(void *drcontext, app_pc pc, app_pc decode_pc, dr_mcontext_t *m
 
     slowpath_update_app_loc_arch(opc, decode_pc, &loc);
 
+
 #ifdef STATISTICS
     STATS_INC(slowpath_count[opc]);
     {
@@ -661,7 +686,11 @@ slow_path_with_mc(void *drcontext, app_pc pc, app_pc decode_pc, dr_mcontext_t *m
      */
     check_definedness = instr_check_definedness(&inst);
     always_defined = result_is_always_defined(&inst, false/*us*/);
+#ifdef AARCH64
+    pushpop = instr_is_push(&inst) || instr_is_pop(&inst);
+#else
     pushpop = opc_is_push(opc) || opc_is_pop(opc);
+#endif
     check_srcs_after = instr_needs_all_srcs_and_vals(&inst);
     if (check_srcs_after) {
         /* We need to check definedness of addressing registers, and so we do
@@ -670,7 +699,7 @@ slow_path_with_mc(void *drcontext, app_pc pc, app_pc decode_pc, dr_mcontext_t *m
          * check_mem_opnd() and integrate_register_shadow(), causing the 2
          * sources to be laid out side-by-side in comb->dst.
          */
-        ASSERT(instr_num_srcs(&inst) == 2, "and/or special handling error");
+        ASSERT(IF_AARCH64_ELSE(true, instr_num_srcs(&inst) == 2), "and/or special handling error");
         check_definedness = false;
         IF_DEBUG(comb.opsz = 0;) /* for asserts below */
     }
@@ -930,8 +959,9 @@ slow_path_with_mc(void *drcontext, app_pc pc, app_pc decode_pc, dr_mcontext_t *m
                    (instr_at_pc_is_restore(drcontext, ret_pc) &&
                     pc == decode_next_pc(drcontext, xl8)) ||
                    /* for native ret we changed pc */
-                   (options.replace_malloc && opc == IF_X86_ELSE(OP_ret, OP_bx) &&
-                    alloc_entering_replace_routine(xl8)),
+                   //TODO: Might need to match more than just OP_ret for AARCH64?
+                   (options.replace_malloc && opc == IF_AARCH64_ELSE(OP_ret, IF_X86_ELSE(OP_ret, OP_bx) &&
+                    alloc_entering_replace_routine(xl8))),
                    "xl8 doesn't match");
         }
     });
@@ -990,7 +1020,9 @@ instr_shared_slowpath_decode_pc(instr_t *inst, fastpath_info_t *mi,
          */
         *decode_pc_opnd = OPND_CREATE_INTPTR(decode_pc);
         return false;
-    } else if (pc == instr_get_raw_bits(inst)) {
+    }
+
+    if (IF_AARCH64(true || )pc == instr_get_raw_bits(inst)) {
         /* If it matches the raw bits we know we only need one pc */
         *decode_pc_opnd = OPND_CREATE_INTPTR(pc);
         return true;
@@ -1042,7 +1074,7 @@ instrument_slowpath(void *drcontext, instrlist_t *bb, instr_t *inst,
     opnd_t decode_pc_opnd;
     ASSERT(options.pattern == 0, "No slow path for pattern mode");
     if (instr_shared_slowpath_decode_pc(inst, mi, &decode_pc_opnd)
-        IF_ARM(&& false/*NYI: see below*/)) {
+        IF_AARCH64_ELSE(&& false, IF_ARM(&& false/*NYI: see below*/))) {
 #ifdef X86
         /* Since the clean call instr sequence is quite long we share
          * it among all bbs.  Rather than switch to a clean stack we jmp
@@ -1147,12 +1179,6 @@ instrument_slowpath(void *drcontext, instrlist_t *bb, instr_t *inst,
             instru_insert_mov_pc(drcontext, bb, inst, opnd_create_reg(mi->reg1.reg),
                                  OPND_CREATE_INTPTR(shadow_bitlevel_addr()));
         }
-#else
-        /* FIXME i#1726: add ARM port.  Some of the above code was
-         * made cross-platform, but the per-scratch-reg code and some
-         * of the generated instrs are x86-specific still.
-         */
-        ASSERT_NOT_IMPLEMENTED();
 #endif
     } else {
         app_pc pc = instr_get_app_pc(inst);
@@ -1228,7 +1254,9 @@ shared_slowpath_restore(void *drcontext, instrlist_t *ilist, int type, int slot)
 byte *
 generate_shared_slowpath(void *drcontext, instrlist_t *ilist, byte *pc)
 {
-#ifdef X86
+#ifdef AARCH64
+    return pc;
+#elif defined (X86)
     int r1, r2, r3, ef;
 
     /* Create our shared slowpath.  To save space at the "call" site, we
@@ -1425,7 +1453,7 @@ bool
 handle_mem_ref_internal(uint flags, app_loc_t *loc, app_pc addr, size_t sz,
                         dr_mcontext_t *mc,
                         /* these 2 are required for MEMREF_USE_VALUES */
-                        int opnum, shadow_combine_t *comb INOUT)
+                        int opnum, shadow_combine_t *comb DR_PARAM_INOUT)
 {
     uint i;
     bool allgood = true;
@@ -1760,7 +1788,7 @@ handle_mem_ref(uint flags, app_loc_t *loc, app_pc addr, size_t sz, dr_mcontext_t
 
 bool
 check_mem_opnd(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
-               dr_mcontext_t *mc, int opnum, shadow_combine_t *comb INOUT)
+               dr_mcontext_t *mc, int opnum, shadow_combine_t *comb DR_PARAM_INOUT)
 {
     app_pc addr = NULL;
 #ifdef TOOL_DR_MEMORY
@@ -1774,7 +1802,7 @@ check_mem_opnd(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
         /* First check definedness of base+index regs */
         for (i = 0; i < opnd_num_regs_used(opnd); i++) {
             reg_id_t reg = opnd_get_reg_used(opnd, i);
-            if (!reg_is_segment(reg) &&
+            if (IF_X86_ELSE(!reg_is_segment(reg), true) &&
                 !is_shadow_register_defined(get_shadow_register(reg))) {
                 /* FIXME: report which bytes within reg via container params? */
                 report_undefined_read
@@ -1791,7 +1819,8 @@ check_mem_opnd(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
         return true;
 
     addr = opnd_compute_address(opnd, mc);
-    if (opc == OP_pop && !TEST(MEMREF_PUSHPOP, flags) &&
+
+    if (IF_AARCH64_ELSE(false, opc == OP_pop) && !TEST(MEMREF_PUSHPOP, flags) &&
         opnd_is_base_disp(opnd) && opnd_uses_reg(opnd, DR_REG_XSP)) {
         /* XXX i#1502: we probably want a solution coming from DR, but for
          * now we fix this inside DrMem.
diff --git a/drmemory/slowpath.h b/drmemory/slowpath.h
index 7174d13ca..b83ecc6d8 100644
--- a/drmemory/slowpath.h
+++ b/drmemory/slowpath.h
@@ -37,6 +37,8 @@
 # define REG_FRAME_PTR DR_REG_XBP
 #elif defined(ARM)
 # define REG_FRAME_PTR DR_REG_FP
+#elif defined(AARCH64)
+# define REG_FRAME_PTR DR_REG_R29
 #endif
 
 /* we only need a little over 2 pages for whole_bb_spills_enabled(): could get
@@ -236,7 +238,7 @@ slowpath_module_unload(void *drcontext, const module_data_t *mod);
  */
 # define CMP_IMMED_OPCODE 0x81
 # define RET_NOIMM_OPCODE 0xc3
-#elif defined(ARM)
+#elif defined(ARM) || defined(AARCH64)
 # define UDF_THUMB_OPCODE 0xde00
 # define UDF_THUMB_LENGTH 2
 # define UDF_ARM_OPCODE 0xe7f000f0
@@ -262,12 +264,31 @@ reg_is_16bit(reg_id_t reg);
 bool
 reg_offs_in_dword(reg_id_t reg);
 
+#ifdef AARCH64
+opnd_t
+get_pushpop_offset(instr_t *inst);
+
 bool
 opc_is_push(uint opc);
 
+bool
+instr_is_push(instr_t *instr);
+#else
+bool
+opc_is_push(uint opc);
+#endif
+
+#ifdef AARCH64
 bool
 opc_is_pop(uint opc);
 
+bool
+instr_is_pop(instr_t *instr);
+#else
+bool
+opc_is_pop(uint opc);
+#endif
+
 bool
 opc_is_stringop(uint opc);
 
diff --git a/drmemory/slowpath_arch.h b/drmemory/slowpath_arch.h
index 0340fe0d8..bd3b40e1e 100644
--- a/drmemory/slowpath_arch.h
+++ b/drmemory/slowpath_arch.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -134,22 +134,22 @@ register_shadow_mark_defined(reg_id_t reg, size_t sz);
  * what's already there.
  */
 void
-map_src_to_dst(shadow_combine_t *comb INOUT, int opnum, int src_bytenum, uint shadow);
+map_src_to_dst(shadow_combine_t *comb DR_PARAM_INOUT, int opnum, int src_bytenum, uint shadow);
 
 /* Returns whether the definedness values changed at all */
 bool
 check_andor_sources(void *drcontext, dr_mcontext_t *mc, instr_t *inst,
-                    shadow_combine_t *comb INOUT, app_pc next_pc);
+                    shadow_combine_t *comb DR_PARAM_INOUT, app_pc next_pc);
 
 /* Returns whether to skip the general integration */
 bool
-integrate_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum,
+integrate_register_shadow_arch(shadow_combine_t *comb DR_PARAM_INOUT, int opnum,
                                reg_id_t reg, uint shadow, bool pushpop);
 
 /* Returns whether to skip the general assignment code */
 bool
-assign_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum, opnd_t opnd,
-                            reg_id_t reg, bool pushpop, uint *shift INOUT);
+assign_register_shadow_arch(shadow_combine_t *comb DR_PARAM_INOUT, int opnum, opnd_t opnd,
+                            reg_id_t reg, bool pushpop, uint *shift DR_PARAM_INOUT);
 
 /* Returns whether it handled the instruction */
 bool
@@ -160,11 +160,11 @@ slowpath_update_app_loc_arch(uint opc, app_pc decode_pc, app_loc_t *loc);
 
 bool
 check_mem_opnd(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
-               dr_mcontext_t *mc, int opnum, shadow_combine_t *comb INOUT);
+               dr_mcontext_t *mc, int opnum, shadow_combine_t *comb DR_PARAM_INOUT);
 
 bool
 check_mem_opnd_arch(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
-                    dr_mcontext_t *mc, int opnum, shadow_combine_t *comb INOUT);
+                    dr_mcontext_t *mc, int opnum, shadow_combine_t *comb DR_PARAM_INOUT);
 
 bool
 check_undefined_exceptions(bool pushpop, bool write, app_loc_t *loc, app_pc addr,
diff --git a/drmemory/slowpath_arm.c b/drmemory/slowpath_arm.c
index 9563aa026..e32a2b9d5 100644
--- a/drmemory/slowpath_arm.c
+++ b/drmemory/slowpath_arm.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2015-2018 Google, Inc.  All rights reserved.
+ * Copyright (c) 2015-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -24,6 +24,10 @@
  */
 
 #include "dr_api.h"
+#include "dr_defines.h"
+#include "dr_ir_instr.h"
+#include "dr_ir_opcodes_aarch64.h"
+#include "dr_ir_opnd.h"
 #include "drutil.h"
 #include "drmemory.h"
 #include "instru.h"
@@ -76,20 +80,96 @@ reg_offs_in_dword(reg_id_t reg)
     return 0;
 }
 
+opnd_t
+get_pushpop_offset(instr_t *inst){
+    uint opc = instr_get_opcode(inst);
+        /* Call handle_esp_adjust */
+    opnd_t arg;
+    switch(opc){
+        case OP_sub:
+        case OP_add:
+            arg = instr_get_src(inst, 1);
+            break;
+        case OP_stp:
+
+            arg = instr_get_src(inst, 3);
+            break;
+        case OP_str:
+        case OP_ldr:
+        case OP_ldp:
+            arg = instr_get_src(inst, 2);
+            break;
+        default:
+            return opnd_create_null();
+    }
+    return arg;
+}
+
 bool
 opc_is_push(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    if ((opc == OP_str || opc == OP_strb || opc == OP_strh || opc == OP_stur || opc == OP_stp)){
+        return true;
+    }
+
+    return false;
+}
+
+bool
+instr_is_push(instr_t *instr)
+{
+    if (!opc_is_push(instr_get_opcode(instr)))
+        return false;
+
+    bool writes_to_stack = false;
+    uint num_dsts = instr_num_dsts(instr);
+    for (uint i =0;i<num_dsts;i++){
+        if (opnd_uses_reg(instr_get_dst(instr, i), DR_REG_XSP) && opnd_is_memory_reference(instr_get_dst(instr, i)))
+            writes_to_stack = true;
+    }
+    if (!writes_to_stack)
+        return false;
+
+    for (uint i =0;i<num_dsts;i++){
+        if (opnd_uses_reg(instr_get_dst(instr, i), DR_REG_XSP) && opnd_is_reg(instr_get_dst(instr, i)))
+            return true;
+    }
     return false;
 }
 
 bool
 opc_is_pop(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    if ((opc == OP_ldr || opc == OP_ldrb || opc == OP_ldrh || opc == OP_ldur || opc == OP_ldp)){
+        return true;
+    }
     return false;
 }
 
+bool
+instr_is_pop(instr_t *instr)
+{
+    if (!opc_is_pop(instr_get_opcode(instr)))
+        return false;
+
+    bool reads_off_stack = false;
+    uint num_srcs = instr_num_srcs(instr);
+    for (uint i =0;i<num_srcs;i++){
+        if (opnd_uses_reg(instr_get_src(instr, i), DR_REG_XSP) && opnd_is_memory_reference(instr_get_src(instr, i)))
+            reads_off_stack = true;
+    }
+    if (!reads_off_stack)
+        return false;
+
+    uint num_dsts = instr_num_dsts(instr);
+    for (uint i =0;i<num_dsts;i++){
+        if (opnd_uses_reg(instr_get_dst(instr, i), DR_REG_XSP) && opnd_is_reg(instr_get_dst(instr, i)))
+            return true;
+    }
+    return false;
+}
+
+
 bool
 opc_is_stringop_loop(uint opc)
 {
@@ -111,8 +191,8 @@ opc_is_loopcc(uint opc)
 bool
 opc_is_gpr_shift(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return false;
+    return (opc == OP_lslv || opc == OP_lsrv || opc == OP_asrv ||
+            opc == OP_rorv || opc == OP_ubfm || opc == OP_extr);
 }
 
 bool
@@ -124,14 +204,12 @@ instr_is_jcc(instr_t *inst)
 bool
 opc_is_cmovcc(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
 bool
 opc_is_fcmovcc(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
@@ -139,7 +217,6 @@ opc_is_fcmovcc(uint opc)
 bool
 opc_2nd_dst_is_extension(uint opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
@@ -165,7 +242,29 @@ adjust_memop_push_offs(instr_t *inst)
 opnd_t
 adjust_memop(instr_t *inst, opnd_t opnd, bool write, uint *opsz, bool *pushpop_stackop)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    /* DR's IR now properly encodes push sizes (DRi#164), except for OP_enter */
+    uint sz = opnd_size_in_bytes(opnd_get_size(opnd));
+    bool push = instr_is_push(inst);
+    bool pop = instr_is_pop(inst);
+    bool pushpop = false; /* is mem ref on stack for push/pop */
+    if (opnd_uses_reg(opnd, DR_REG_XSP)) {
+        if (write && push && opnd_is_base_disp(opnd)) {
+            uint extra_push_sz = adjust_memop_push_offs(inst);
+            pushpop = true;
+            if (extra_push_sz > 0) {
+                sz += extra_push_sz;
+                opnd_set_disp(&opnd, opnd_get_disp(opnd) - sz);
+            }
+        } else if (!write && pop && opnd_is_base_disp(opnd)) {
+            if (!instr_pop_into_esp(inst))
+                pushpop = true;
+        }
+    }
+    /* we assume only +w ref for push (-w for pop) is the stack adjust */
+    ASSERT(pushpop || ((!write || !push) && (write || !pop)) || instr_pop_into_esp(inst),
+           "internal stack op bad assumption");
+    *opsz = sz;
+    *pushpop_stackop = pushpop;
     return opnd;
 }
 
@@ -176,16 +275,45 @@ adjust_memop(instr_t *inst, opnd_t opnd, bool write, uint *opsz, bool *pushpop_s
 bool
 always_check_definedness(instr_t *inst, int opnum)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return false;
+    uint opc = instr_get_opcode(inst);
+    return (opc_is_gpr_shift(opc) && opnum == 0);
+}
+
+// TODO: make sub functions for checks like these, like instr_is_exclusive_store(instr_t *instr)
+static bool
+opc_is_move(uint opc)
+{
+    return (opc == OP_ldrb || opc == OP_ldrh || opc == OP_ldr || opc == OP_ldur || opc == OP_ldr ||
+            opc == OP_strb || opc == OP_strh || opc == OP_str || opc == OP_stur || opc == OP_str || opc == OP_swp ||
+            opc == OP_movz || opc == OP_movk || opc == OP_movn ||
+            opc == OP_add || opc == OP_orr);
 }
 
 /* For some instructions we check all source operands for definedness. */
 bool
 instr_check_definedness(instr_t *inst)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return false;
+    uint opc = instr_get_opcode(inst);
+    return
+        /* always check conditional jumps */
+        instr_is_cbr(inst) ||
+        (options.check_uninit_non_moves && !opc_is_move(opc)) ||
+        options.check_uninit_all ||
+        (options.check_uninit_cmps &&
+         /* a compare writes eflags but nothing else, or is a loop, cmps, or cmovcc.
+          * for cmpxchg* only some operands are compared: see always_check_definedness.
+          */
+         ((instr_num_dsts(inst) == 0 &&
+           TESTANY(EFLAGS_WRITE_ALL, instr_get_eflags(inst, DR_QUERY_INCLUDE_ALL))) ||
+          opc == OP_subs)) ||
+        (!instr_propagatable_dsts(inst) &&
+         !TESTANY(EFLAGS_WRITE_ALL, instr_get_eflags(inst, DR_QUERY_INCLUDE_ALL)) &&
+         /* though prefetch has nowhere to propagate uninit shadow vals to, we
+          * do not want to raise errors.  so we ignore, under the assumption
+          * that a real move will happen soon enough to propagate: if not,
+          * little harm done.  i#244.
+          */
+         !instr_is_prefetch(inst));
 }
 
