include cleanup

The Zeek code base has very inconsistent #includes.  Many sources
included a few headers, and those headers included other headers, and
in the end, nearly everything is included everywhere, so missing
#includes were never noticed.  Another side effect was a lot of header
bloat which slows down the build.

First step to fix it: in each source file, its own header should be
included first to verify that each header's includes are correct, and
none is missing.

After adding the missing #includes, I replaced lots of #includes
inside headers with class forward declarations.  In most headers,
object pointers are never referenced, so declaring the function
prototypes with forward-declared classes is just fine.

This patch speeds up the build by 19%, because each compilation unit
gets smaller.  Here are the "time" numbers for a fresh build (with a
warm page cache but without ccache):

Before this patch:

 3144.94user 161.63system 3:02.87elapsed 1808%CPU (0avgtext+0avgdata 2168608maxresident)k
 760inputs+12008400outputs (1511major+57747204minor)pagefaults 0swaps

After this patch:

 2565.17user 141.83system 2:25.46elapsed 1860%CPU (0avgtext+0avgdata 1489076maxresident)k
 72576inputs+9130920outputs (1667major+49400430minor)pagefaults 0swaps

src/Anon.cc

@@ -1,3 +1,5 @@
+#include "Anon.h"
+
 #include <stdlib.h>
 #include <unistd.h>
 #include <assert.h>
@@ -5,7 +7,6 @@
 
 #include "util.h"
 #include "net_util.h"
-#include "Anon.h"
 #include "Val.h"
 #include "NetVar.h"
 

src/Anon.h

@@ -11,11 +11,11 @@
 #pragma once
 
 #include <vector>
-#include <set>
 #include <map>
 
 #include "Reporter.h"
-#include "net_util.h"
+
+using std::map;
 
 // TODO: Anon.h may not be the right place to put these functions ...
 

src/Attr.cc

@@ -4,6 +4,8 @@
 
 #include "Attr.h"
 #include "Expr.h"
+#include "Desc.h"
+#include "Val.h"
 #include "threading/SerialTypes.h"
 
 const char* attr_name(attr_tag t)

src/Attr.h

@@ -3,6 +3,7 @@
 #pragma once
 
 #include "Obj.h"
+#include "BroList.h"
 
 class Expr;
 

src/Base64.cc

@@ -1,5 +1,7 @@
 #include "zeek-config.h"
 #include "Base64.h"
+#include "BroString.h"
+
 #include <math.h>
 
 int Base64Converter::default_base64_table[256];

src/Base64.h

@@ -1,14 +1,10 @@
 #pragma once
 
-#include <assert.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "util.h"
-#include "BroString.h"
 #include "Reporter.h"
 #include "Conn.h"
 
+class BroString;
+
 // Maybe we should have a base class for generic decoders?
 class Base64Converter {
 public:

src/BroString.cc

@@ -1,13 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "BroString.h"
 
 #include <algorithm>
+#include <iostream>
 #include <ctype.h>
 
-#include <algorithm>
-
-#include "BroString.h"
+#include "Val.h"
 #include "Var.h"
 #include "Reporter.h"
 

src/BroString.h

@@ -2,13 +2,13 @@
 
 #pragma once
 
+#include "util.h"
+
 #include <vector>
 #include <string>
-#include <iostream>
-#include <stdlib.h>
-#include <sys/types.h>
+#include <iosfwd>
 
-#include "util.h"
+#include <sys/types.h>
 
 typedef u_char* byte_vec;
 

src/Brofiler.cc

@@ -1,3 +1,5 @@
+#include "Brofiler.h"
+
 #include <cstdio>
 #include <cstring>
 #include <sstream>
@@ -5,7 +7,10 @@
 #include <utility>
 #include <algorithm>
 #include <sys/stat.h>
-#include "Brofiler.h"
+
+#include "Stmt.h"
+#include "Desc.h"
+#include "Reporter.h"
 #include "util.h"
 
 Brofiler::Brofiler()

src/Brofiler.h

@@ -3,8 +3,14 @@
 #include <map>
 #include <utility>
 #include <list>
-#include <Stmt.h>
+#include <string>
 
+using std::list;
+using std::map;
+using std::pair;
+using std::string;
+
+class Stmt;
 
 /**
  * A simple class for managing stats of Bro script coverage across Bro runs.