 /***************************************************************************
@@ -195,16 +323,62 @@ instr_check_definedness(instr_t *inst)
 bool
 result_is_always_defined(instr_t *inst, bool natively)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    /* Even if source operands are undefined, don't consider this instr as
+     * reading undefined values if:
+     * 1) clearing/setting all bits via:
+     *   - and with 0
+     *   - or with ~0
+     *   - xor with self
+     *   - packed subtract with self
+     *   - sbb with self (PR 425498): now handled via num_true_srcs since must
+     *     propagate eflags (PR 425622)
+     */
+    int opc = instr_get_opcode(inst);
+
+#ifdef TOOL_DR_MEMORY
+    /* i#1529: mark an entire module defined */
+    if (!natively && options.check_uninit_blocklist[0] != '\0') {
+        /* Fastpath should have already checked the cached value in
+         * bb_info_t.mark_defined, so we should only be paying this
+         * cost for each slowpath entry.
+         */
+        app_pc pc = instr_get_app_pc(inst) != NULL ?
+            instr_get_app_pc(inst) : instr_get_raw_bits(inst);
+        if (module_is_on_check_uninit_blocklist(pc)) {
+            LOG(3, "module is on uninit blocklist: always defined\n");
+            return true;
+        }
+    }
+#endif
+
+    /* Though our general non-const per-byte 0/1 checking would cover this,
+     * we optimize by looking for entire-dword consts up front
+     */
+    if ((opc == OP_and &&
+         opnd_is_immed_int(instr_get_src(inst, 0)) &&
+         opnd_get_immed_int(instr_get_src(inst, 0)) == 0) ||
+        (opc == OP_ands &&
+         opnd_is_immed_int(instr_get_src(inst, 1)) &&
+         opnd_get_immed_int(instr_get_src(inst, 1)) == 0) ||
+        (opc == OP_orr &&
+         opnd_is_immed_int(instr_get_src(inst, 1)) &&
+         opnd_get_immed_int(instr_get_src(inst, 1)) == ~0) ||
+        ((opc == OP_eor) &&
+         opnd_same(instr_get_src(inst, 0), instr_get_src(inst, 1)))) {
+        STATS_INC(andor_exception);
+        return true;
+    }
     return false;
 }
 
 #ifdef TOOL_DR_MEMORY
+/* All current non-syscall uses already have inst decoded so we require it
+ * for efficiency
+ */
 bool
 check_undefined_reg_exceptions(void *drcontext, app_loc_t *loc, reg_id_t reg,
                                dr_mcontext_t *mc, instr_t *inst)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
@@ -212,50 +386,172 @@ bool
 check_undefined_exceptions(bool pushpop, bool write, app_loc_t *loc, app_pc addr,
                            uint sz, uint *shadow, dr_mcontext_t *mc, uint *idx)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
+
 /* Opcodes that write to subreg at locations not fixed in the low part of the reg */
 bool
 opc_dst_subreg_nonlow(int opc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    switch (opc) {
+    case OP_bfm:
+    case OP_sbfm:
+    case OP_ubfm:
+    case OP_lslv:
+    case OP_lsrv:
+    case OP_asrv:
+        return true;
+    }
     return false;
 }
 
+/* Same base interface as map_src_to_dst(), but this one takes in an
+ * arbitrary opcode that can differ from comb->opcode, a per-element
+ * src_bytenum, an offset for the dst bytenum, and a per-element opsz,
+ * allowing for use on packed shifts as well as GPR shifts.
+ */
+static bool
+map_src_to_dst_shift(shadow_combine_t *comb DR_PARAM_INOUT, uint opc, int opnum, int src_bytenum,
+                     uint src_offs, uint opsz, uint shadow)
+{
+    reg_t shift;
+    /* Be sure to use opsz, the element size, NOT comb->opsz; similarly, use
+     * the passed-in opc, NOT comb->opcode, for the operation.
+     */
+    ASSERT(comb->inst != NULL, "need inst for shifts");
+    ASSERT(opc_is_gpr_shift(comb->opcode),
+           "unknown shift");
+    if (!get_cur_src_value(dr_get_current_drcontext(), comb->inst, 0, &shift)) {
+        ASSERT(false, "failed to get shift amount");
+        /* graceful failure */
+        return false;
+    }
+    LOG(4, " src bytenum %d, offs %d, opsz %d, shift %d\n", src_bytenum, src_offs,
+        opsz, shift);
+    if (shift > opsz*8)
+        shift = opsz*8; /* XXX i#101: for a rotate we want shift % (opsz*8) */
+    if (shift == 0) {
+        /* no flags are changed for shift==0 */
+        accum_shadow(&comb->dst[src_offs + src_bytenum], shadow);
+        return true;
+    }
+    if (opc == OP_lslv) {
+        /* If shift % 8 != 0 we touch two bytes: */
+        int map1 = src_bytenum + shift/8;
+        int map2 = src_bytenum + (shift-1)/8 + 1;
+        if (map1 >= opsz) {
+            if (map1 == opsz) {
+                /* bit shifted off goes to CF */
+                LOG(4, "  accum eflags %d + %d\n", comb->eflags, shadow);
+                accum_shadow(&comb->eflags, shadow);
+            }
+            /* shifted off the end */
+            return true;
+        }
+        LOG(4, "  accum @%d %d + %d\n", src_offs + map1, comb->dst[src_offs + map1],
+            shadow);
+        accum_shadow(&comb->dst[src_offs + map1], shadow);
+        if (map1 != map2 && map2 < opsz) {
+            LOG(4, "  accum @%d %d + %d\n", src_offs + map2, comb->dst[src_offs + map2],
+                shadow);
+            accum_shadow(&comb->dst[src_offs + map2], shadow);
+        }
+        accum_shadow(&comb->eflags, shadow);
+        return true;
+    } else if (opc == OP_lsrv || opc == OP_asrv) {
+        /* If shift % 8 != 0 we touch two bytes: */
+        int map1 = src_bytenum - shift/8;
+        int map2 = src_bytenum - ((shift-1)/8 + 1);
+        if (opc == OP_asrv && src_bytenum == opsz - 1) {
+            /* Top bit is what's shifted in */
+            int i;
+            for (i = 0; i <= shift/8 && i < opsz; i ++)
+                accum_shadow(&comb->dst[src_offs + opsz - 1 - i], shadow);
+            accum_shadow(&comb->eflags, shadow);
+            return true;
+        }
+        if (map1 >= 0) { /* if not shifted off the end */
+            LOG(4, "  accum @%d %d + %d\n", src_offs + map1, comb->dst[src_offs + map1],
+                shadow);
+            accum_shadow(&comb->dst[src_offs + map1], shadow);
+        }
+        if (map1 != map2 && map2 >= 0) {
+            LOG(4, "  accum @%d %d + %d\n", src_offs + map2, comb->dst[src_offs + map2],
+                shadow);
+            accum_shadow(&comb->dst[src_offs + map2], shadow);
+        }
+        accum_shadow(&comb->eflags, shadow);
+        /* We assume we don't need to proactively mark the top now-0 bits
+         * as defined for OP_shr b/c our method of combining starts w/ defined
+         */
+        return true;
+    } else {
+        /* FIXME i#101: add rotate opcodes + shrd/shld */
+    }
+    return false; /* unhandled */
+}
+
 /* Takes the shadow value \p shadow for the \p src_bytenum-th byte in
  * the source operand ordinal \p opnum of instruction \p inst and
  * places it into comb's dst and eflags repositories, combining with
  * what's already there.
  */
 void
-map_src_to_dst(shadow_combine_t *comb INOUT, int opnum, int src_bytenum, uint shadow)
-{
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+map_src_to_dst(shadow_combine_t *comb DR_PARAM_INOUT, int opnum, int src_bytenum, uint shadow)
+{
+    int opc = comb->opcode;
+
+    if (opc_is_gpr_shift(opc)) {
+        if (map_src_to_dst_shift(comb, comb->opcode, opnum, src_bytenum, 0,
+                                 comb->opsz, shadow)) {
+            SHADOW_COMBINE_CHECK_OPND(comb, src_bytenum);
+            return; /* handled */
+        }
+    }
+
+    switch (opc) {
+    default:
+        accum_shadow(&comb->dst[src_bytenum], shadow);
+       break;
+    }
+
+    /* By default all source bytes influence eflags.  If an opcode wants to do
+     * otherwise it needs to return prior to here.
+     */
+    if (comb->inst != NULL &&
+        TESTANY(EFLAGS_WRITE_ALL, instr_get_eflags(comb->inst, DR_QUERY_INCLUDE_ALL)))
+        accum_shadow(&comb->eflags, shadow);
+    return;
 }
 #endif /* TOOL_DR_MEMORY */
 
 bool
 instr_needs_all_srcs_and_vals(instr_t *inst)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return false;
+    /* For bitwise and + or we need to know the shadow value and the real value
+     * of all sources before we can decide whether any one source's
+     * undefinedness is an issue!
+     */
+    int opc = instr_get_opcode(inst);
+    return (opc == OP_and || opc == OP_ands || opc == OP_orr || opc == OP_eor);
 }
 
 #ifdef TOOL_DR_MEMORY
+
+/* Caller has already checked that "val" is defined */
+
 /* Returns whether the definedness values changed at all */
 bool
 check_andor_sources(void *drcontext, dr_mcontext_t *mc, instr_t *inst,
-                    shadow_combine_t *comb INOUT, app_pc next_pc)
+                    shadow_combine_t *comb DR_PARAM_INOUT, app_pc next_pc)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return false;
 }
 
 /* Returns whether to skip the general integration */
 bool
-integrate_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum,
+integrate_register_shadow_arch(shadow_combine_t *comb DR_PARAM_INOUT, int opnum,
                                reg_id_t reg, uint shadow, bool pushpop)
 {
     return false;
@@ -263,8 +559,8 @@ integrate_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum,
 
 /* Returns whether to skip the general assignment code */
 bool
-assign_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum, opnd_t opnd,
-                            reg_id_t reg, bool pushpop, uint *shift INOUT)
+assign_register_shadow_arch(shadow_combine_t *comb DR_PARAM_INOUT, int opnum, opnd_t opnd,
+                            reg_id_t reg, bool pushpop, uint *shift DR_PARAM_INOUT)
 {
     return false;
 }
@@ -273,14 +569,19 @@ assign_register_shadow_arch(shadow_combine_t *comb INOUT, int opnum, opnd_t opnd
 int
 num_true_srcs(instr_t *inst, dr_mcontext_t *mc /*optional*/)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    int opc = instr_get_opcode(inst);
+    /* sbc with self should consider all srcs except eflags defined (thus can't
+     * be in result_is_always_defined) (PR 425498, PR 425622)
+     */
+    if (opc == OP_sbc && opnd_same(instr_get_src(inst, 0), instr_get_src(inst, 1)))
+        return 0;
+
     return instr_num_srcs(inst);
 }
 
 int
 num_true_dsts(instr_t *inst, dr_mcontext_t *mc /*optional*/)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
     return instr_num_dsts(inst);
 }
 
@@ -300,7 +601,7 @@ slowpath_update_app_loc_arch(uint opc, app_pc decode_pc, app_loc_t *loc)
 
 bool
 check_mem_opnd_arch(uint opc, uint flags, app_loc_t *loc, opnd_t opnd, uint sz,
-                    dr_mcontext_t *mc, int opnum, shadow_combine_t *comb INOUT)
+                    dr_mcontext_t *mc, int opnum, shadow_combine_t *comb DR_PARAM_INOUT)
 {
     return false;
 }
diff --git a/drmemory/spill.c b/drmemory/spill.c
index ca57cc52e..f6ab2d271 100644
--- a/drmemory/spill.c
+++ b/drmemory/spill.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -87,7 +87,7 @@ handle_drreg_error(drreg_status_t status)
 void
 instru_tls_init(void)
 {
-    if (options.pattern != 0) {
+    if (options.pattern != 0 IF_AARCH64(|| true)) {
         drreg_options_t ops = {
             sizeof(ops), options.num_spill_slots, options.conservative,
             handle_drreg_error,
@@ -119,11 +119,9 @@ instru_tls_init(void)
             seg_tls = DR_SEG_FS;
 # endif
 #elif defined(ARM)
-# ifdef X64
-            seg_tls = DR_REG_TPIDRURO;
-# else
             seg_tls = DR_REG_TPIDRURW;
-# endif
+#elif defined(AARCH64)
+            seg_tls = DR_REG_TPIDRRO_EL0;
 #endif
         }
     }
@@ -138,7 +136,7 @@ instru_tls_exit(void)
         ASSERT(ok, "WARNING: unable to free tls slots");
         drmgr_unregister_tls_field(tls_idx_instru);
     }
-    if (options.pattern != 0) {
+    if (options.pattern != 0 IF_AARCH64(|| true)) {
         IF_DEBUG(drreg_status_t res =)
             drreg_exit();
         ASSERT(res == DRREG_SUCCESS, "WARNING: drreg failed on exit");
@@ -176,11 +174,13 @@ num_own_spill_slots(void)
     return options.num_spill_slots;
 }
 
+
 static opnd_t
 opnd_create_own_spill_slot(uint index)
 {
     ASSERT(index < options.num_spill_slots, "spill slot index overflow");
     ASSERT(INSTRUMENT_MEMREFS(), "incorrectly called");
+#ifdef X86
     return opnd_create_far_base_disp_ex
         /* must use 0 scale to match what DR decodes for opnd_same */
         (seg_tls, REG_NULL, REG_NULL, 0,
@@ -188,6 +188,13 @@ opnd_create_own_spill_slot(uint index)
          /* we do NOT want an addr16 prefix since most likely going to run on
           * Core or Core2, and P4 doesn't care that much */
          false, true, false);
+#elif defined(AARCH64)
+    return opnd_create_base_disp_aarch64
+        (seg_tls, REG_NULL, 0, false,
+        tls_instru_base + (NUM_INSTRU_TLS_SLOTS + index)*sizeof(ptr_uint_t), DR_OPND_MULTI_PART, OPSZ_PTR);
+#else
+    return opnd_create_null();
+#endif
 }
 
 ptr_uint_t
@@ -195,9 +202,15 @@ get_own_tls_value(uint index)
 {
     ASSERT(NUM_TLS_SLOTS > 0, "should not get here if we have no slots");
     if (index < options.num_spill_slots) {
+#ifdef AARCH64
+        byte *seg_base = get_own_seg_base();
+        return *(ptr_uint_t *) (tls_instru_base + seg_base +
+                                (NUM_INSTRU_TLS_SLOTS + index)*sizeof(ptr_uint_t));
+#else
         byte *seg_base = get_own_seg_base();
         return *(ptr_uint_t *) (seg_base + tls_instru_base +
                                 (NUM_INSTRU_TLS_SLOTS + index)*sizeof(ptr_uint_t));
+#endif
     } else {
         dr_spill_slot_t DR_slot = index - options.num_spill_slots;
         return dr_read_saved_reg(dr_get_current_drcontext(), DR_slot);
@@ -209,9 +222,15 @@ set_own_tls_value(uint index, ptr_uint_t val)
 {
     ASSERT(NUM_TLS_SLOTS > 0, "should not get here if we have no slots");
     if (index < options.num_spill_slots) {
+#ifdef AARCH64
+        byte *seg_base = get_own_seg_base();
+        *(ptr_uint_t *)(tls_instru_base + seg_base +
+                        (NUM_INSTRU_TLS_SLOTS + index)*sizeof(ptr_uint_t)) = val;
+#else
         byte *seg_base = get_own_seg_base();
         *(ptr_uint_t *)(seg_base + tls_instru_base +
                         (NUM_INSTRU_TLS_SLOTS + index)*sizeof(ptr_uint_t)) = val;
+#endif
     } else {
         dr_spill_slot_t DR_slot = index - options.num_spill_slots;
         dr_write_saved_reg(dr_get_current_drcontext(), DR_slot, val);
@@ -327,7 +346,7 @@ restore_reg(void *drcontext, instrlist_t *ilist, instr_t *where, reg_id_t reg,
 opnd_t
 spill_slot_opnd(void *drcontext, dr_spill_slot_t slot)
 {
-    ASSERT(options.pattern == 0, "not converted to drreg yet");
+    ASSERT(options.pattern == 0 IF_AARCH64(|| true), "not converted to drreg yet");
     if (slot < options.num_spill_slots) {
         return opnd_create_own_spill_slot(slot);
     } else {
@@ -336,6 +355,7 @@ spill_slot_opnd(void *drcontext, dr_spill_slot_t slot)
     }
 }
 
+#ifndef AARCH64
 static bool
 is_spill_slot_opnd(void *drcontext, opnd_t op)
 {
@@ -359,6 +379,28 @@ is_spill_slot_opnd(void *drcontext, opnd_t op)
     }
     return false;
 }
+#endif
+
+void
+reserve_aflags(void *drcontext, instrlist_t *ilist, instr_t *where)
+{
+    IF_DEBUG(drreg_status_t res =)
+        drreg_reserve_aflags(drcontext, ilist, where);
+    /* We're ok with IN_USE b/c of our "lazy spill, single restore" strategy. */
+    ASSERT(res == DRREG_SUCCESS || res == DRREG_ERROR_IN_USE, "failed to reserve aflags");
+    LOG(4, "\t%s @"PFX"\n", __FUNCTION__, instr_get_app_pc(where));
+}
+
+void
+unreserve_aflags(void *drcontext, instrlist_t *ilist, instr_t *where)
+{
+    IF_DEBUG(drreg_status_t res =)
+        drreg_unreserve_aflags(drcontext, ilist, where);
+    /* We're ok with INVALID b/c of our "lazy spill, single restore" strategy. */
+    ASSERT(res == DRREG_SUCCESS || res == DRREG_ERROR_INVALID_PARAMETER,
+           "failed to unreserve aflags");
+    LOG(4, "\t%s @"PFX"\n", __FUNCTION__, instr_get_app_pc(where));
+}
 
 /***************************************************************************
  * STATE RESTORATION
@@ -553,7 +595,7 @@ event_restore_state(void *drcontext, bool restore_memory, dr_restore_state_info_
  * SCRATCH REGISTER SELECTION
  */
 
-#ifdef X86 /* ARM uses drreg's state restoration */
+#ifdef X86/* ARM uses drreg's state restoration */
 
 # ifdef DEBUG
 static void
@@ -1425,6 +1467,105 @@ fastpath_pre_instrument(void *drcontext, instrlist_t *bb, instr_t *inst, bb_info
 #endif
 }
 
+
+reg_id_t
+reserve_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                 drvector_t *reg_allowed,
+                 DR_PARAM_INOUT fastpath_info_t *mi, DR_PARAM_OUT reg_id_t *reg_out)
+{
+    reg_id_t reg;
+    IF_DEBUG(drreg_status_t res =)
+        drreg_reserve_register(drcontext, ilist, where, reg_allowed, &reg);
+    ASSERT(res == DRREG_SUCCESS, "failed to reserve scratch register");
+    return reg;
+}
+
+void
+unreserve_register(void *drcontext, instrlist_t *ilist, instr_t *where, reg_id_t reg,
+                   DR_PARAM_INOUT fastpath_info_t *mi, bool force_restore_now)
+{
+    IF_DEBUG(drreg_status_t res =)
+        drreg_unreserve_register(drcontext, ilist, where, reg);
+    if (force_restore_now)
+        drreg_get_app_value(drcontext, ilist, where, reg, reg);
+    ASSERT(res == DRREG_SUCCESS, "failed to unreserve scratch register");
+    if (mi != NULL) {
+        if (reg == mi->reg1.reg) {
+            mi->reg1.reg = DR_REG_NULL;
+        } else if (reg == mi->reg2.reg) {
+            mi->reg2.reg = DR_REG_NULL;
+        } else if (reg == mi->reg3.reg) {
+            mi->reg3.reg = DR_REG_NULL;
+        }
+    }
+}
+
+void
+reserve_shared_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                        drvector_t *reg_allowed, DR_PARAM_INOUT fastpath_info_t *mi)
+{
+    ASSERT(mi != NULL && mi->bb != NULL, "shared register requires fastpath & bb info");
+    if (mi->reg1.reg == DR_REG_NULL) {
+        if (mi->bb->shared_reg != DR_REG_NULL)
+            mi->reg1.reg = mi->bb->shared_reg;
+        else {
+            mi->reg1.reg = reserve_register(drcontext, ilist, where, reg_allowed, mi,
+                                        &mi->reg1.reg);
+            mi->bb->shared_reg = mi->reg1.reg;
+        }
+    } else
+        ASSERT(mi->reg1.reg == mi->bb->shared_reg, "shared register inconsistency");
+}
+
+void
+unreserve_shared_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                          DR_PARAM_INOUT fastpath_info_t *mi, DR_PARAM_INOUT bb_info_t *bi)
+{
+    ASSERT(bi != NULL, "shared register requires fastpath && bb info");
+    if (bi->shared_reg != DR_REG_NULL) {
+        unreserve_register(drcontext, ilist, where, bi->shared_reg, NULL, false);
+        bi->shared_reg = DR_REG_NULL;
+        if (mi != NULL) {
+            ASSERT(bi->shared_reg == mi->reg1.reg, "shared register inconsistency");
+            mi->reg1.reg = DR_REG_NULL;
+        }
+    }
+}
+
+#ifdef AARCH64
+bool
+instr_is_spill(void *drcontext, instr_t *inst, reg_id_t *reg_spilled DR_PARAM_OUT)
+{
+    bool spill;
+    drreg_status_t res = drreg_is_instr_spill_or_restore(drcontext, inst, &spill,
+                                                         NULL, reg_spilled);
+    ASSERT(res == DRREG_SUCCESS, "failed to query drreg for spill info");
+    return spill;
+}
+
+bool
+instr_is_restore(void *drcontext, instr_t *inst, reg_id_t *reg_restored DR_PARAM_OUT)
+{
+    bool restore;
+    drreg_status_t res = drreg_is_instr_spill_or_restore(drcontext, inst, NULL,
+                                                         &restore, reg_restored);
+    ASSERT(res == DRREG_SUCCESS, "failed to query drreg for spill info");
+    return restore;
+}
+
+bool
+instr_at_pc_is_restore(void *drcontext, byte *pc)
+{
+    instr_t inst;
+    bool res;
+    instr_init(drcontext, &inst);
+    res = (decode(drcontext, pc, &inst) != NULL &&
+           instr_is_restore(drcontext, &inst, NULL));
+    instr_free(drcontext, &inst);
+    return res;
+}
+#else
+
 bool
 instr_is_spill(instr_t *inst)
 {
@@ -1452,7 +1593,9 @@ instr_at_pc_is_restore(void *drcontext, byte *pc)
     instr_free(drcontext, &inst);
     return res;
 }
+#endif
 
+#ifndef AARCH64
 void
 mark_eflags_used(void *drcontext, instrlist_t *bb, bb_info_t *bi)
 {
@@ -1514,6 +1657,7 @@ mark_scratch_reg_used(void *drcontext, instrlist_t *bb,
     /* Even if global we have to mark the si copy as used too */
     si->used = true;
 }
+#endif
 
 bool
 instr_needs_eflags_restore(instr_t *inst, uint aflags_liveness)
@@ -1533,6 +1677,17 @@ void
 fastpath_pre_app_instr(void *drcontext, instrlist_t *bb, instr_t *inst,
                        bb_info_t *bi, fastpath_info_t *mi)
 {
+#ifdef AARCH64
+    if (!instr_is_app(inst))
+        return;
+    app_pc pc = instr_get_app_pc(inst);
+    if (pc != NULL) {
+        if (bi->first_app_pc == NULL)
+            bi->first_app_pc = pc;
+        bi->last_app_pc = pc;
+    }
+    return;
+#endif
     /* Preserve app semantics wrt global spilled registers */
     /* XXX i#777: gets next instr, and below does liveness analysis w/ forward scan.
      * should use stored info from reverse scan done during analysis phase.
@@ -1684,7 +1839,7 @@ fastpath_pre_app_instr(void *drcontext, instrlist_t *bb, instr_t *inst,
             save_aflags_if_live(drcontext, bb, next, mi, bi);
         }
     }
-#endif /* X86 */
+#endif
 }
 
 void
@@ -1692,6 +1847,50 @@ fastpath_bottom_of_bb(void *drcontext, void *tag, instrlist_t *bb,
                       bb_info_t *bi, bool added_instru, bool translating,
                       bool check_ignore_unaddr)
 {
+#ifdef AARCH64
+    bb_saved_info_t *save;
+    ASSERT(!added_instru || instrlist_first(bb) != NULL, "can't add instru w/o instrs");
+
+    if (!translating) {
+        /* Add to table so we can restore on slowpath or a fault */
+        save = (bb_saved_info_t *) global_alloc(sizeof(*save), HEAPSTAT_PERBB);
+        memset(save, 0, sizeof(*save));
+        save->check_ignore_unaddr = check_ignore_unaddr;
+        /* i#826: share_xl8_max_diff can change, save it. */
+        save->share_xl8_max_diff = bi->share_xl8_max_diff;
+        /* store style of instru rather than ask DR to store xl8.
+         * XXX DRi#772: could add flush callback and avoid this save
+         */
+        save->pattern_4byte_check_only = bi->pattern_4byte_check_only;
+
+        /* we store the size and assume bbs are contiguous so we can free (i#260) */
+        ASSERT(bi->first_app_pc != NULL, "first instr should have app pc");
+        ASSERT(bi->last_app_pc != NULL, "last instr should have app pc");
+        if (bi->is_repstr_to_loop) /* first is +1 hack */
+            bi->first_app_pc = bi->last_app_pc;
+        else {
+            ASSERT(bi->last_app_pc >= bi->first_app_pc,
+                   "bb should be contiguous w/ increasing pcs");
+        }
+        save->bb_size = decode_next_pc(drcontext, bi->last_app_pc) - bi->first_app_pc;
+
+        /* PR 495787: Due to non-precise flushing we can have a flushed bb
+         * removed from the htables and then a new bb created before we received
+         * the deletion event.  We can't tell this apart from duplication due to
+         * thread-private copies: but this mechanism should handle that as well,
+         * since our saved info should be deterministic and identical for each
+         * copy.  Note that we do not want a new "unreachable event" b/c we need
+         * to keep our bb info around in case the semi-flushed bb hits a fault.
+         */
+        hashtable_lock(&bb_table);
+        bb_save_add_entry(tag, save);
+        hashtable_unlock(&bb_table);
+    }
+
+    if (options.pattern == 0)
+        unreserve_shared_register(drcontext, bb, instrlist_last(bb), NULL, bi);
+    return;
+#elif defined(X86)
     instr_t *last = instrlist_last(bb);
     bb_saved_info_t *save;
     if (!whole_bb_spills_enabled())
@@ -1777,4 +1976,5 @@ fastpath_bottom_of_bb(void *drcontext, void *tag, instrlist_t *bb,
         if (bi->reg2.reg != DR_REG_NULL)
             insert_spill_global(drcontext, bb, last, &bi->reg2, false/*restore*/);
     }
+#endif
 }
diff --git a/drmemory/spill.h b/drmemory/spill.h
index 16fe5b4fa..51b9f8670 100644
--- a/drmemory/spill.h
+++ b/drmemory/spill.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -27,13 +27,14 @@
 #ifndef _SPILL_H_
 #define _SPILL_H_ 1
 
+#include "drvector.h"
 #include "fastpath.h"
 
 #ifdef DEBUG
 # ifdef X86
 /* use seg_tls for actual code */
 #  define EXPECTED_SEG_TLS IF_X64_ELSE(SEG_GS, SEG_FS)
-# elif defined(ARM)
+# elif defined(ARM) || defined(AARCH64)
 #  define EXPECTED_SEG_TLS dr_get_stolen_reg()
 # endif /* X86 */
 #endif /* DEBUG */
@@ -50,13 +51,38 @@ extern reg_id_t seg_tls;
 
 /* We separate the TLS slots we use to send params to the slowpath from those
  * used for reg preservation, to make using drreg simpler.
+ * These are slots within our own TLS.
  */
-#define SPILL_SLOT_SLOW_PARAM SPILL_SLOT_5
-#define SPILL_SLOT_SLOW_RET   SPILL_SLOT_6
+#define SPILL_SLOT_SLOW_PARAM SPILL_SLOT_1
+#define SPILL_SLOT_SLOW_RET   SPILL_SLOT_2
+
+void
+reserve_aflags(void *drcontext, instrlist_t *ilist, instr_t *where);
+
+void
+unreserve_aflags(void *drcontext, instrlist_t *ilist, instr_t *where);
 
 int
 spill_reg3_slot(bool eflags_dead, bool eax_dead, bool r1_dead, bool r2_dead);
 
+reg_id_t
+reserve_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                 drvector_t *reg_allowed,
+                 DR_PARAM_INOUT fastpath_info_t *mi, DR_PARAM_OUT reg_id_t *reg_out);
+
+void
+unreserve_register(void *drcontext, instrlist_t *ilist, instr_t *where, reg_id_t reg,
+                   DR_PARAM_INOUT fastpath_info_t *mi, bool force_restore_now);
+
+/* For translation sharing we reserve the same register across the whole bb. */
+void
+reserve_shared_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                        drvector_t *reg_allowed, DR_PARAM_INOUT fastpath_info_t *mi);
+
+void
+unreserve_shared_register(void *drcontext, instrlist_t *ilist, instr_t *where,
+                          DR_PARAM_INOUT fastpath_info_t *mi, DR_PARAM_INOUT bb_info_t *bi);
+
 void
 spill_reg(void *drcontext, instrlist_t *ilist, instr_t *where, reg_id_t reg,
           dr_spill_slot_t slot);
@@ -150,4 +176,12 @@ void
 restore_aflags_if_live(void *drcontext, instrlist_t *bb, instr_t *inst,
                        fastpath_info_t *mi, bb_info_t *bi);
 
+#ifdef AARCH64
+bool
+instr_is_spill(void *drcontext, instr_t *inst, reg_id_t *reg_spilled DR_PARAM_OUT);
+
+bool
+instr_is_restore(void *drcontext, instr_t *inst, reg_id_t *reg_restored DR_PARAM_OUT);
+#endif
+
 #endif /* _SPILL_H_ */
diff --git a/drmemory/stack.c b/drmemory/stack.c
index d114ee6d1..4c1327f9b 100644
--- a/drmemory/stack.c
+++ b/drmemory/stack.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2019 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2008-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -24,7 +24,9 @@
  * STACK ADJUSTMENT HANDLING
  */
 
+#include "instru.h"
 #include "dr_api.h"
+#include "drreg.h"
 #include "drmemory.h"
 #include "slowpath.h"
 #include "spill.h"
@@ -100,7 +102,7 @@ check_stack_size_vs_threshold(void *drcontext, size_t stack_size)
  * If addr is in a small malloc this routine will fail.
  */
 static bool
-get_stack_region_bounds(byte *addr, byte **base OUT, size_t *size OUT)
+get_stack_region_bounds(byte *addr, byte **base DR_PARAM_OUT, size_t *size DR_PARAM_OUT)
 {
     if (is_in_heap_region(addr)) {
         return malloc_large_lookup(addr, base, size);
@@ -346,8 +348,9 @@ handle_esp_adjust(esp_adjust_t type, reg_t val/*either relative delta, or absolu
             }
         } else {
             app_pc sp = (app_pc)mc.xsp - BEYOND_TOS_REDZONE_SIZE;
-            shadow_set_range(delta > 0 ? sp : (sp + delta),
-                             delta > 0 ? (sp + delta) : sp,
+            // TODO: +-16 is right for ldp/ldr, but are there other push pop AArch64 operations?
+            shadow_set_range(delta > 0 ? sp : (sp + delta) ,//IF_AARCH64(+ 16),
+                             delta > 0 ? (sp + delta) : sp, //IF_AARCH64(- 16) : sp,
                              (delta > 0 ? SHADOW_UNADDRESSABLE :
                               ((sp_action == SP_ADJUST_ACTION_DEFINED) ?
                                SHADOW_DEFINED : SHADOW_UNDEFINED)));
@@ -457,14 +460,29 @@ generate_shared_esp_slowpath_helper(void *drcontext, instrlist_t *ilist, app_pc
      *   - scratch2 holds the return address
      * Need retaddr in persistent storage: slot5 is guaranteed free.
      */
+
     PRE(ilist, NULL, XINST_CREATE_store
         (drcontext, spill_slot_opnd(drcontext, esp_spill_slot_base(sp_action)),
          opnd_create_reg(ESP_SLOW_SCRATCH2)));
+
     dr_insert_clean_call(drcontext, ilist, NULL,
                          (void *)handle_esp_adjust_shared_slowpath, false, 2,
                          opnd_create_reg(ESP_SLOW_SCRATCH1), OPND_CREATE_INT32(sp_action));
+
+#ifdef AARCH64
+    /* XXX i#2016: Shared slowpath is not supported for AArch64. */
+    /* XXX: There is no OP_udf support in DR so we build a zero-bit instr. */
+    instr_t *udf = instr_build_bits(drcontext, OP_INVALID, 4);
+    instr_set_raw_byte(udf, 0, 0);
+    instr_set_raw_byte(udf, 1, 0);
+    instr_set_raw_byte(udf, 2, 0);
+    instr_set_raw_byte(udf, 3, 0);
+    instr_set_operands_valid(udf, true);
+    PRE(ilist, NULL, udf);
+#else
     PRE(ilist, NULL, XINST_CREATE_jump_mem
         (drcontext, spill_slot_opnd(drcontext, esp_spill_slot_base(sp_action))));
+#endif
 
     pc = instrlist_encode(drcontext, ilist, pc, false);
     instrlist_clear(drcontext, ilist);
diff --git a/drmemory/stack_arch.h b/drmemory/stack_arch.h
index 2734686d7..b76bff7ab 100644
--- a/drmemory/stack_arch.h
+++ b/drmemory/stack_arch.h
@@ -49,6 +49,9 @@ shared_esp_fastpath[SP_ADJUST_ACTION_FASTPATH_MAX+1][2][ESP_ADJUST_FAST_LAST+1];
 #ifdef X86
 # define ESP_SLOW_SCRATCH1 DR_REG_XCX
 # define ESP_SLOW_SCRATCH2 DR_REG_XDX
+#elif defined(AARCH64)
+# define ESP_SLOW_SCRATCH1 DR_REG_R0
+# define ESP_SLOW_SCRATCH2 DR_REG_R1
 #else
 # define ESP_SLOW_SCRATCH1 DR_REG_R0
 # define ESP_SLOW_SCRATCH2 DR_REG_R1
diff --git a/drmemory/stack_arm.c b/drmemory/stack_arm.c
index b206b5c0b..fc7fda372 100644
--- a/drmemory/stack_arm.c
+++ b/drmemory/stack_arm.c
@@ -34,6 +34,7 @@
 #include "heap.h"
 #include "alloc.h"
 #include "alloc_drmem.h"
+#include "utils.h"
 
 /***************************************************************************/
 
@@ -41,23 +42,89 @@
 bool
 instr_pop_into_esp(instr_t *inst)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
+    if (instr_is_pop(inst)) {
+        bool writes_to_sp = instr_reg_in_dst(inst, DR_REG_XSP);
+
+        if (writes_to_sp)
+            return true;
+    }
     return false;
 }
 
 esp_adjust_t
 get_esp_adjust_type(instr_t *inst, bool mangled)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return ESP_ADJUST_INVALID;
+    uint opc = instr_get_opcode(inst);
+
+    if (!instr_reg_in_dst(inst, DR_REG_XSP))
+        return ESP_ADJUST_INVALID;
+
+    switch (opc) {
+    case OP_movz:
+    case OP_orr:
+    case OP_swp:
+        return ESP_ADJUST_ABSOLUTE;
+    case OP_ret:
+        return ESP_ADJUST_RET_IMMED;
+    case OP_str:
+    case OP_stp:
+    case OP_ldr:
+    case OP_ldp:
+    case OP_ldur:
+        if (instr_reg_in_src(inst, DR_REG_XSP))
+            return ESP_ADJUST_POSITIVE;
+        else
+            return ESP_ADJUST_ABSOLUTE;
+    case OP_add:
+        if (instr_reg_in_src(inst, DR_REG_XSP))
+            return ESP_ADJUST_POSITIVE;
+        else
+            return ESP_ADJUST_ABSOLUTE;
+    case OP_sub:
+        if (instr_reg_in_src(inst, DR_REG_XSP))
+            return ESP_ADJUST_NEGATIVE;
+        else
+            return ESP_ADJUST_ABSOLUTE;
+    case OP_and:
+        if (instr_reg_in_src(inst, DR_REG_XSP))
+            return ESP_ADJUST_AND;
+        else
+            return ESP_ADJUST_ABSOLUTE;
+    default:
+        return ESP_ADJUST_INVALID;
+    }
 }
 