src/CCL.h

@@ -2,8 +2,9 @@
 
 #pragma once
 
+#include "util.h" // for ptr_compat_int
+
 #include <vector>
-#include "List.h"
 
 typedef std::vector<ptr_compat_int> int_list;
 

src/CompHash.h

@@ -2,10 +2,10 @@
 
 #pragma once
 
-#include "Hash.h"
 #include "Type.h"
 
 class ListVal;
+class HashKey;
 
 class CompositeHash {
 public:

src/Conn.cc

@@ -2,15 +2,18 @@
 
 #include "zeek-config.h"
 
+#include "Conn.h"
+
 #include <ctype.h>
 
+#include "Desc.h"
 #include "Net.h"
 #include "NetVar.h"
-#include "Conn.h"
 #include "Event.h"
 #include "Sessions.h"
 #include "Reporter.h"
 #include "Timer.h"
+#include "iosource/IOSource.h"
 #include "analyzer/protocol/pia/PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"

src/Conn.h

@@ -7,17 +7,15 @@
 #include <string>
 
 #include "Dict.h"
-#include "Val.h"
 #include "Timer.h"
-#include "RuleMatcher.h"
+#include "Rule.h"
 #include "IPAddr.h"
-#include "TunnelEncapsulation.h"
 #include "UID.h"
 #include "WeirdState.h"
+#include "iosource/Packet.h"
 
 #include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
-#include "iosource/Packet.h"
 
 class Connection;
 class ConnectionTimer;
@@ -26,6 +24,9 @@ class LoginConn;
 class RuleHdrTest;
 class Specific_RE_Matcher;
 class RuleEndpointState;
+class EncapsulationStack;
+class Val;
+class RecordVal;
 
 namespace analyzer { class TransportLayerAnalyzer; }
 

src/DFA.cc

@@ -2,8 +2,9 @@
 
 #include "zeek-config.h"
 
-#include "EquivClass.h"
 #include "DFA.h"
+#include "EquivClass.h"
+#include "Desc.h"
 #include "digest.h"
 
 unsigned int DFA_State::transition_counter = 0;

src/DFA.h

@@ -3,9 +3,15 @@
 
 #pragma once
 
-#include <assert.h>
+#include "RE.h" // for typedef AcceptingSet
+#include "Obj.h"
+
+#include <map>
 #include <string>
 
+#include <assert.h>
+#include <sys/types.h> // for u_char
+
 class DFA_State;
 
 // Transitions to the uncomputed state indicate that we haven't yet

src/DNS_Mgr.cc

@@ -2,6 +2,8 @@
 
 #include "zeek-config.h"
 
+#include "DNS_Mgr.h"
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -29,9 +31,9 @@
 
 #include <algorithm>
 
-#include "DNS_Mgr.h"
 #include "Event.h"
 #include "Net.h"
+#include "Val.h"
 #include "Var.h"
 #include "Reporter.h"
 #include "iosource/Manager.h"

src/DNS_Mgr.h

@@ -7,9 +7,7 @@
 #include <queue>
 #include <utility>
 
-#include "util.h"
 #include "List.h"
-#include "Dict.h"
 #include "EventHandler.h"
 #include "iosource/IOSource.h"
 #include "IPAddr.h"

src/DbgBreakpoint.cc

@@ -2,17 +2,22 @@
 
 #include "zeek-config.h"
 
+#include "DbgBreakpoint.h"
+
 #include <assert.h>
 
+#include "Desc.h"
 #include "ID.h"
 #include "Queue.h"
 #include "Debug.h"
 #include "Scope.h"
+#include "Frame.h"
 #include "Func.h"
+#include "Val.h"
 #include "Stmt.h"
-#include "DbgBreakpoint.h"
 #include "Timer.h"
-
+#include "Reporter.h"
+#include "module_util.h"
 
 // BreakpointTimer used for time-based breakpoints
 class BreakpointTimer : public Timer {

src/DbgBreakpoint.h

@@ -2,7 +2,12 @@
 
 #pragma once
 
-#include "Debug.h"
+#include <string>
+
+using std::string;
+
+struct ParseLocationRec;
+class Stmt;
 
 enum BreakCode { bcNoHit, bcHit, bcHitAndDelete };
 class DbgBreakpoint {

src/DbgDisplay.h

@@ -2,7 +2,7 @@
 
 #pragma once
 
-#include "Debug.h"
+class Expr;
 