 /* assumes that inst does write to esp */
 bool
 needs_esp_adjust(instr_t *inst, sp_adjust_action_t sp_action)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    return false;
+    /* implicit esp changes (e.g., push and pop) are handled during
+     * the read/write: this is for explicit esp changes.
+     * -leaks_only doesn't care about push, since it writes, or about pop,
+     * since shrinking the stack is ignored there.
+     */
+    uint opc = instr_get_opcode(inst);
+    /* -leaks_only doesn't care about shrinking the stack
+     * technically OP_leave doesn't have to shrink it: we assume it does
+     * (just checking leaks: not huge risk)
+     */
+    if ((sp_action == SP_ADJUST_ACTION_ZERO) &&
+        (opc == OP_ret ||
+         (opc == OP_add && opnd_is_immed_int(instr_get_src(inst, 0)) &&
+          opnd_get_immed_int(instr_get_src(inst, 0)) >= 0) ||
+         (opc == OP_sub && opnd_is_immed_int(instr_get_src(inst, 0)) &&
+          opnd_get_immed_int(instr_get_src(inst, 0)) <= 0)))
+        return false;
+
+
+    /* Ignore "or esp,esp" (PR ) */
+    if (opc == OP_orr && opnd_is_reg(instr_get_src(inst, 0)) &&
+        opnd_is_reg(instr_get_dst(inst, 0)) &&
+        opnd_get_reg(instr_get_src(inst, 0)) == REG_XSP &&
+        opnd_get_reg(instr_get_dst(inst, 0)) == REG_XSP)
+        return false;
+    return true;
 }
 
 /* Instrument an esp modification that is not also a read or write.
@@ -67,60 +134,68 @@ bool
 instrument_esp_adjust_slowpath(void *drcontext, instrlist_t *bb, instr_t *inst,
                                bb_info_t *bi, sp_adjust_action_t sp_action)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    /* Probably a lot of code can be shared with stack_x86.c: it
-     * needs further refactoring.
-     */
-    return false;
-}
 
-/* Handle a fault while zeroing the app stack (PR 570843) */
-bool
-handle_zeroing_fault(void *drcontext, byte *target, dr_mcontext_t *raw_mc,
-                     dr_mcontext_t *mc)
-{
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    /* Probably a lot of code can be shared with stack_x86.c: it
-     * needs further refactoring.
+    /* implicit esp changes (e.g., push and pop) are handled during
+     * the read/write: this is for explicit esp changes
      */
-    return false;
+    int opc = instr_get_opcode(inst);
+    opnd_t arg;
+    esp_adjust_t type;
+    instr_t *skip;
+
+    if (!needs_esp_adjust(inst, sp_action))
+        return false;
+
+    skip = INSTR_CREATE_label(drcontext);
+
+    arg = get_pushpop_offset(inst);
+
+    if (opnd_is_null(arg))
+        ASSERT_NOT_REACHED();
+
+    type = get_esp_adjust_type(inst, false/*!mangled*/);
+    if (type == ESP_ADJUST_INVALID) {
+        tls_util_t *pt = PT_GET(drcontext);
+        ELOGPT(0, pt, "ERROR: new stack-adjusting instr: ");
+        instr_disassemble(drcontext, inst, pt->f);
+        ELOGPT(0, pt, "\n");
+        ASSERT(false, "unhandled stack adjustment");
+    }
+
+    if (opc == OP_stp) {
+        int64 imm = opnd_get_immed_int(arg);
+        imm = imm + ((imm > 0) ? -16 : 16);
+        arg = OPND_CREATE_INT64(imm);
+    }
+
+    dr_insert_clean_call(drcontext, bb, inst,
+                            (void *) handle_esp_adjust,
+                            false, 3, OPND_CREATE_INT32(type), arg, OPND_CREATE_INT32(sp_action));
+
+    PRE(bb, inst, skip);
+    return true;
 }
 
-/* Instrument an esp modification that is not also a read or write
- * Returns whether instrumented
- */
-bool
-instrument_esp_adjust_fastpath(void *drcontext, instrlist_t *bb, instr_t *inst,
-                               bb_info_t *bi, sp_adjust_action_t sp_action)
+
+void
+esp_fastpath_update_swap_threshold(void *drcontext, int new_threshold)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    /* Probably a lot of code can be shared with stack_x86.c: it
-     * needs further refactoring.
-     */
-    return false;
+    ASSERT_NOT_IMPLEMENTED();
 }
 
-/* Note that handle_special_shadow_fault() makes assumptions about the exact
- * instr sequence here so it can find the slowpath entry point
- */
 void
 generate_shared_esp_fastpath_helper(void *drcontext, instrlist_t *bb,
                                     bool eflags_live,
                                     sp_adjust_action_t sp_action,
                                     esp_adjust_t type)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    /* Probably a lot of code can be shared with stack_x86.c: it
-     * needs further refactoring.
-     */
+    ASSERT_NOT_IMPLEMENTED();
 }
 
-/* Caller has made the memory writable and holds a lock */
-void
-esp_fastpath_update_swap_threshold(void *drcontext, int new_threshold)
+bool
+instrument_esp_adjust_fastpath(void *drcontext, instrlist_t *bb, instr_t *inst,
+                               bb_info_t *bi, sp_adjust_action_t sp_action)
 {
-    ASSERT_NOT_IMPLEMENTED(); /* FIXME i#1726: NYI */
-    /* Probably a lot of code can be shared with stack_x86.c: it
-     * needs further refactoring.
-     */
-}
+    ASSERT_NOT_IMPLEMENTED();
+    return false;
+}
\ No newline at end of file
diff --git a/drmemory/syscall_linux.c b/drmemory/syscall_linux.c
index 739364d51..4d95ac5bb 100644
--- a/drmemory/syscall_linux.c
+++ b/drmemory/syscall_linux.c
@@ -118,7 +118,8 @@ handle_clone(void *drcontext, dr_mcontext_t *mc)
                 /* Should be rare so we just do brute force and slow */
                 pc = shadow_prev_dword(newsp, newsp - options.stack_swap_threshold,
                                        SHADOW_UNADDRESSABLE);
-                sz = malloc_chunk_size(pc+1);
+                //unsure about this change
+                sz = malloc_chunk_size(pc+IF_AARCH64_ELSE(4, 1));
                 if (sz > 0) { /* returns -1 on failure */
                     stack_base = pc + 1;
                     stack_size = sz;
diff --git a/drsymcache/drsymcache.c b/drsymcache/drsymcache.c
index 8f0ebe4f3..9d2288796 100644
--- a/drsymcache/drsymcache.c
+++ b/drsymcache/drsymcache.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -706,7 +706,7 @@ drsymcache_init(client_id_t client_id,
 
 DR_EXPORT
 drmf_status_t
-drsymcache_is_initialized(bool *is_initialized OUT)
+drsymcache_is_initialized(bool *is_initialized DR_PARAM_OUT)
 {
     if (is_initialized == NULL)
         return DRMF_ERROR_INVALID_PARAMETER;
@@ -954,7 +954,8 @@ drsymcache_add(const module_data_t *mod, const char *symbol, size_t offs)
 DR_EXPORT
 drmf_status_t
 drsymcache_lookup(const module_data_t *mod, const char *symbol,
-                  size_t **offs_array OUT, uint *num_entries OUT, size_t *offs_single OUT)
+                  size_t **offs_array DR_PARAM_OUT, uint *num_entries DR_PARAM_OUT,
+                  size_t *offs_single DR_PARAM_OUT)
 {
     offset_list_t *olist;
     offset_entry_t *e;
diff --git a/drsymcache/drsymcache.h b/drsymcache/drsymcache.h
index 465be4ff3..3b634b8a3 100755
--- a/drsymcache/drsymcache.h
+++ b/drsymcache/drsymcache.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2011-2014 Google, Inc.  All rights reserved.
+ * Copyright (c) 2011-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -120,7 +120,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsymcache_is_initialized(OUT bool *initialized);
+drsymcache_is_initialized(DR_PARAM_OUT bool *initialized);
 
 DR_EXPORT
 /**
@@ -132,7 +132,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsymcache_module_is_cached(const module_data_t *mod, OUT bool *cached);
+drsymcache_module_is_cached(const module_data_t *mod, DR_PARAM_OUT bool *cached);
 
 DR_EXPORT
 /**
@@ -146,7 +146,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsymcache_module_has_debug_info(const module_data_t *mod, OUT bool *has_debug);
+drsymcache_module_has_debug_info(const module_data_t *mod, DR_PARAM_OUT bool *has_debug);
 
 DR_EXPORT
 /**
@@ -203,8 +203,8 @@ DR_EXPORT
  */
 drmf_status_t
 drsymcache_lookup(const module_data_t *mod, const char *symbol,
-                  OUT size_t **offs_array, OUT uint *num_entries,
-                  OUT size_t *offs_single);
+                  DR_PARAM_OUT size_t **offs_array, DR_PARAM_OUT uint *num_entries,
+                  DR_PARAM_OUT size_t *offs_single);
 
 DR_EXPORT
 /**
diff --git a/drsyscall/aarch64_syscall_num.h b/drsyscall/aarch64_syscall_num.h
new file mode 100644
index 000000000..76c798778
--- /dev/null
+++ b/drsyscall/aarch64_syscall_num.h
@@ -0,0 +1,338 @@
+/* Derived from /usr/include/asm-generic/unistd.h */
+
+#define AARCH64_ni -1
+
+#define AARCH64_io_setup 0
+#define AARCH64_io_destroy 1
+#define AARCH64_io_submit 2
+#define AARCH64_io_cancel 3
+#define AARCH64_io_getevents 4
+#define AARCH64_setxattr 5
+#define AARCH64_lsetxattr 6
+#define AARCH64_fsetxattr 7
+#define AARCH64_getxattr 8
+#define AARCH64_lgetxattr 9
+#define AARCH64_fgetxattr 10
+#define AARCH64_listxattr 11
+#define AARCH64_llistxattr 12
+#define AARCH64_flistxattr 13
+#define AARCH64_removexattr 14
+#define AARCH64_lremovexattr 15
+#define AARCH64_fremovexattr 16
+#define AARCH64_getcwd 17
+#define AARCH64_lookup_dcookie 18
+#define AARCH64_eventfd2 19
+#define AARCH64_epoll_create1 20
+#define AARCH64_epoll_ctl 21
+#define AARCH64_epoll_pwait 22
+#define AARCH64_dup 23
+#define AARCH64_dup3 24
+#define AARCH64_fcntl 25
+#define AARCH64_inotify_init1 26
+#define AARCH64_inotify_add_watch 27
+#define AARCH64_inotify_rm_watch 28
+#define AARCH64_ioctl 29
+#define AARCH64_ioprio_set 30
+#define AARCH64_ioprio_get 31
+#define AARCH64_flock 32
+#define AARCH64_mknodat 33
+#define AARCH64_mkdirat 34
+#define AARCH64_unlinkat 35
+#define AARCH64_symlinkat 36
+#define AARCH64_linkat 37
+#define AARCH64_renameat 38
+#define AARCH64_umount2 39
+#define AARCH64_mount 40
+#define AARCH64_pivot_root 41
+#define AARCH64_nfsservctl 42
+#define AARCH64_statfs 43
+#define AARCH64_fstatfs 44
+#define AARCH64_truncate 45
+#define AARCH64_ftruncate 46
+#define AARCH64_fallocate 47
+#define AARCH64_faccessat 48
+#define AARCH64_chdir 49
+#define AARCH64_fchdir 50
+#define AARCH64_chroot 51
+#define AARCH64_fchmod 52
+#define AARCH64_fchmodat 53
+#define AARCH64_fchownat 54
+#define AARCH64_fchown 55
+#define AARCH64_openat 56
+#define AARCH64_close 57
+#define AARCH64_vhangup 58
+#define AARCH64_pipe2 59
+#define AARCH64_quotactl 60
+#define AARCH64_getdents64 61
+#define AARCH64_lseek 62
+#define AARCH64_read 63
+#define AARCH64_write 64
+#define AARCH64_readv 65
+#define AARCH64_writev 66
+#define AARCH64_pread64 67
+#define AARCH64_pwrite64 68
+#define AARCH64_preadv 69
+#define AARCH64_pwritev 70
+#define AARCH64_sendfile 71
+#define AARCH64_pselect6 72
+#define AARCH64_ppoll 73
+#define AARCH64_signalfd4 74
+#define AARCH64_vmsplice 75
+#define AARCH64_splice 76
+#define AARCH64_tee 77
+#define AARCH64_readlinkat 78
+#define AARCH64_fstatat64 79
+#define AARCH64_fstat 80
+#define AARCH64_sync 81
+#define AARCH64_fsync 82
+#define AARCH64_fdatasync 83
+#define AARCH64_sync_file_range2 84
+#define AARCH64_sync_file_range 84
+#define AARCH64_timerfd_create 85
+#define AARCH64_timerfd_settime 86
+#define AARCH64_timerfd_gettime 87
+#define AARCH64_utimensat 88
+#define AARCH64_acct 89
+#define AARCH64_capget 90
+#define AARCH64_capset 91
+#define AARCH64_personality 92
+#define AARCH64_exit 93
+#define AARCH64_exit_group 94
+#define AARCH64_waitid 95
+#define AARCH64_set_tid_address 96
+#define AARCH64_unshare 97
+#define AARCH64_futex 98
+#define AARCH64_set_robust_list 99
+#define AARCH64_get_robust_list 100
+#define AARCH64_nanosleep 101
+#define AARCH64_getitimer 102
+#define AARCH64_setitimer 103
+#define AARCH64_kexec_load 104
+#define AARCH64_init_module 105
+#define AARCH64_delete_module 106
+#define AARCH64_timer_create 107
+#define AARCH64_timer_gettime 108
+#define AARCH64_timer_getoverrun 109
+#define AARCH64_timer_settime 110
+#define AARCH64_timer_delete 111
+#define AARCH64_clock_settime 112
+#define AARCH64_clock_gettime 113
+#define AARCH64_clock_getres 114
+#define AARCH64_clock_nanosleep 115
+#define AARCH64_syslog 116
+#define AARCH64_ptrace 117
+#define AARCH64_sched_setparam 118
+#define AARCH64_sched_setscheduler 119
+#define AARCH64_sched_getscheduler 120
+#define AARCH64_sched_getparam 121
+#define AARCH64_sched_setaffinity 122
+#define AARCH64_sched_getaffinity 123
+#define AARCH64_sched_yield 124
+#define AARCH64_sched_get_priority_max 125
+#define AARCH64_sched_get_priority_min 126
+#define AARCH64_sched_rr_get_interval 127
+#define AARCH64_restart_syscall 128
+#define AARCH64_kill 129
+#define AARCH64_tkill 130
+#define AARCH64_tgkill 131
+#define AARCH64_sigaltstack 132
+#define AARCH64_rt_sigsuspend 133
+#define AARCH64_rt_sigaction 134
+#define AARCH64_rt_sigprocmask 135
+#define AARCH64_rt_sigpending 136
+#define AARCH64_rt_sigtimedwait 137
+#define AARCH64_rt_sigqueueinfo 138
+#define AARCH64_rt_sigreturn 139
+#define AARCH64_setpriority 140
+#define AARCH64_getpriority 141
+#define AARCH64_reboot 142
+#define AARCH64_setregid 143
+#define AARCH64_setgid 144
+#define AARCH64_setreuid 145
+#define AARCH64_setuid 146
+#define AARCH64_setresuid 147
+#define AARCH64_getresuid 148
+#define AARCH64_setresgid 149
+#define AARCH64_getresgid 150
+#define AARCH64_setfsuid 151
+#define AARCH64_setfsgid 152
+#define AARCH64_times 153
+#define AARCH64_setpgid 154
+#define AARCH64_getpgid 155
+#define AARCH64_getsid 156
+#define AARCH64_setsid 157
+#define AARCH64_getgroups 158
+#define AARCH64_setgroups 159
+#define AARCH64_uname 160
+#define AARCH64_sethostname 161
+#define AARCH64_setdomainname 162
+#define AARCH64_getrlimit 163
+#define AARCH64_setrlimit 164
+#define AARCH64_getrusage 165
+#define AARCH64_umask 166
+#define AARCH64_prctl 167
+#define AARCH64_getcpu 168
+#define AARCH64_gettimeofday 169
+#define AARCH64_settimeofday 170
+#define AARCH64_adjtimex 171
+#define AARCH64_getpid 172
+#define AARCH64_getppid 173
+#define AARCH64_getuid 174
+#define AARCH64_geteuid 175
+#define AARCH64_getgid 176
+#define AARCH64_getegid 177
+#define AARCH64_gettid 178
+#define AARCH64_sysinfo 179
+#define AARCH64_mq_open 180
+#define AARCH64_mq_unlink 181
+#define AARCH64_mq_timedsend 182
+#define AARCH64_mq_timedreceive 183
+#define AARCH64_mq_notify 184
+#define AARCH64_mq_getsetattr 185
+#define AARCH64_msgget 186
+#define AARCH64_msgctl 187
+#define AARCH64_msgrcv 188
+#define AARCH64_msgsnd 189
+#define AARCH64_semget 190
+#define AARCH64_semctl 191
+#define AARCH64_semtimedop 192
+#define AARCH64_semop 193
+#define AARCH64_shmget 194
+#define AARCH64_shmctl 195
+#define AARCH64_shmat 196
+#define AARCH64_shmdt 197
+#define AARCH64_socket 198
+#define AARCH64_socketpair 199
+#define AARCH64_bind 200
+#define AARCH64_listen 201
+#define AARCH64_accept 202
+#define AARCH64_connect 203
+#define AARCH64_getsockname 204
+#define AARCH64_getpeername 205
+#define AARCH64_sendto 206
+#define AARCH64_recvfrom 207
+#define AARCH64_setsockopt 208
+#define AARCH64_getsockopt 209
+#define AARCH64_shutdown 210
+#define AARCH64_sendmsg 211
+#define AARCH64_recvmsg 212
+#define AARCH64_readahead 213
+#define AARCH64_brk 214
+#define AARCH64_munmap 215
+#define AARCH64_mremap 216
+#define AARCH64_add_key 217
+#define AARCH64_request_key 218
+#define AARCH64_keyctl 219
+#define AARCH64_clone 220
+#define AARCH64_execve 221
+#define AARCH64_mmap 222
+#define AARCH64_fadvise64 223
+#define AARCH64_swapon 224
+#define AARCH64_swapoff 225
+#define AARCH64_mprotect 226
+#define AARCH64_msync 227
+#define AARCH64_mlock 228
+#define AARCH64_munlock 229
+#define AARCH64_mlockall 230
+#define AARCH64_munlockall 231
+#define AARCH64_mincore 232
+#define AARCH64_madvise 233
+#define AARCH64_remap_file_pages 234
+#define AARCH64_mbind 235
+#define AARCH64_get_mempolicy 236
+#define AARCH64_set_mempolicy 237
+#define AARCH64_migrate_pages 238
+#define AARCH64_move_pages 239
+#define AARCH64_rt_tgsigqueueinfo 240
+#define AARCH64_perf_event_open 241
+#define AARCH64_accept4 242
+#define AARCH64_recvmmsg 243
+#define AARCH64_arch_specific_syscall 244
+#define AARCH64_wait4 260
+#define AARCH64_prlimit64 261
+#define AARCH64_fanotify_init 262
+#define AARCH64_fanotify_mark 263
+#define AARCH64_name_to_handle_at         264
+#define AARCH64_open_by_handle_at         265
+#define AARCH64_clock_adjtime 266
+#define AARCH64_syncfs 267
+#define AARCH64_setns 268
+#define AARCH64_sendmmsg 269
+#define AARCH64_process_vm_readv 270
+#define AARCH64_process_vm_writev 271
+#define AARCH64_kcmp 272
+#define AARCH64_finit_module 273
+#define AARCH64_sched_setattr 274
+#define AARCH64_sched_getattr 275
+#define AARCH64_renameat2 276
+#define AARCH64_seccomp 277
+#define AARCH64_getrandom 278
+#define AARCH64_memfd_create 279
+#define AARCH64_bpf 280
+#define AARCH64_execveat 281
+#define AARCH64_userfaultfd 282
+#define AARCH64_membarrier 283
+#define AARCH64_mlock2 284
+#define AARCH64_copy_file_range 285
+#define AARCH64_preadv2 286
+#define AARCH64_pwritev2 287
+#define AARCH64_pkey_mprotect 288
+#define AARCH64_pkey_alloc 289
+#define AARCH64_pkey_free 290
+#define AARCH64_statx 291
+#define AARCH64_open 1024
+#define AARCH64_link 1025
+#define AARCH64_unlink 1026
+#define AARCH64_mknod 1027
+#define AARCH64_chmod 1028
+#define AARCH64_chown 1029
+#define AARCH64_mkdir 1030
+#define AARCH64_rmdir 1031
+#define AARCH64_lchown 1032
+#define AARCH64_access 1033
+#define AARCH64_rename 1034
+#define AARCH64_readlink 1035
+#define AARCH64_symlink 1036
+#define AARCH64_utimes 1037
+#define AARCH64_stat 1038
+#define AARCH64_lstat 1039
+#define AARCH64_pipe 1040
+#define AARCH64_dup2 1041
+#define AARCH64_epoll_create 1042
+#define AARCH64_inotify_init 1043
+#define AARCH64_eventfd 1044
+#define AARCH64_signalfd 1045
+#define AARCH64_sendfile64 1046
+#define AARCH64_ftruncate64 1047
+#define AARCH64_truncate64 1048
+#define AARCH64_stat64 1049
+#define AARCH64_lstat64 1050
+#define AARCH64_fstat64 1051
+#define AARCH64_fcntl64 1052
+#define AARCH64_fadvise64_64 1053
+#define AARCH64_newfstatat 1054
+#define AARCH64_fstatfs64 1055
+#define AARCH64_statfs64 1056
+#define AARCH64_llseek 1057
+#define AARCH64_mmap2 1058
+#define AARCH64_alarm 1059
+#define AARCH64_getpgrp 1060
+#define AARCH64_pause 1061
+#define AARCH64_time 1062
+#define AARCH64_utime 1063
+#define AARCH64_creat 1064
+#define AARCH64_getdents 1065
+#define AARCH64_futimesat 1066
+#define AARCH64_select 1067
+#define AARCH64_poll 1068
+#define AARCH64_epoll_wait 1069
+#define AARCH64_ustat 1070
+#define AARCH64_vfork 1071
+#define AARCH64_oldwait4 1072
+#define AARCH64_recv 1073
+#define AARCH64_send 1074
+#define AARCH64_bdflush 1075
+#define AARCH64_umount 1076
+#define AARCH64_uselib 1077
+#define AARCH64_sysctl 1078
+#define AARCH64_fork 1079
diff --git a/drsyscall/drsyscall.c b/drsyscall/drsyscall.c
index 36ffd65de..7a212ce4e 100644
--- a/drsyscall/drsyscall.c
+++ b/drsyscall/drsyscall.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -122,7 +122,7 @@ static int drsys_init_count;
 void *systable_lock;
 
 static drsys_param_type_t
-map_to_exported_type(uint sysarg_type, size_t *sz_out OUT);
+map_to_exported_type(uint sysarg_type, size_t *sz_out DR_PARAM_OUT);
 
 /***************************************************************************
  * SYSTEM CALLS
@@ -216,7 +216,7 @@ check_syscall_gateway(instr_t *inst)
 
 DR_EXPORT
 drmf_status_t
-drsys_number_to_syscall(drsys_sysnum_t sysnum, drsys_syscall_t **syscall OUT)
+drsys_number_to_syscall(drsys_sysnum_t sysnum, drsys_syscall_t **syscall DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo = syscall_lookup(sysnum, true/*resolve 2ndary*/);
     if (syscall == NULL)
@@ -232,7 +232,7 @@ drsys_number_to_syscall(drsys_sysnum_t sysnum, drsys_syscall_t **syscall OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_name_to_syscall(const char *name, drsys_syscall_t **syscall OUT)
+drsys_name_to_syscall(const char *name, drsys_syscall_t **syscall DR_PARAM_OUT)
 {
     drsys_sysnum_t sysnum;
     syscall_info_t *sysinfo;
@@ -331,7 +331,7 @@ static const syscall_info_t unknown_info_template =
 
 DR_EXPORT
 drmf_status_t
-drsys_syscall_is_known(drsys_syscall_t *syscall, bool *known OUT)
+drsys_syscall_is_known(drsys_syscall_t *syscall, bool *known DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo = (syscall_info_t *) syscall;
     if (syscall == NULL || known == NULL)
@@ -418,7 +418,7 @@ handle_pre_unknown_syscall(void *drcontext, cls_syscall_t *cpt,
                 sysnum.number, sysnum.secondary, i, start);
             if (ALIGNED(start, 4) && is_byte_addressable(start)) {
                 /* This looks like a memory parameter.  It might contain OUT
-                 * values mixed with IN, so we do not stop at the first undefined
+                 * values mixed with DR_PARAM_IN, so we do not stop at the first undefined
                  * byte: instead we stop at an unaddr or at the max size.
                  * We need two passes to know how far we can safely read,
                  * so we go ahead and use dynamically sized memory as well.
@@ -621,7 +621,7 @@ get_cur_syscall(cls_syscall_t *pt)
 
 DR_EXPORT
 drmf_status_t
-drsys_cur_syscall(void *drcontext, drsys_syscall_t **syscall OUT)
+drsys_cur_syscall(void *drcontext, drsys_syscall_t **syscall DR_PARAM_OUT)
 {
     cls_syscall_t *pt = (cls_syscall_t *) drmgr_get_cls_field(drcontext, cls_idx_drsys);
     if (drcontext == NULL || syscall == NULL)
@@ -632,7 +632,7 @@ drsys_cur_syscall(void *drcontext, drsys_syscall_t **syscall OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_syscall_succeeded(drsys_syscall_t *syscall, reg_t result, bool *success OUT)
+drsys_syscall_succeeded(drsys_syscall_t *syscall, reg_t result, bool *success DR_PARAM_OUT)
 {
 #ifdef MACOS
     /* XXX: we actually could return a value for Mach syscalls */
@@ -651,7 +651,8 @@ drsys_syscall_succeeded(drsys_syscall_t *syscall, reg_t result, bool *success OU
 
 static void
 get_syscall_result(syscall_info_t *sysinfo, cls_syscall_t *pt,
-                   OUT bool *success, OUT uint64 *value, OUT uint *error_code)
+                   DR_PARAM_OUT bool *success, DR_PARAM_OUT uint64 *value,
+                   DR_PARAM_OUT uint *error_code)
 {
     bool res = os_syscall_succeeded(sysinfo->num, sysinfo, pt);
     dr_mcontext_t *mc = &pt->mc;
@@ -684,8 +685,8 @@ get_syscall_result(syscall_info_t *sysinfo, cls_syscall_t *pt,
 
 DR_EXPORT
 drmf_status_t
-drsys_cur_syscall_result(void *drcontext, OUT bool *success, OUT uint64 *value,
-                         OUT uint *error_code)
+drsys_cur_syscall_result(void *drcontext, DR_PARAM_OUT bool *success,
+                         DR_PARAM_OUT uint64 *value, DR_PARAM_OUT uint *error_code)
 {
     cls_syscall_t *pt;
     syscall_info_t *sysinfo;
@@ -699,7 +700,7 @@ drsys_cur_syscall_result(void *drcontext, OUT bool *success, OUT uint64 *value,
 
 DR_EXPORT
 drmf_status_t
-drsys_pre_syscall_arg(void *drcontext, uint argnum, ptr_uint_t *value OUT)
+drsys_pre_syscall_arg(void *drcontext, uint argnum, ptr_uint_t *value DR_PARAM_OUT)
 {
     cls_syscall_t *pt = (cls_syscall_t *) drmgr_get_cls_field(drcontext, cls_idx_drsys);
     if (value == NULL || argnum >= SYSCALL_NUM_ARG_STORE)
@@ -710,7 +711,7 @@ drsys_pre_syscall_arg(void *drcontext, uint argnum, ptr_uint_t *value OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_pre_syscall_arg64(void *drcontext, uint argnum, uint64 *value OUT)
+drsys_pre_syscall_arg64(void *drcontext, uint argnum, uint64 *value DR_PARAM_OUT)
 {
     cls_syscall_t *pt = (cls_syscall_t *) drmgr_get_cls_field(drcontext, cls_idx_drsys);
     if (value == NULL || argnum >= SYSCALL_NUM_ARG_STORE)
@@ -721,7 +722,7 @@ drsys_pre_syscall_arg64(void *drcontext, uint argnum, uint64 *value OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_syscall_name(drsys_syscall_t *syscall, const char **name OUT)
+drsys_syscall_name(drsys_syscall_t *syscall, const char **name DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo = (syscall_info_t *) syscall;
     if (syscall == NULL || name == NULL)
@@ -732,7 +733,7 @@ drsys_syscall_name(drsys_syscall_t *syscall, const char **name OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_syscall_number(drsys_syscall_t *syscall, drsys_sysnum_t *sysnum OUT)
+drsys_syscall_number(drsys_syscall_t *syscall, drsys_sysnum_t *sysnum DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo = (syscall_info_t *) syscall;
     if (syscall == NULL || sysnum == NULL)
@@ -743,7 +744,7 @@ drsys_syscall_number(drsys_syscall_t *syscall, drsys_sysnum_t *sysnum OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_get_mcontext(void *drcontext, dr_mcontext_t **mc OUT)
+drsys_get_mcontext(void *drcontext, dr_mcontext_t **mc DR_PARAM_OUT)
 {
     cls_syscall_t *pt = (cls_syscall_t *) drmgr_get_cls_field(drcontext, cls_idx_drsys);
     if (mc == NULL)
@@ -754,7 +755,7 @@ drsys_get_mcontext(void *drcontext, dr_mcontext_t **mc OUT)
 
 DR_EXPORT
 drmf_status_t
-drsys_syscall_return_type(drsys_syscall_t *syscall, drsys_param_type_t *type OUT)
+drsys_syscall_return_type(drsys_syscall_t *syscall, drsys_param_type_t *type DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo = (syscall_info_t *) syscall;
     if (syscall == NULL || type == NULL)
@@ -851,7 +852,7 @@ mode_from_flags(uint arg_flags)
 }
 
 static drsys_param_type_t
-map_to_exported_type(uint sysarg_type, size_t *sz_out OUT)
+map_to_exported_type(uint sysarg_type, size_t *sz_out DR_PARAM_OUT)
 {
     size_t sz = 0;
     drsys_param_type_t type = (drsys_param_type_t) sysarg_type;
@@ -1609,7 +1610,7 @@ process_post_syscall_reads_and_writes(cls_syscall_t *pt, sysarg_iter_info_t *ii)
 
 static syscall_info_t *
 get_sysinfo(void *drcontext, cls_syscall_t *pt, int initial_num,
-            drsys_sysnum_t *sysnum OUT)
+            drsys_sysnum_t *sysnum DR_PARAM_OUT)
 {
     syscall_info_t *sysinfo;
     ASSERT(sysnum != NULL, "invalid param");
diff --git a/drsyscall/drsyscall.h b/drsyscall/drsyscall.h
index 93ec1c3bd..a3c9759c3 100755
--- a/drsyscall/drsyscall.h
+++ b/drsyscall/drsyscall.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2019 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -551,7 +551,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_name_to_syscall(const char *name, OUT drsys_syscall_t **syscall);
+drsys_name_to_syscall(const char *name, DR_PARAM_OUT drsys_syscall_t **syscall);
 
 DR_EXPORT
 /**
@@ -567,7 +567,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_number_to_syscall(drsys_sysnum_t sysnum, OUT drsys_syscall_t **syscall);
+drsys_number_to_syscall(drsys_sysnum_t sysnum, DR_PARAM_OUT drsys_syscall_t **syscall);
 
 DR_EXPORT
 /**
@@ -582,7 +582,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_name(drsys_syscall_t *syscall, OUT const char **name);
+drsys_syscall_name(drsys_syscall_t *syscall, DR_PARAM_OUT const char **name);
 
 DR_EXPORT
 /**
@@ -597,7 +597,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_number(drsys_syscall_t *syscall, OUT drsys_sysnum_t *sysnum);
+drsys_syscall_number(drsys_syscall_t *syscall, DR_PARAM_OUT drsys_sysnum_t *sysnum);
 
 DR_EXPORT
 /**
@@ -612,7 +612,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_type(drsys_syscall_t *syscall, OUT drsys_syscall_type_t *type);
+drsys_syscall_type(drsys_syscall_t *syscall, DR_PARAM_OUT drsys_syscall_type_t *type);
 
 DR_EXPORT
 /**
@@ -627,7 +627,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_is_known(drsys_syscall_t *syscall, OUT bool *known);
+drsys_syscall_is_known(drsys_syscall_t *syscall, DR_PARAM_OUT bool *known);
 
 DR_EXPORT
 /**
@@ -657,7 +657,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_succeeded(drsys_syscall_t *syscall, reg_t result, OUT bool *success);
+drsys_syscall_succeeded(drsys_syscall_t *syscall, reg_t result, DR_PARAM_OUT bool *success);
 
 DR_EXPORT
 /**
@@ -678,7 +678,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_syscall_return_type(drsys_syscall_t *syscall, OUT drsys_param_type_t *type);
+drsys_syscall_return_type(drsys_syscall_t *syscall, DR_PARAM_OUT drsys_param_type_t *type);
 
 #ifdef WINDOWS
 DR_EXPORT
@@ -747,7 +747,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_cur_syscall(void *drcontext, OUT drsys_syscall_t **syscall);
+drsys_cur_syscall(void *drcontext, DR_PARAM_OUT drsys_syscall_t **syscall);
 
 DR_EXPORT
 /**
@@ -779,8 +779,8 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_cur_syscall_result(void *drcontext, OUT bool *success, OUT uint64 *value,
-                         OUT uint *error_code);
+drsys_cur_syscall_result(void *drcontext, DR_PARAM_OUT bool *success, DR_PARAM_OUT uint64 *value,
+                         DR_PARAM_OUT uint *error_code);
 
 DR_EXPORT
 /**
@@ -807,7 +807,7 @@ DR_EXPORT
  * slot.
  */
 drmf_status_t
-drsys_pre_syscall_arg(void *drcontext, uint argnum, OUT ptr_uint_t *value);
+drsys_pre_syscall_arg(void *drcontext, uint argnum, DR_PARAM_OUT ptr_uint_t *value);
 
 DR_EXPORT
 /**
@@ -829,7 +829,7 @@ DR_EXPORT
  * slot.
  */
 drmf_status_t
-drsys_pre_syscall_arg64(void *drcontext, uint argnum, OUT uint64 *value);
+drsys_pre_syscall_arg64(void *drcontext, uint argnum, DR_PARAM_OUT uint64 *value);
 
 DR_EXPORT
 /**
@@ -851,7 +851,7 @@ DR_EXPORT
  * \return success code.
  */
 drmf_status_t
-drsys_get_mcontext(void *drcontext, OUT dr_mcontext_t **mc);
+drsys_get_mcontext(void *drcontext, DR_PARAM_OUT dr_mcontext_t **mc);
 
 
 /***************************************************************************
@@ -1000,7 +1000,8 @@ DR_EXPORT
  * \note Windows-only.
  */
 drmf_status_t
-drsys_find_sysnum_libs(OUT char **sysnum_lib_paths, INOUT size_t *num_sysnum_libs);
+drsys_find_sysnum_libs(DR_PARAM_OUT char **sysnum_lib_paths,
+                       DR_PARAM_INOUT size_t *num_sysnum_libs);
 
 DR_EXPORT
 /**
diff --git a/drsyscall/drsyscall_linux.c b/drsyscall/drsyscall_linux.c
index fc79c3dd7..f8c3261cd 100644
--- a/drsyscall/drsyscall_linux.c
+++ b/drsyscall/drsyscall_linux.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2016 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2009-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -182,7 +182,7 @@ drsyscall_os_module_load(void *drcontext, const module_data_t *info, bool loaded
 }
 
 bool
-os_syscall_get_num(const char *name, drsys_sysnum_t *num_out OUT)
+os_syscall_get_num(const char *name, drsys_sysnum_t *num_out DR_PARAM_OUT)
 {
     drsys_sysnum_t *num = (drsys_sysnum_t *)
         hashtable_lookup(&name2num_table, (void *)name);
@@ -246,7 +246,7 @@ drsyscall_os_get_sysparam_location(cls_syscall_t *pt, uint argnum, drsys_arg_t *
 }
 
 drmf_status_t
-drsys_syscall_type(drsys_syscall_t *syscall, drsys_syscall_type_t *type OUT)
+drsys_syscall_type(drsys_syscall_t *syscall, drsys_syscall_type_t *type DR_PARAM_OUT)
 {
     if (syscall == NULL || type == NULL)
         return DRMF_ERROR_INVALID_PARAMETER;
diff --git a/drsyscall/drsyscall_os.h b/drsyscall/drsyscall_os.h
index 6553c6013..b203d27b3 100644
--- a/drsyscall/drsyscall_os.h
+++ b/drsyscall/drsyscall_os.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2010-2019 Google, Inc.  All rights reserved.
+ * Copyright (c) 2010-2024 Google, Inc.  All rights reserved.
  * Copyright (c) 2007-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
@@ -449,7 +449,7 @@ os_syscall_ret_small_write_last(syscall_info_t *info, ptr_int_t res);
 #endif
 
 bool
-os_syscall_get_num(const char *name, drsys_sysnum_t *num OUT);
+os_syscall_get_num(const char *name, drsys_sysnum_t *num DR_PARAM_OUT);
 
 uint
 sysnum_hash(void *val);
diff --git a/dynamorio b/dynamorio
index 44312ad1c..560092b24 160000
--- a/dynamorio
+++ b/dynamorio
@@ -1 +1 @@
-Subproject commit 44312ad1c80eb194bf426b317e26342fcb97f086
+Subproject commit 560092b24062fd6227a1f2c22c7b3d9a373b720e
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index d82c5f351..cadc0a36b 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -142,16 +142,6 @@ function(set_props target)
   endif ()
 endfunction(set_props)
 