 // Automatic displays: display these at each stoppage.
 class DbgDisplay {

src/DbgWatch.h

@@ -2,7 +2,8 @@
 
 #pragma once
 
-#include "Debug.h"
+class BroObj;
+class Expr;
 
 class DbgWatch {
 public:

src/Debug.cc

@@ -2,6 +2,8 @@
 
 #include "zeek-config.h"
 
+#include "Debug.h"
+
 #include <stdio.h>
 #include <stdarg.h>
 #include <signal.h>
@@ -11,13 +13,20 @@
 using namespace std;
 
 #include "util.h"
-#include "Debug.h"
 #include "DebugCmds.h"
 #include "DbgBreakpoint.h"
+#include "ID.h"
+#include "Expr.h"
 #include "Stmt.h"
+#include "Frame.h"
 #include "Func.h"
 #include "Scope.h"
 #include "PolicyFile.h"
+#include "Desc.h"
+#include "Reporter.h"
+#include "Val.h"
+#include "module_util.h"
+#include "input.h"
 
 #ifdef HAVE_READLINE
 #include <readline/readline.h>

src/Debug.h

@@ -2,10 +2,15 @@
 
 #pragma once
 
+#include "Obj.h"
+#include "Queue.h"
+#include "StmtEnums.h"
+
 #include <vector>
 #include <map>
 #include <string>
 
+class Val;
 class Stmt;
 
 // This needs to be defined before we do the includes that come after it.
@@ -17,17 +22,10 @@ struct ParseLocationRec {
 	int line;
 };
 
-#include "Expr.h"
-#include "Var.h"
-#include "Frame.h"
-#include "Queue.h"
-#include "Dict.h"
-#include "StmtEnums.h"
-#include "DbgBreakpoint.h"
-
 class StmtLocMapping;
 typedef PQueue<StmtLocMapping> Filemap; // mapping for a single file
 
+class Frame;
 class DbgBreakpoint;
 class DbgWatch;
 class DbgDisplay;

src/DebugCmds.cc

@@ -2,6 +2,7 @@
 // implementation of most commands.
 
 #include "zeek-config.h"
+#include "DebugCmds.h"
 
 #include <sys/types.h>
 
@@ -9,14 +10,18 @@
 #include <string.h>
 #include <assert.h>
 
-#include "Debug.h"
-#include "DebugCmds.h"
 #include "DebugCmdInfoConstants.cc"
+#include "Debug.h"
+#include "Desc.h"
 #include "DbgBreakpoint.h"
+#include "ID.h"
+#include "Frame.h"
 #include "Func.h"
 #include "Stmt.h"
 #include "Scope.h"
+#include "Reporter.h"
 #include "PolicyFile.h"
+#include "Val.h"
 #include "util.h"
 
 //

src/Desc.cc

@@ -1,15 +1,15 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Desc.h"
 
 #include <stdlib.h>
+#include <string.h>
 #include <errno.h>
 #include <math.h>
 
-#include "Desc.h"
 #include "File.h"
 #include "Reporter.h"
-
 #include "ConvertUTF.h"
 
 #define DEFAULT_SIZE 128

src/Desc.h

@@ -2,12 +2,14 @@
 
 #pragma once
 
-#include <stdio.h>
+#include "BroString.h" // for byte_vec
+#include "util.h" // for bro_int_t
+
 #include <set>
 #include <utility>
 #include <string>
 
-#include "BroString.h"
+#include <sys/types.h> // for u_char
 
 typedef enum {
 	DESC_READABLE,

src/Discard.cc

@@ -1,13 +1,18 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <algorithm>
-
 #include "zeek-config.h"
 
-#include "Net.h"
-#include "Var.h"
 #include "Discard.h"
 
+#include <algorithm>
+
+#include "Net.h"
+#include "Func.h"
+#include "Var.h"
+#include "Val.h"
+#include "IP.h"
+#include "Reporter.h" // for InterpreterException
+
 Discarder::Discarder()
 	{
 	check_ip = internal_func("discarder_check_ip");

src/Discard.h

@@ -2,14 +2,14 @@
 
 #pragma once
 
-#include "IP.h"
-#include "Func.h"
+#include <sys/types.h> // for u_char
 
 struct ip;
 struct tcphdr;
 struct udphdr;
 struct icmp;
 
+class IP_Hdr;
 class Val;
 class RecordType;
 class Func;

src/EquivClass.cc

@@ -3,6 +3,7 @@
 #include "zeek-config.h"
 
 #include "EquivClass.h"
+#include "CCL.h"
 