-function(append_link_flags target newflags)
-  get_target_property(cur_ldflags ${target} LINK_FLAGS)
-  # cmake should add an APPEND option
-  if (NOT cur_ldflags)
-    set(cur_ldflags "")
-  endif (NOT cur_ldflags)
-  set_target_properties(${target} PROPERTIES
-    LINK_FLAGS "${cur_ldflags} ${newflags}")
-endfunction(append_link_flags)
-
 function(tobuild name source)
   set(srcs ${source} ${ARGN})
 
@@ -167,12 +157,6 @@ function(tobuild name source)
 
   add_executable(${name} ${srcs})
   set_props(${name})
-  if (UNIX)
-    # Older CMake would add this for us, but no longer.  We want global syms
-    # in .dynsym for all our executables, so our tests can use dr_get_proc_address()
-    # to find them.
-    append_link_flags(${name} "-rdynamic")
-  endif ()
 
   if ("${srccode}" MATCHES "ifndef ASM_CODE_ONLY")
     if ("${CMAKE_GENERATOR}" MATCHES "Visual Studio")
@@ -182,6 +166,16 @@ function(tobuild name source)
   copy_target_to_device(${name})
 endfunction(tobuild)
 
+function(append_link_flags target newflags)
+  get_target_property(cur_ldflags ${target} LINK_FLAGS)
+  # cmake should add an APPEND option
+  if (NOT cur_ldflags)
+    set(cur_ldflags "")
+  endif (NOT cur_ldflags)
+  set_target_properties(${target} PROPERTIES
+    LINK_FLAGS "${cur_ldflags} ${newflags}")
+endfunction(append_link_flags)
+
 function(tobuild_lib name source cust_flags cust_link)
   add_library(${name} SHARED ${source})
   set_props(${name})
@@ -228,7 +222,11 @@ if (NOT UNIX)
   # We also avoid msvcrt*.dll differences by using static libc (/MT).
   # But for cygwin to find operators we need /MD (until we have online
   # syms)
-  set(LIBC_FLAG "/MT")
+  if (USE_DRSYMS)
+    set(LIBC_FLAG "/MT")
+  else (USE_DRSYMS)
+    set(LIBC_FLAG "/MD")
+  endif (USE_DRSYMS)
   string(TOUPPER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_UPPER)
   string(REGEX REPLACE "/MDd?" "${LIBC_FLAG}" CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE_UPPER}
     "${CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE_UPPER}}")
@@ -310,7 +308,11 @@ function(newtest_nobuild_allparams test exe test_ops drmem_ops dr_ops postproces
   # script ops last since using as hack for nudge test app
   # we request callstacks w/ file:line on separate line for matching our templates
   # we include absaddr and mod+offs for easier debugging of problems
-  set(drmem_ops -callstack_style 0x27 -no_results_to_stderr ${drmem_ops})
+  if (USE_DRSYMS)
+    set(drmem_ops -callstack_style 0x27 -no_results_to_stderr ${drmem_ops})
+  else (USE_DRSYMS)
+    set(drmem_ops -callstack_style 0x27 ${drmem_ops})
+  endif (USE_DRSYMS)
   if (NOT "${drmem_ops}" STREQUAL "")
     set(cmd ${cmd} ${drmem_ops})
   endif ()
@@ -380,6 +382,7 @@ function(newtest_nobuild_allparams test exe test_ops drmem_ops dr_ops postproces
     -D resmark:STRING=${resmark}
     -D nudge:STRING=${nudge}
     -D VMKERNEL:BOOL=${VMKERNEL}
+    -D USE_DRSYMS:BOOL=${USE_DRSYMS}
     -D X64:BOOL=${X64}
     -D ARM:BOOL=${ARM}
     -D ANDROID:BOOL=${ANDROID}
@@ -521,10 +524,6 @@ newtest_ex(operators operators.cpp "" "${operators_drm_ops}" "${operators_dr_ops
   "ANY")
 newtest(float float.c)
 newtest(selfmod selfmod.c)
-if (LINUX)
-  newtest(mmap mmap.c)
-  target_link_libraries(mmap drmemory_annotations)
-endif ()
 newtest(patterns patterns.c)
 newtest_ex(state state.c "" "" "" OFF "" "ANY")
 
@@ -684,9 +683,11 @@ if (TOOL_DR_MEMORY)
   newtest_nobuild(reachable cs2bug "" "-show_reachable" "" OFF "")
   newtest_nobuild(malloc_callstacks cs2bug "" "-light;-malloc_callstacks" ""
     OFF "cs2bug.light")
-  if (NOT X64) # FIXME i#111: failing on Travis
-    newtest_nobuild(nosymcache malloc "" "-no_use_symcache" "" OFF malloc)
-  endif ()
+  if (USE_DRSYMS)
+    if (NOT X64) # FIXME i#111: failing on Travis
+      newtest_nobuild(nosymcache malloc "" "-no_use_symcache" "" OFF malloc)
+    endif ()
+  endif (USE_DRSYMS)
   if (NOT ARM AND NOT AARCH64) # XXX i#1726: port to ARM + i#2016 port to AArch64
     newtest_nobuild(strict_bitops bitfield "" "-strict_bitops" "" OFF "bitfield.strict")
   endif ()
@@ -770,22 +771,38 @@ if (TOOL_DR_MEMORY)
     set(supp_fileB "{DRMEMORY_CTEST_SRC_DIR}/suppressB.win.suppress")
   endif (UNIX)
   # test multiple supp files (i#574)
-  newtest_nobuild(suppress suppress ""
-    "-suppress;${supp_fileA};-suppress;${supp_fileB};-no_callstack_exe_hide;-callstack_modname_hide;;"
-    "" OFF "")
+  if (USE_DRSYMS)
+    newtest_nobuild(suppress suppress ""
+      "-suppress;${supp_fileA};-suppress;${supp_fileB};-no_callstack_exe_hide;-callstack_modname_hide;;"
+      "" OFF "")
+  else (USE_DRSYMS)
+    newtest_nobuild(suppress suppress ""
+      "-suppress;${supp_fileA};-suppress;${supp_fileB}" "" OFF "")
+  endif (USE_DRSYMS)
 
   # i#80: test suppression file generation and use via multiple runs
   # since we need the name of the suppress file, runtest.cmake must do
   # the second run.  it looks for "suppress" with no "-suppress" option,
   # rather than taking explicit params, and for the 2nd run uses the
   # suppress output files
-  newtest_nobuild(suppress-genoffs suppress ""
-    "-no_gen_suppress_syms;-no_callstack_exe_hide;-callstack_modname_hide;;" "" OFF "")
-  newtest_nobuild(suppress-gensyms suppress ""
-    "-no_gen_suppress_offs;-no_callstack_exe_hide;-callstack_modname_hide;;" "" OFF "")
+  if (USE_DRSYMS)
+    newtest_nobuild(suppress-genoffs suppress ""
+      "-no_gen_suppress_syms;-no_callstack_exe_hide;-callstack_modname_hide;;" "" OFF "")
+    newtest_nobuild(suppress-gensyms suppress ""
+      "-no_gen_suppress_offs;-no_callstack_exe_hide;-callstack_modname_hide;;" "" OFF "")
+  else (USE_DRSYMS)
+    newtest_nobuild(suppress-genoffs suppress "" "-no_gen_suppress_syms" "" OFF "")
+    newtest_nobuild(suppress-gensyms suppress "" "-no_gen_suppress_offs" "" OFF "")
+  endif (USE_DRSYMS)
 
   set(nudge_test_args "")
 
+  # FIXME i#446: no support yet for post-process w/ drsyms
+  if (UNIX AND NOT USE_DRSYMS)
+    # test -skip_results + -results (PR 575481)
+    newtest_nobuild(skip-results malloc "" "-skip_results" "" ON "")
+  endif ()
+
   # For -perturb_only we do not have a .res file so that runtest.cmake
   # won't wait for a message showing that results are ready
   # FIXME i#715: perturb is flaky on the bots.
@@ -1080,7 +1097,7 @@ else ()
       "procterm.addronly" 0)
   endif (WIN32)
 
-  if (NOT ARM) # i#1726: no shadow yet on ARM
+  if (NOT ARM AND NOT AARCH64) # i#1726: no shadow yet on ARM
     # shadow light testing
     newtest_nobuild_ex(hello.shadow hello "" "-pattern;0" "" OFF "hello" 0 "")
     newtest_nobuild_ex(free.shadow free "" "-pattern;0" "" OFF "free" 0 "")
diff --git a/tests/framework/drsyscall_client.c b/tests/framework/drsyscall_client.c
index 65d50bf92..198ad2f9f 100644
--- a/tests/framework/drsyscall_client.c
+++ b/tests/framework/drsyscall_client.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2020 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2022 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -70,7 +70,7 @@ check_mcontext(void *drcontext)
     mc_DR.size = sizeof(mc_DR);
     mc_DR.flags = DR_MC_INTEGER|DR_MC_CONTROL;
     dr_get_mcontext(drcontext, &mc_DR);
-    /* i#2016 aarch64: TODO: add more asserts for aarch64? */
+    /* XXX i#2016: Add more asserts for aarch64? */
     ASSERT(mc->IF_AARCHXX_ELSE(r7,xdi) == mc_DR.IF_AARCHXX_ELSE(r7,xdi), "mc check");
     ASSERT(mc->IF_AARCHXX_ELSE(r6,xsi) == mc_DR.IF_AARCHXX_ELSE(r6,xsi), "mc check");
     ASSERT(mc->IF_AARCHXX_ELSE(r5,xbp) == mc_DR.IF_AARCHXX_ELSE(r5,xbp), "mc check");
diff --git a/tests/framework/umbra_client_consistency.c b/tests/framework/umbra_client_consistency.c
index a97976598..e0557836a 100644
--- a/tests/framework/umbra_client_consistency.c
+++ b/tests/framework/umbra_client_consistency.c
@@ -1,5 +1,5 @@
 /* **************************************************************
- * Copyright (c) 2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2017-2024 Google, Inc.  All rights reserved.
  * **************************************************************/
 
 /*
@@ -48,7 +48,7 @@ static umbra_map_t *umbra_map;
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                   bool for_trace, bool translating, OUT void **user_data);
+                   bool for_trace, bool translating, DR_PARAM_OUT void **user_data);
 
 static dr_emit_flags_t
 event_app_instruction(void *drcontext, void *tag, instrlist_t *ilist, instr_t *where,
@@ -134,7 +134,7 @@ instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where, opnd_t ref,
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                   bool for_trace, bool translating, OUT void **user_data)
+                   bool for_trace, bool translating, DR_PARAM_OUT void **user_data)
 {
     instr_t *inst;
     bool prev_was_mov_const = false;
diff --git a/tests/framework/umbra_client_insert_app_to_shadow.c b/tests/framework/umbra_client_insert_app_to_shadow.c
index de45c733f..84f017c1d 100644
--- a/tests/framework/umbra_client_insert_app_to_shadow.c
+++ b/tests/framework/umbra_client_insert_app_to_shadow.c
@@ -52,7 +52,7 @@ static umbra_map_t *umbra_map;
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb, bool for_trace,
-                   bool translating, OUT void **user_data);
+                   bool translating, DR_PARAM_OUT void **user_data);
 
 static dr_emit_flags_t
 event_app_instruction(void *drcontext, void *tag, instrlist_t *ilist, instr_t *where,
@@ -228,7 +228,7 @@ instrument_read_shadow(void *drcontext, instrlist_t *ilist, instr_t *where,
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb, bool for_trace,
-                   bool translating, OUT void **user_data)
+                   bool translating, DR_PARAM_OUT void **user_data)
 {
     instr_t *inst;
     bool prev_was_mov_const = false;
diff --git a/tests/framework/umbra_client_shadow_mem.c b/tests/framework/umbra_client_shadow_mem.c
index 0d51dc415..dbc70219e 100644
--- a/tests/framework/umbra_client_shadow_mem.c
+++ b/tests/framework/umbra_client_shadow_mem.c
@@ -1,5 +1,5 @@
 /* **************************************************************
- * Copyright (c) 2017 Google, Inc.  All rights reserved.
+ * Copyright (c) 2017-2024 Google, Inc.  All rights reserved.
  * **************************************************************/
 
 /*
@@ -48,7 +48,7 @@ static umbra_map_t *umbra_map;
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                   bool for_trace, bool translating, OUT void **user_data);
+                   bool for_trace, bool translating, DR_PARAM_OUT void **user_data);
 
 static dr_emit_flags_t
 event_app_instruction(void *drcontext, void *tag, instrlist_t *ilist, instr_t *where,
@@ -144,7 +144,7 @@ instrument_mem(void *drcontext, instrlist_t *ilist, instr_t *where, opnd_t ref,
 
 static dr_emit_flags_t
 event_app_analysis(void *drcontext, void *tag, instrlist_t *bb,
-                   bool for_trace, bool translating, OUT void **user_data)
+                   bool for_trace, bool translating, DR_PARAM_OUT void **user_data)
 {
     instr_t *inst;
     bool prev_was_mov_const = false;
diff --git a/tests/fuzz/custom_mutator.c b/tests/fuzz/custom_mutator.c
index 85956c4f1..09719ba3a 100644
--- a/tests/fuzz/custom_mutator.c
+++ b/tests/fuzz/custom_mutator.c
@@ -46,8 +46,10 @@ typedef struct _mutator_t {
 #define DEFAULT_TOADD 0xf0f00a0a
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_start(OUT drfuzz_mutator_t **mutator_out, IN void *input_seed,
-                     IN size_t size, IN int argc, IN const char *argv[])
+drfuzz_mutator_start(DR_PARAM_OUT drfuzz_mutator_t **mutator_out,
+                     DR_PARAM_IN void *input_seed,
+                     DR_PARAM_IN size_t size, DR_PARAM_IN int argc,
+                     DR_PARAM_IN const char *argv[])
 {
     mutator_t *mutator;
     int i;
@@ -94,7 +96,8 @@ drfuzz_mutator_has_next_value(drfuzz_mutator_t *mutator_in)
 }
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_get_current_value(IN drfuzz_mutator_t *mutator_in, OUT void *buffer)
+drfuzz_mutator_get_current_value(DR_PARAM_IN drfuzz_mutator_t *mutator_in,
+                                 DR_PARAM_OUT void *buffer)
 {
     mutator_t *mutator = (mutator_t *) mutator_in;
     memcpy(buffer, mutator->current_value, mutator->size);
@@ -102,7 +105,7 @@ drfuzz_mutator_get_current_value(IN drfuzz_mutator_t *mutator_in, OUT void *buff
 }
 
 LIB_EXPORT drmf_status_t
-drfuzz_mutator_get_next_value(drfuzz_mutator_t *mutator_in, IN void *buffer)
+drfuzz_mutator_get_next_value(drfuzz_mutator_t *mutator_in, DR_PARAM_IN void *buffer)
 {
     mutator_t *mutator = (mutator_t *) mutator_in;
     int val = *(int *)mutator->current_value;
diff --git a/tests/suppress.c b/tests/suppress.c
index 221e3e02b..277c5ec72 100644
--- a/tests/suppress.c
+++ b/tests/suppress.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2015 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2022 Google, Inc.  All rights reserved.
  * Copyright (c) 2009-2010 VMware, Inc.  All rights reserved.
  * **********************************************************/
 
diff --git a/umbra/umbra.c b/umbra/umbra.c
index 21ffe4226..3ce19accb 100644
--- a/umbra/umbra.c
+++ b/umbra/umbra.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -373,8 +373,8 @@ umbra_exit(void)
 
 DR_EXPORT
 drmf_status_t
-umbra_create_mapping(IN  umbra_map_options_t *ops,
-                     OUT umbra_map_t **map_out)
+umbra_create_mapping(DR_PARAM_IN  umbra_map_options_t *ops,
+                     DR_PARAM_OUT umbra_map_t **map_out)
 {
     drmf_status_t res;
     if (!umbra_initialized)
@@ -389,7 +389,7 @@ umbra_create_mapping(IN  umbra_map_options_t *ops,
 
 DR_EXPORT
 drmf_status_t
-umbra_destroy_mapping(IN  umbra_map_t *map)
+umbra_destroy_mapping(DR_PARAM_IN  umbra_map_t *map)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -415,12 +415,12 @@ umbra_destroy_mapping(IN  umbra_map_t *map)
  */
 DR_EXPORT
 drmf_status_t
-umbra_create_shadow_memory(IN  umbra_map_t *map,
-                           IN  uint         flags,
-                           IN  app_pc       app_addr,
-                           IN  size_t       app_size,
-                           IN  ptr_uint_t   value,
-                           IN  size_t       value_size)
+umbra_create_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  umbra_shadow_memory_flags_t flags,
+                           DR_PARAM_IN  app_pc       app_addr,
+                           DR_PARAM_IN  size_t       app_size,
+                           DR_PARAM_IN  ptr_uint_t   value,
+                           DR_PARAM_IN  size_t       value_size)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -438,9 +438,9 @@ umbra_create_shadow_memory(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_delete_shadow_memory(IN  umbra_map_t *map,
-                           IN  app_pc       app_addr,
-                           IN  size_t       app_size)
+umbra_delete_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  app_pc       app_addr,
+                           DR_PARAM_IN  size_t       app_size)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -453,7 +453,7 @@ umbra_delete_shadow_memory(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_num_scratch_regs_for_translation(OUT  int *num_regs)
+umbra_num_scratch_regs_for_translation(DR_PARAM_OUT  int *num_regs)
 {
     if (num_regs == NULL) {
         ASSERT(false, "num_regs must not be NULL");
@@ -465,13 +465,13 @@ umbra_num_scratch_regs_for_translation(OUT  int *num_regs)
 
 DR_EXPORT
 drmf_status_t
-umbra_insert_app_to_shadow(IN  void        *drcontext,
-                           IN  umbra_map_t *map,
-                           IN  instrlist_t *ilist,
-                           IN  instr_t     *where,
-                           IN  reg_id_t     addr_reg,
-                           IN  reg_id_t    *scratch_regs,
-                           IN  int          num_scratch_regs)
+umbra_insert_app_to_shadow(DR_PARAM_IN  void        *drcontext,
+                           DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  instrlist_t *ilist,
+                           DR_PARAM_IN  instr_t     *where,
+                           DR_PARAM_IN  reg_id_t     addr_reg,
+                           DR_PARAM_IN  reg_id_t    *scratch_regs,
+                           DR_PARAM_IN  int          num_scratch_regs)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -487,11 +487,11 @@ umbra_insert_app_to_shadow(IN  void        *drcontext,
 
 DR_EXPORT
 drmf_status_t
-umbra_read_shadow_memory(IN  umbra_map_t *map,
-                         IN  app_pc  app_addr,
-                         IN  size_t  app_size,
-                         OUT size_t *shadow_size,
-                         IN  byte    *buffer)
+umbra_read_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                         DR_PARAM_IN  app_pc  app_addr,
+                         DR_PARAM_IN  size_t  app_size,
+                         DR_PARAM_OUT size_t *shadow_size,
+                         DR_PARAM_IN  byte    *buffer)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -513,11 +513,11 @@ umbra_read_shadow_memory(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_write_shadow_memory(IN  umbra_map_t *map,
-                          IN  app_pc  app_addr,
-                          IN  size_t  app_size,
-                          OUT size_t *shadow_size,
-                          IN  byte   *buffer)
+umbra_write_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                          DR_PARAM_IN  app_pc  app_addr,
+                          DR_PARAM_IN  size_t  app_size,
+                          DR_PARAM_OUT size_t *shadow_size,
+                          DR_PARAM_IN  byte   *buffer)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -536,12 +536,12 @@ umbra_write_shadow_memory(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_shadow_set_range(IN   umbra_map_t *map,
-                       IN   app_pc       app_addr,
-                       IN   size_t       app_size,
-                       OUT  size_t      *shadow_size,
-                       IN   ptr_uint_t   value,
-                       IN   size_t       value_size)
+umbra_shadow_set_range(DR_PARAM_IN   umbra_map_t *map,
+                       DR_PARAM_IN   app_pc       app_addr,
+                       DR_PARAM_IN   size_t       app_size,
+                       DR_PARAM_OUT  size_t      *shadow_size,
+                       DR_PARAM_IN   ptr_uint_t   value,
+                       DR_PARAM_IN   size_t       value_size)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -562,11 +562,11 @@ umbra_shadow_set_range(IN   umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_shadow_copy_range(IN  umbra_map_t *map,
-                        IN  app_pc  app_src,
-                        IN  app_pc  app_dst,
-                        IN  size_t  app_size,
-                        OUT size_t *shadow_size)
+umbra_shadow_copy_range(DR_PARAM_IN  umbra_map_t *map,
+                        DR_PARAM_IN  app_pc  app_src,
+                        DR_PARAM_IN  app_pc  app_dst,
+                        DR_PARAM_IN  size_t  app_size,
+                        DR_PARAM_OUT size_t *shadow_size)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -584,12 +584,12 @@ umbra_shadow_copy_range(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_value_in_shadow_memory(IN    umbra_map_t *map,
-                             INOUT app_pc *app_addr,
-                             IN    size_t  app_size,
-                             IN    ptr_uint_t value,
-                             IN    size_t value_size,
-                             OUT   bool   *found)
+umbra_value_in_shadow_memory(DR_PARAM_IN    umbra_map_t *map,
+                             DR_PARAM_INOUT app_pc *app_addr,
+                             DR_PARAM_IN    size_t  app_size,
+                             DR_PARAM_IN    ptr_uint_t value,
+                             DR_PARAM_IN    size_t value_size,
+                             DR_PARAM_OUT   bool   *found)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -607,8 +607,8 @@ umbra_value_in_shadow_memory(IN    umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_get_shadow_block_size(IN  umbra_map_t *map,
-                            OUT size_t *size)
+umbra_get_shadow_block_size(DR_PARAM_IN  umbra_map_t *map,
+                            DR_PARAM_OUT size_t *size)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -621,9 +621,9 @@ umbra_get_shadow_block_size(IN  umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_iterate_app_memory(IN  umbra_map_t *map,
-                         IN  void *user_data,
-                         IN  bool (*iter_func)(umbra_map_t *map,
+umbra_iterate_app_memory(DR_PARAM_IN  umbra_map_t *map,
+                         DR_PARAM_IN  void *user_data,
+                         DR_PARAM_IN  bool (*iter_func)(umbra_map_t *map,
                                                const dr_mem_info_t *info,
                                                void  *user_data))
 {
@@ -668,9 +668,9 @@ umbra_iterate_shadow_memory(umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_get_shadow_memory_type(IN  umbra_map_t *map,
-                             IN  byte *shadow_addr,
-                             OUT umbra_shadow_memory_type_t *shadow_type)
+umbra_get_shadow_memory_type(DR_PARAM_IN  umbra_map_t *map,
+                             DR_PARAM_IN  byte *shadow_addr,
+                             DR_PARAM_OUT umbra_shadow_memory_type_t *shadow_type)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -682,9 +682,9 @@ umbra_get_shadow_memory_type(IN  umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_shadow_memory_is_shared(IN  umbra_map_t *map,
-                              IN  byte *shadow_addr,
-                              OUT umbra_shadow_memory_type_t *shadow_type)
+umbra_shadow_memory_is_shared(DR_PARAM_IN  umbra_map_t *map,
+                              DR_PARAM_IN  byte *shadow_addr,
+                              DR_PARAM_OUT umbra_shadow_memory_type_t *shadow_type)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -697,10 +697,10 @@ umbra_shadow_memory_is_shared(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_get_shadow_memory(IN    umbra_map_t *map,
-                        IN    app_pc app_addr,
-                        OUT   byte **shadow_addr,
-                        INOUT umbra_shadow_memory_info_t *shadow_info)
+umbra_get_shadow_memory(DR_PARAM_IN    umbra_map_t *map,
+                        DR_PARAM_IN    app_pc app_addr,
+                        DR_PARAM_OUT   byte **shadow_addr,
+                        DR_PARAM_INOUT umbra_shadow_memory_info_t *shadow_info)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -731,10 +731,10 @@ umbra_replace_shared_shadow_memory(umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_create_shared_shadow_block(IN  umbra_map_t *map,
-                                 IN  ptr_uint_t   value,
-                                 IN  size_t       value_size,
-                                 OUT byte       **block)
+umbra_create_shared_shadow_block(DR_PARAM_IN  umbra_map_t *map,
+                                 DR_PARAM_IN  ptr_uint_t   value,
+                                 DR_PARAM_IN  size_t       value_size,
+                                 DR_PARAM_OUT byte       **block)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -747,10 +747,10 @@ umbra_create_shared_shadow_block(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_get_shared_shadow_block(IN  umbra_map_t *map,
-                              IN  ptr_uint_t   value,
-                              IN  size_t       value_size,
-                              OUT byte       **block)
+umbra_get_shared_shadow_block(DR_PARAM_IN  umbra_map_t *map,
+                              DR_PARAM_IN  ptr_uint_t   value,
+                              DR_PARAM_IN  size_t       value_size,
+                              DR_PARAM_OUT byte       **block)
 {
     if (map == NULL || map->magic != UMBRA_MAP_MAGIC) {
         ASSERT(false, "invalid umbra_map");
@@ -763,7 +763,7 @@ umbra_get_shared_shadow_block(IN  umbra_map_t *map,
 
 DR_EXPORT
 drmf_status_t
-umbra_get_granularity(const umbra_map_t *map, OUT int *scale, OUT bool *is_scale_down)
+umbra_get_granularity(const umbra_map_t *map, DR_PARAM_OUT int *scale, DR_PARAM_OUT bool *is_scale_down)
 {
     if (map == NULL || scale == NULL || is_scale_down == NULL)
         return DRMF_ERROR_INVALID_PARAMETER;
diff --git a/umbra/umbra.h b/umbra/umbra.h
index b2329d121..23d0cb231 100755
--- a/umbra/umbra.h
+++ b/umbra/umbra.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2014 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -309,15 +309,15 @@ DR_EXPORT
  * @param[out]  map_out  The mapping options.
  */
 drmf_status_t
-umbra_create_mapping(IN  umbra_map_options_t *ops,
-                     OUT umbra_map_t **map_out);
+umbra_create_mapping(DR_PARAM_IN  umbra_map_options_t *ops,
+                     DR_PARAM_OUT umbra_map_t **map_out);
 
 DR_EXPORT
 /**
  * Destroy a shadow memory mapping \p map created by umbra_create_mapping.
  */
 drmf_status_t
-umbra_destroy_mapping(IN  umbra_map_t *map);
+umbra_destroy_mapping(DR_PARAM_IN  umbra_map_t *map);
 
 DR_EXPORT
 /**
@@ -343,12 +343,12 @@ DR_EXPORT
  * on \p map creation.
  */
 drmf_status_t
-umbra_create_shadow_memory(IN  umbra_map_t *map,
-                           IN  umbra_shadow_memory_flags_t flags,
-                           IN  app_pc       app_addr,
-                           IN  size_t       app_size,
-                           IN  ptr_uint_t   value,
-                           IN  size_t       value_size);
+umbra_create_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  umbra_shadow_memory_flags_t flags,
+                           DR_PARAM_IN  app_pc       app_addr,
+                           DR_PARAM_IN  size_t       app_size,
+                           DR_PARAM_IN  ptr_uint_t   value,
+                           DR_PARAM_IN  size_t       value_size);
 
 DR_EXPORT
 /**
@@ -367,9 +367,9 @@ DR_EXPORT
  * which will be set to the value specified on \p map creation instead.
  */
 drmf_status_t
-umbra_delete_shadow_memory(IN  umbra_map_t *map,
-                           IN  app_pc       app_addr,
-                           IN  size_t       app_size);
+umbra_delete_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  app_pc       app_addr,
+                           DR_PARAM_IN  size_t       app_size);
 
 DR_EXPORT
 /**
@@ -380,7 +380,7 @@ DR_EXPORT
  * @param[out]  num_regs  Number of scratch register required for translation.
  */
 drmf_status_t
-umbra_num_scratch_regs_for_translation(OUT  int *num_regs);
+umbra_num_scratch_regs_for_translation(DR_PARAM_OUT  int *num_regs);
 
 DR_EXPORT
 /**
@@ -410,13 +410,13 @@ DR_EXPORT
  * and after this method is called, e.g. with \p drreg_reserve_aflags().
  */
 drmf_status_t
-umbra_insert_app_to_shadow(IN  void        *drcontext,
-                           IN  umbra_map_t *map,
-                           IN  instrlist_t *ilist,
-                           IN  instr_t     *where,
-                           IN  reg_id_t     addr_reg,
-                           IN  reg_id_t    *scratch_regs,
-                           IN  int          num_scratch_regs);
+umbra_insert_app_to_shadow(DR_PARAM_IN  void        *drcontext,
+                           DR_PARAM_IN  umbra_map_t *map,
+                           DR_PARAM_IN  instrlist_t *ilist,
+                           DR_PARAM_IN  instr_t     *where,
+                           DR_PARAM_IN  reg_id_t     addr_reg,
+                           DR_PARAM_IN  reg_id_t    *scratch_regs,
+                           DR_PARAM_IN  int          num_scratch_regs);
 
 DR_EXPORT
 /**
@@ -434,11 +434,11 @@ DR_EXPORT
  * for invalid addresses, returns DRMF_ERROR_INVALID_ADDRESS.
  */
 drmf_status_t
-umbra_read_shadow_memory(IN    umbra_map_t *map,
-                         IN    app_pc  app_addr,
-                         IN    size_t  app_size,
-                         INOUT size_t *shadow_size,
-                         OUT   byte   *buffer);
+umbra_read_shadow_memory(DR_PARAM_IN    umbra_map_t *map,
+                         DR_PARAM_IN    app_pc  app_addr,
+                         DR_PARAM_IN    size_t  app_size,
+                         DR_PARAM_INOUT size_t *shadow_size,
+                         DR_PARAM_OUT   byte   *buffer);
 
 DR_EXPORT
 /**
@@ -456,11 +456,11 @@ DR_EXPORT
  * for invalid addresses, returns DRMF_ERROR_INVALID_ADDRESS.
  */
 drmf_status_t
-umbra_write_shadow_memory(IN  umbra_map_t *map,
-                          IN  app_pc  app_addr,
-                          IN  size_t  app_size,
-                          INOUT size_t *shadow_size,
-                          IN  byte   *buffer);
+umbra_write_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                          DR_PARAM_IN  app_pc  app_addr,
+                          DR_PARAM_IN  size_t  app_size,
+                          DR_PARAM_INOUT size_t *shadow_size,
+                          DR_PARAM_IN  byte   *buffer);
 
 DR_EXPORT
 /**
@@ -479,12 +479,12 @@ DR_EXPORT
  * for invalid addresses, returns DRMF_ERROR_INVALID_ADDRESS.
  */
 drmf_status_t
-umbra_shadow_set_range(IN   umbra_map_t *map,
-                       IN   app_pc       app_addr,
-                       IN   size_t       app_size,
-                       OUT  size_t      *shadow_size,
-                       IN   ptr_uint_t   value,
-                       IN   size_t       value_size);
+umbra_shadow_set_range(DR_PARAM_IN   umbra_map_t *map,
+                       DR_PARAM_IN   app_pc       app_addr,
+                       DR_PARAM_IN   size_t       app_size,
+                       DR_PARAM_OUT  size_t      *shadow_size,
+                       DR_PARAM_IN   ptr_uint_t   value,
+                       DR_PARAM_IN   size_t       value_size);
 
 DR_EXPORT
 /**
@@ -504,11 +504,11 @@ DR_EXPORT
  * \note: Overlap is allowed.
  */
 drmf_status_t
-umbra_shadow_copy_range(IN  umbra_map_t *map,
-                        IN  app_pc  app_src,
-                        IN  app_pc  app_dst,
-                        IN  size_t  app_size,
-                        OUT size_t *shadow_size);
+umbra_shadow_copy_range(DR_PARAM_IN  umbra_map_t *map,
+                        DR_PARAM_IN  app_pc  app_src,
+                        DR_PARAM_IN  app_pc  app_dst,
+                        DR_PARAM_IN  size_t  app_size,
+                        DR_PARAM_OUT size_t *shadow_size);
 
 DR_EXPORT
 /**
@@ -529,12 +529,12 @@ DR_EXPORT
  * for invalid addresses, returns DRMF_ERROR_INVALID_ADDRESS.
  */
 drmf_status_t
-umbra_value_in_shadow_memory(IN    umbra_map_t *map,
-                             INOUT app_pc      *app_addr,
-                             IN    size_t       app_size,
-                             IN    ptr_uint_t   value,
-                             IN    size_t       value_size,
-                             OUT   bool        *found);
+umbra_value_in_shadow_memory(DR_PARAM_IN    umbra_map_t *map,
+                             DR_PARAM_INOUT app_pc      *app_addr,
+                             DR_PARAM_IN    size_t       app_size,
+                             DR_PARAM_IN    ptr_uint_t   value,
+                             DR_PARAM_IN    size_t       value_size,
+                             DR_PARAM_OUT   bool        *found);
 
 DR_EXPORT
 /**
@@ -545,8 +545,8 @@ DR_EXPORT
  * @param[out] size  The shadow memory block size.
  */
 drmf_status_t
-umbra_get_shadow_block_size(IN  umbra_map_t *map,
-                            OUT size_t *size);
+umbra_get_shadow_block_size(DR_PARAM_IN  umbra_map_t *map,
+                            DR_PARAM_OUT size_t *size);
 
 DR_EXPORT
 /**
@@ -562,9 +562,9 @@ DR_EXPORT
  * since they are not considered as part of DynamoRIO internal or client memory.
  */
 drmf_status_t
-umbra_iterate_app_memory(IN  umbra_map_t *map,
-                         IN  void *user_data,
-                         IN  bool (*iter_func)(umbra_map_t *map,
+umbra_iterate_app_memory(DR_PARAM_IN  umbra_map_t *map,
+                         DR_PARAM_IN  void *user_data,
+                         DR_PARAM_IN  bool (*iter_func)(umbra_map_t *map,
                                                const dr_mem_info_t *info,
                                                void  *user_data));
 
@@ -589,9 +589,9 @@ DR_EXPORT
  *                        It can return false to stop the iteration.
  */
 drmf_status_t
-umbra_iterate_shadow_memory(IN  umbra_map_t *map,
-                            IN  void  *user_data,
-                            IN  shadow_iterate_func_t iter_func);
+umbra_iterate_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                            DR_PARAM_IN  void  *user_data,
+                            DR_PARAM_IN  shadow_iterate_func_t iter_func);
 
 DR_EXPORT
 /**
@@ -605,9 +605,9 @@ DR_EXPORT
  * shadow memory to determine the shadow memory type for \p shadow_addr.
  */
 drmf_status_t
-umbra_get_shadow_memory_type(IN  umbra_map_t *map,
-                             IN  byte *shadow_addr,
-                             OUT umbra_shadow_memory_type_t *shadow_type);
+umbra_get_shadow_memory_type(DR_PARAM_IN  umbra_map_t *map,
+                             DR_PARAM_IN  byte *shadow_addr,
+                             DR_PARAM_OUT umbra_shadow_memory_type_t *shadow_type);
 
 DR_EXPORT
 /**
@@ -631,9 +631,9 @@ DR_EXPORT
  *
  */
 drmf_status_t
-umbra_shadow_memory_is_shared(IN  umbra_map_t *map,
-                              IN  byte *shadow_addr,
-                              OUT umbra_shadow_memory_type_t *shadow_type);
+umbra_shadow_memory_is_shared(DR_PARAM_IN  umbra_map_t *map,
+                              DR_PARAM_IN  byte *shadow_addr,
+                              DR_PARAM_OUT umbra_shadow_memory_type_t *shadow_type);
 
 DR_EXPORT
 /**
@@ -668,10 +668,10 @@ DR_EXPORT
  *
  */
 drmf_status_t
-umbra_get_shadow_memory(IN    umbra_map_t *map,
-                        IN    app_pc app_addr,
-                        OUT   byte **shadow_addr,
-                        INOUT umbra_shadow_memory_info_t *shadow_info);
+umbra_get_shadow_memory(DR_PARAM_IN    umbra_map_t *map,
+                        DR_PARAM_IN    app_pc app_addr,
+                        DR_PARAM_OUT   byte **shadow_addr,
+                        DR_PARAM_INOUT umbra_shadow_memory_info_t *shadow_info);
 