 EquivClass::EquivClass(int arg_size)
 	{

src/EquivClass.h

@@ -4,7 +4,7 @@
 
 #include <stdio.h>
 
-#include "CCL.h"
+class CCL;
 
 class EquivClass {
 public:

src/Event.cc

@@ -3,6 +3,7 @@
 #include "zeek-config.h"
 
 #include "Event.h"
+#include "Desc.h"
 #include "Func.h"
 #include "NetVar.h"
 #include "Trigger.h"

src/Event.h

@@ -2,10 +2,8 @@
 
 #pragma once
 
-#include "EventRegistry.h"
-
-#include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
+#include "Val.h"
 
 class EventMgr;
 

src/EventHandler.cc

@@ -1,5 +1,6 @@
-#include "Event.h"
 #include "EventHandler.h"
+#include "Event.h"
+#include "Desc.h"
 #include "Func.h"
 #include "Scope.h"
 #include "NetVar.h"

src/EventHandler.h

@@ -2,11 +2,10 @@
 
 #pragma once
 
-#include <assert.h>
+#include "BroList.h"
+
 #include <unordered_set>
 #include <string>
-#include "List.h"
-#include "BroList.h"
 
 class Func;
 class FuncType;

src/EventRegistry.cc

@@ -1,4 +1,5 @@
 #include "EventRegistry.h"
+#include "EventHandler.h"
 #include "RE.h"
 #include "Reporter.h"
 

src/EventRegistry.h

@@ -4,11 +4,14 @@
 
 #include <map>
 #include <string>
+#include <vector>
 
-#include "Func.h"
-#include "List.h"
-#include "Dict.h"
-#include "EventHandler.h"
+using std::string;
+using std::vector;
+
+class EventHandler;
+class EventHandlerPtr;
+class RE_Matcher;
 
 // The registry keeps track of all events that we provide or handle.
 class EventRegistry {

src/Expr.cc

@@ -4,6 +4,7 @@
 
 #include "Expr.h"
 #include "Event.h"
+#include "Desc.h"
 #include "Frame.h"
 #include "Func.h"
 #include "RE.h"
@@ -15,6 +16,8 @@
 #include "Trigger.h"
 #include "IPAddr.h"
 #include "digest.h"
+#include "module_util.h"
+#include "DebugLogger.h"
 
 #include "broker/Data.h"
 

src/Expr.h

@@ -5,16 +5,18 @@
 // BRO expressions.
 
 #include "BroList.h"
-#include "ID.h"
 #include "Timer.h"
+#include "Type.h"
 #include "Val.h"
-#include "Debug.h"
 #include "EventHandler.h"
 #include "TraverseTypes.h"
 
 #include <memory>
+#include <string>
 #include <utility>
 
+using std::string;
+
 typedef enum {
 	EXPR_ANY = -1,
 	EXPR_NAME, EXPR_CONST,
@@ -873,8 +875,6 @@ protected:
 	int num_fields;
 };
 
-class EventHandler;
-
 class ScheduleTimer : public Timer {
 public:
 	ScheduleTimer(EventHandlerPtr event, val_list* args, double t,

src/File.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "File.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -20,13 +21,14 @@
 
 #include <algorithm>
 
-#include "File.h"
+#include "Attr.h"
 #include "Type.h"
 #include "Expr.h"
 #include "NetVar.h"
 #include "Net.h"
 #include "Event.h"
 #include "Reporter.h"
+#include "Desc.h"
 
 std::list<std::pair<std::string, BroFile*>> BroFile::open_files;
 

src/File.h

@@ -2,19 +2,21 @@
 
 #pragma once
 
-#include <fcntl.h>
-#include "util.h"
 #include "Obj.h"
-#include "Attr.h"
 
 #include <list>
+#include <string>
 #include <utility>
 
+#include <fcntl.h>
+
 # ifdef NEED_KRB5_H
 #  include <krb5.h>
 # endif // NEED_KRB5_H
 
+class Attributes;
 class BroType;
+class RecordVal;
 
 class BroFile : public BroObj {
 public:

src/Frag.cc

@@ -2,11 +2,12 @@
 
 #include "zeek-config.h"
 
-#include "util.h"
-#include "Hash.h"
 #include "Frag.h"
+#include "Hash.h"
+#include "IP.h"
 #include "NetVar.h"
 #include "Sessions.h"
+#include "Reporter.h"
 