 DR_EXPORT
 /**
@@ -685,9 +685,9 @@ DR_EXPORT
  * @param[out] shadow_addr  Return the replaced shadow memory address.
  */
 drmf_status_t
-umbra_replace_shared_shadow_memory(IN  umbra_map_t *map,
-                                   IN  app_pc       app_addr,
-                                   OUT byte       **shadow_addr);
+umbra_replace_shared_shadow_memory(DR_PARAM_IN  umbra_map_t *map,
+                                   DR_PARAM_IN  app_pc       app_addr,
+                                   DR_PARAM_OUT byte       **shadow_addr);
 
 DR_EXPORT
 /**
@@ -707,10 +707,10 @@ DR_EXPORT
  * implementation and always returns DRMF_ERROR_FEATURE_NOT_AVAILABLE.
  */
 drmf_status_t
-umbra_create_shared_shadow_block(IN  umbra_map_t *map,
-                                 IN  ptr_uint_t   value,
-                                 IN  size_t       value_size,
-                                 OUT byte       **block);
+umbra_create_shared_shadow_block(DR_PARAM_IN  umbra_map_t *map,
+                                 DR_PARAM_IN  ptr_uint_t   value,
+                                 DR_PARAM_IN  size_t       value_size,
+                                 DR_PARAM_OUT byte       **block);
 
 DR_EXPORT
 /**
@@ -727,10 +727,10 @@ DR_EXPORT
  * implementation and always returns DRMF_ERROR_FEATURE_NOT_AVAILABLE.
  */
 drmf_status_t
-umbra_get_shared_shadow_block(IN  umbra_map_t *map,
-                              IN  ptr_uint_t   value,
-                              IN  size_t       value_size,
-                              OUT byte       **block);
+umbra_get_shared_shadow_block(DR_PARAM_IN  umbra_map_t *map,
+                              DR_PARAM_IN  ptr_uint_t   value,
+                              DR_PARAM_IN  size_t       value_size,
+                              DR_PARAM_OUT byte       **block);
 
 /** Convenience routine for initializing umbra_shadow_memory_info. */
 static inline void
@@ -773,7 +773,7 @@ DR_EXPORT
  *                              or up.
  */
 drmf_status_t
-umbra_get_granularity(const umbra_map_t *map, OUT int *scale,
+umbra_get_granularity(const umbra_map_t *map, DR_PARAM_OUT int *scale,
                       bool *is_scale_down);
 
 /*@}*/ /* end doxygen group */
diff --git a/umbra/umbra_64.c b/umbra/umbra_64.c
index 14bff7e67..975225054 100644
--- a/umbra/umbra_64.c
+++ b/umbra/umbra_64.c
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2013-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2013-2022 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -262,10 +262,13 @@ static dr_os_version_info_t os_version = {sizeof(os_version),};
 /* Each unit has 16 segments, which could be used for app or shadow. */
 #define NUM_SEGMENTS      16 /* 16 segments per unit */
 
+
+#ifndef AARCH64
 static ptr_uint_t seg_index_mask(uint num_seg_bits)
 {
     return (ptr_uint_t)(NUM_SEGMENTS - 1) << num_seg_bits;
 }
+#endif
 
 static ptr_uint_t segment_size(uint num_seg_bits)
 {
@@ -355,6 +358,37 @@ static ptr_uint_t map_disp_win81[] = {
  * We check conflicts later when creating shadow memory.
  */
 #ifdef LINUX
+#ifdef AARCH64
+static const app_segment_t app_segments_initial[] = {
+    /* We split app3 [0x7F0000000000, 0x800000000000) into two parts:
+     * [0x7F0000000000, 0x7FFFFF400000) and [0x7FFFFF800000, 0x800000000000).
+     * And we skip [0x7FFFFF400000-0x7FFFFF800000)
+     * for app4 [0xFFFFFFFFFF400000,  0xFFFFFFFFFF800000) because current
+     * mapping schema maps app3 and app4 to the same segment.
+     * We cannot use smaller size due to the block allocation size
+     * (ALLOC_UNIT_SIZE) and the correspoinding bitmap for the shadow memory
+     * allocation tracking.
+     *
+     * We assume [0x7FFFFF400000-0x7FFFFF800000) will not be used by app.
+     * If app allocates memory from that region, umbra_add_app_segment
+     * will fail because umbra_add_shadow_segment fails to add corresponding
+     * shadow memory segment.
+     * FIXME i#1782, i#1798: we can proactively track memory allocation and
+     * use more expensive instrumentation when necessary to get rid of the
+     * assumption and segment split.
+     */
+    {(app_pc)0x0000ff0000000000,  (app_pc)0x0001000000000000, 0},
+    {(app_pc)0x0000000000000000,  (app_pc)0x0000010000000000, 0},
+    /* app4: [0xFFFFFFFF'FF600000, 0xFFFFFFFF'FF601000] */
+    /* for all additional segments */
+    { NULL, NULL, 0 },
+    { NULL, NULL, 0 },
+    { NULL, NULL, 0 },
+    { NULL, NULL, 0 },
+    { NULL, NULL, 0 },
+};
+
+#else
 static const app_segment_t app_segments_initial[] = {
     /* We split app3 [0x7F0000000000, 0x800000000000) into two parts:
      * [0x7F0000000000, 0x7FFFFF400000) and [0x7FFFFF800000, 0x800000000000).
@@ -388,6 +422,7 @@ static const app_segment_t app_segments_initial[] = {
     { NULL, NULL, 0 },
     { NULL, NULL, 0 },
 };
+#endif
 static const app_segment_t app_segments_initial_no_vsyscall[] = {
     /* We do not need any gaps or splitting without vsyscall. */
     /* for all additional segments */
@@ -869,7 +904,7 @@ umbra_map_arch_init(umbra_map_t *map, umbra_map_options_t *ops)
     ASSERT(map->shadow_block_size >= ALLOC_UNIT_SIZE &&
            map->app_block_size    >= ALLOC_UNIT_SIZE,
            "block size too small");
-    map->mask = segment_mask(num_seg_bits) | seg_index_mask(num_seg_bits);
+    map->mask = IF_AARCH64_ELSE(0xfffffffffffffffc, segment_mask(num_seg_bits) | seg_index_mask(num_seg_bits));
 #ifdef WINDOWS
     if (UMBRA_MAP_SCALE_IS_UP(map->options.scale)) {
         /* The only way we can avoid reserves from wrapping around or overlapping
@@ -997,11 +1032,11 @@ umbra_delete_shadow_memory_arch(umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_read_shadow_memory_arch(IN    umbra_map_t *map,
-                              IN    app_pc  app_addr,
-                              IN    size_t  app_size,
-                              INOUT size_t *shadow_size,
-                              IN    byte    *buffer)
+umbra_read_shadow_memory_arch(DR_PARAM_IN    umbra_map_t *map,
+                              DR_PARAM_IN    app_pc  app_addr,
+                              DR_PARAM_IN    size_t  app_size,
+                              DR_PARAM_INOUT size_t *shadow_size,
+                              DR_PARAM_IN    byte    *buffer)
 {
     /* i#1260: end pointers are all closed (i.e., inclusive) to handle overflow */
     app_pc app_blk_base, app_blk_end, app_src_end;
@@ -1040,11 +1075,11 @@ umbra_read_shadow_memory_arch(IN    umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_write_shadow_memory_arch(IN    umbra_map_t *map,
-                               IN    app_pc  app_addr,
-                               IN    size_t  app_size,
-                               INOUT size_t *shadow_size,
-                               IN    byte   *buffer)
+umbra_write_shadow_memory_arch(DR_PARAM_IN    umbra_map_t *map,
+                               DR_PARAM_IN    app_pc  app_addr,
+                               DR_PARAM_IN    size_t  app_size,
+                               DR_PARAM_INOUT size_t *shadow_size,
+                               DR_PARAM_IN    byte   *buffer)
 {
     /* i#1260: end pointers are all closed (i.e., inclusive) to handle overflow */
     app_pc app_blk_base, app_blk_end, app_src_end;
@@ -1083,12 +1118,12 @@ umbra_write_shadow_memory_arch(IN    umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_shadow_set_range_arch(IN   umbra_map_t *map,
-                            IN   app_pc       app_addr,
-                            IN   size_t       app_size,
-                            OUT  size_t      *shadow_size,
-                            IN   ptr_uint_t   value,
-                            IN   size_t       value_size)
+umbra_shadow_set_range_arch(DR_PARAM_IN   umbra_map_t *map,
+                            DR_PARAM_IN   app_pc       app_addr,
+                            DR_PARAM_IN   size_t       app_size,
+                            DR_PARAM_OUT  size_t      *shadow_size,
+                            DR_PARAM_IN   ptr_uint_t   value,
+                            DR_PARAM_IN   size_t       value_size)
 {
     /* i#1260: end pointers are all closed (i.e., inclusive) to handle overflow */
     app_pc app_blk_base, app_blk_end, app_src_end;
@@ -1125,11 +1160,11 @@ umbra_shadow_set_range_arch(IN   umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_shadow_copy_range_arch(IN  umbra_map_t *map,
-                             IN  app_pc  app_src,
-                             IN  app_pc  app_dst,
-                             IN  size_t  app_size_in,
-                             OUT size_t *shadow_size_out)
+umbra_shadow_copy_range_arch(DR_PARAM_IN  umbra_map_t *map,
+                             DR_PARAM_IN  app_pc  app_src,
+                             DR_PARAM_IN  app_pc  app_dst,
+                             DR_PARAM_IN  size_t  app_size_in,
+                             DR_PARAM_OUT size_t *shadow_size_out)
 {
     /* i#1260: end pointers are all closed (i.e., inclusive) to handle overflow */
     app_pc app_blk_base, app_blk_end, app_src_end;
@@ -1202,12 +1237,12 @@ umbra_shadow_copy_range_arch(IN  umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_value_in_shadow_memory_arch(IN    umbra_map_t *map,
-                                  INOUT app_pc *app_addr,
-                                  IN    size_t  app_size,
-                                  IN    ptr_uint_t value,
-                                  IN    size_t value_size,
-                                  OUT   bool  *found)
+umbra_value_in_shadow_memory_arch(DR_PARAM_IN    umbra_map_t *map,
+                                  DR_PARAM_INOUT app_pc *app_addr,
+                                  DR_PARAM_IN    size_t  app_size,
+                                  DR_PARAM_IN    ptr_uint_t value,
+                                  DR_PARAM_IN    size_t value_size,
+                                  DR_PARAM_OUT   bool  *found)
 {
     /* i#1260: end pointers are all closed (i.e., inclusive) to handle overflow */
     app_pc app_blk_base, app_blk_end, app_src_end;
@@ -1310,9 +1345,12 @@ umbra_insert_app_to_shadow_arch(void *drcontext,
                                        opnd_create_reg(reg_addr), opnd_create_reg(reg_addr),
                                        opnd_create_reg(tmp)));
     if (map->options.scale == UMBRA_MAP_SCALE_UP_2X) {
-        PRE(ilist, where, INSTR_CREATE_lsl(drcontext,
-                                           opnd_create_reg(reg_addr), opnd_create_reg(reg_addr),
-                                           OPND_CREATE_INT8(map->shift)));
+        /* XXX: Use INSTR_CREATE_lsl or an xinst variant when DR provides it. */
+        PRE(ilist, where, instr_create_1dst_3src(drcontext, OP_ubfm,
+                                                 opnd_create_reg(reg_addr),
+                                                 opnd_create_reg(reg_addr),
+                                                 OPND_CREATE_INT(64 - map->shift),
+                                                 OPND_CREATE_INT(63 - map->shift)));
     } else if (map->options.scale <= UMBRA_MAP_SCALE_DOWN_2X) {
         PRE(ilist, where, XINST_CREATE_slr_s(drcontext,
                                              opnd_create_reg(reg_addr),
@@ -1383,9 +1421,9 @@ umbra_iterate_shadow_memory_arch(umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_shadow_memory_is_shared_arch(IN  umbra_map_t *map,
-                                   IN  byte *shadow_addr,
-                                   OUT umbra_shadow_memory_type_t *shadow_type)
+umbra_shadow_memory_is_shared_arch(DR_PARAM_IN  umbra_map_t *map,
+                                   DR_PARAM_IN  byte *shadow_addr,
+                                   DR_PARAM_OUT umbra_shadow_memory_type_t *shadow_type)
 {
     *shadow_type = UMBRA_SHADOW_MEMORY_TYPE_UNKNOWN;
     return DRMF_SUCCESS;
@@ -1471,19 +1509,19 @@ umbra_replace_shared_shadow_memory_arch(umbra_map_t *map,
 }
 
 drmf_status_t
-umbra_create_shared_shadow_block_arch(IN  umbra_map_t *map,
-                                      IN  ptr_uint_t   value,
-                                      IN  size_t       value_size,
-                                      OUT byte       **block)
+umbra_create_shared_shadow_block_arch(DR_PARAM_IN  umbra_map_t *map,
+                                      DR_PARAM_IN  ptr_uint_t   value,
+                                      DR_PARAM_IN  size_t       value_size,
+                                      DR_PARAM_OUT byte       **block)
 {
     return DRMF_ERROR_FEATURE_NOT_AVAILABLE;
 }
 
 drmf_status_t
-umbra_get_shared_shadow_block_arch(IN  umbra_map_t *map,
-                                   IN  ptr_uint_t   value,
-                                   IN  size_t       value_size,
-                                   OUT byte       **block)
+umbra_get_shared_shadow_block_arch(DR_PARAM_IN  umbra_map_t *map,
+                                   DR_PARAM_IN  ptr_uint_t   value,
+                                   DR_PARAM_IN  size_t       value_size,
+                                   DR_PARAM_OUT byte       **block)
 {
     *block = NULL;
     return DRMF_ERROR_FEATURE_NOT_AVAILABLE;
@@ -1502,9 +1540,9 @@ umbra_identify_shadow_fault(void *drcontext, dr_mcontext_t *raw_mc,
         return false;
     LOG(UMBRA_VERBOSE,
         "%s: decoding cache %p looking for %p\n", __FUNCTION__, pc, raw_mc->pc);
-    umbra_map_t *map = NULL;
     bool found_xl8 = false;
 #ifndef AARCH64
+    umbra_map_t *map = NULL;
     bool found_and = false;
 #endif
     instr_init(drcontext, &inst);
diff --git a/umbra/umbra_private.h b/umbra/umbra_private.h
index 2805a3082..1f0eb6321 100644
--- a/umbra/umbra_private.h
+++ b/umbra/umbra_private.h
@@ -1,5 +1,5 @@
 /* **********************************************************
- * Copyright (c) 2012-2021 Google, Inc.  All rights reserved.
+ * Copyright (c) 2012-2024 Google, Inc.  All rights reserved.
  * **********************************************************/
 
 /* Dr. Memory: the memory debugger
@@ -88,10 +88,10 @@ struct _umbra_map_t {
  * indirect call per loop iter, and an iterator would have call costs
  * as well.  These loops can be performance-critical parts of Dr. Memory.
  *
- * Usage: APP_RANGE_LOOP(IN app_pc app_addr, IN size_t app_size,
- *                       OUT app_pc app_blk_base, OUT app_pc app_blk_end,
- *                       OUT app_pc app_src_end,
- *                       OUT app_pc start, OUT app_pc end, OUT size_t iter_size,
+ * Usage: APP_RANGE_LOOP(DR_PARAM_IN app_pc app_addr, DR_PARAM_IN size_t app_size,
+ *                       DR_PARAM_OUT app_pc app_blk_base, DR_PARAM_OUT app_pc app_blk_end,
+ *                       DR_PARAM_OUT app_pc app_src_end,
+ *                       DR_PARAM_OUT app_pc start, DR_PARAM_OUT app_pc end, DR_PARAM_OUT size_t iter_size,
  *                       { loop_body... })
  *
  * Each iteration operates on the app address range [start, end].
@@ -204,19 +204,19 @@ umbra_write_shadow_memory_arch(umbra_map_t *map,
                                byte   *buffer);
 
 drmf_status_t
-umbra_shadow_set_range_arch(IN   umbra_map_t *map,
-                            IN   app_pc       app_addr,
-                            IN   size_t       app_size,
-                            OUT  size_t      *shadow_size,
-                            IN   ptr_uint_t   value,
-                            IN   size_t       value_size);
+umbra_shadow_set_range_arch(DR_PARAM_IN   umbra_map_t *map,
+                            DR_PARAM_IN   app_pc       app_addr,
+                            DR_PARAM_IN   size_t       app_size,
+                            DR_PARAM_OUT  size_t      *shadow_size,
+                            DR_PARAM_IN   ptr_uint_t   value,
+                            DR_PARAM_IN   size_t       value_size);
 
 drmf_status_t
-umbra_shadow_copy_range_arch(IN  umbra_map_t *map,
-                             IN  app_pc  app_src,
-                             IN  app_pc  app_dst,
-                             IN  size_t  app_size,
-                             OUT size_t *shadow_size);
+umbra_shadow_copy_range_arch(DR_PARAM_IN  umbra_map_t *map,
+                             DR_PARAM_IN  app_pc  app_src,
+                             DR_PARAM_IN  app_pc  app_dst,
+                             DR_PARAM_IN  size_t  app_size,
+                             DR_PARAM_OUT size_t *shadow_size);
 
 drmf_status_t
 umbra_iterate_shadow_memory_arch(umbra_map_t *map,
@@ -252,16 +252,16 @@ umbra_replace_shared_shadow_memory_arch(umbra_map_t *map,
                                         byte **shadow_addr);
 
 drmf_status_t
-umbra_create_shared_shadow_block_arch(IN  umbra_map_t *map,
-                                      IN  ptr_uint_t   value,
-                                      IN  size_t       value_size,
-                                      OUT byte       **block);
+umbra_create_shared_shadow_block_arch(DR_PARAM_IN  umbra_map_t *map,
+                                      DR_PARAM_IN  ptr_uint_t   value,
+                                      DR_PARAM_IN  size_t       value_size,
+                                      DR_PARAM_OUT byte       **block);
 
 drmf_status_t
-umbra_get_shared_shadow_block_arch(IN  umbra_map_t *map,
-                                   IN  ptr_uint_t   value,
-                                   IN  size_t       value_size,
-                                   OUT byte       **block);
+umbra_get_shared_shadow_block_arch(DR_PARAM_IN  umbra_map_t *map,
+                                   DR_PARAM_IN  ptr_uint_t   value,
+                                   DR_PARAM_IN  size_t       value_size,
+                                   DR_PARAM_OUT byte       **block);
 
 bool
 umbra_handle_fault(void *drcontext, byte *target, dr_mcontext_t *raw_mc,