 #define MIN_ACCEPTABLE_FRAG_SIZE 64
 #define MAX_ACCEPTABLE_FRAG_SIZE 64000

src/Frag.h

@@ -2,16 +2,18 @@
 
 #pragma once
 
-#include <tuple>
-
-#include "util.h"
-#include "IP.h"
-#include "Net.h"
+#include "util.h" // for bro_uint_t
+#include "IPAddr.h"
 #include "Reassem.h"
 #include "Timer.h"
 
+#include <tuple>
+
+#include <sys/types.h> // for u_char
+
 class HashKey;
 class NetSessions;
+class IP_Hdr;
 
 class FragReassembler;
 class FragTimer;

src/Frame.cc

@@ -1,9 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "Frame.h"
+
 #include <broker/error.hh>
 #include "broker/Data.h"
 
-#include "Frame.h"
+#include "Func.h"
+#include "Desc.h"
+#include "IntrusivePtr.h"
 #include "Trigger.h"
 
 vector<Frame*> g_frame_stack;

src/Frame.h

@@ -2,17 +2,20 @@
 
 #pragma once
 
+#include "BroList.h" // for typedef val_list
+#include "Val.h"
+
 #include <unordered_map>
-#include <memory>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include <broker/data.hh>
 #include <broker/expected.hh>
 
-#include "Val.h"
-
 namespace trigger { class Trigger; }
 class CallExpr;
+class BroFunc;
 
 class Frame :  public BroObj {
 public:

src/Func.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Func.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -32,12 +33,14 @@
 #include <broker/error.hh>
 
 #include "Base64.h"
+#include "Debug.h"
+#include "Desc.h"
+#include "Expr.h"
 #include "Stmt.h"
 #include "Scope.h"
 #include "Net.h"
 #include "NetVar.h"
 #include "File.h"
-#include "Func.h"
 #include "Frame.h"
 #include "Var.h"
 #include "analyzer/protocol/login/Login.h"
@@ -47,6 +50,9 @@
 #include "Traverse.h"
 #include "Reporter.h"
 #include "plugin/Manager.h"
+#include "module_util.h"
+#include "iosource/PktSrc.h"
+#include "iosource/PktDumper.h"
 
 extern	RETSIGTYPE sig_handler(int signo);
 

src/Func.h

@@ -2,16 +2,21 @@
 
 #pragma once
 
+#include "BroList.h"
+#include "Obj.h"
+#include "Type.h" /* for function_flavor */
+#include "TraverseTypes.h"
+
 #include <utility>
 #include <memory>
+#include <string>
+#include <vector>
 
 #include <broker/data.hh>
 #include <broker/expected.hh>
 
-#include "BroList.h"
-#include "Obj.h"
-#include "Debug.h"
-#include "Frame.h"
+using std::string;
+using std::vector;
 
 class Val;
 class ListExpr;
@@ -20,6 +25,7 @@ class Stmt;
 class Frame;
 class ID;
 class CallExpr;
+class Scope;
 
 class Func : public BroObj {
 public:

src/Hash.cc

@@ -19,6 +19,7 @@
 
 #include "Hash.h"
 #include "Reporter.h"
+#include "BroString.h"
 
 #include "siphash24.h"
 

src/Hash.h

@@ -2,12 +2,14 @@
 
 #pragma once
 
+#include "util.h" // for bro_int_t
+
 #include <stdlib.h>
 
-#include "BroString.h"
-
 #define UHASH_KEY_SIZE 36
 
+class BroString;
+
 typedef uint64_t hash_t;
 
 typedef enum {

src/ID.cc

@@ -3,6 +3,7 @@
 #include "zeek-config.h"
 
 #include "ID.h"
+#include "Desc.h"
 #include "Expr.h"
 #include "Dict.h"
 #include "EventRegistry.h"
@@ -11,7 +12,11 @@
 #include "File.h"
 #include "Scope.h"
 #include "Traverse.h"
+#include "Val.h"
 #include "zeekygen/Manager.h"
+#include "zeekygen/IdentifierInfo.h"
+#include "zeekygen/ScriptInfo.h"
+#include "module_util.h"
 
 ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
 	{

src/ID.h

@@ -2,14 +2,21 @@
 
 #pragma once
 
+#include "Obj.h"
 #include "Type.h"
 #include "Attr.h"
 #include "Notifier.h"
 #include "TraverseTypes.h"
+
+#include <map>
 #include <string>
+#include <vector>
 
 class Val;
+class Expr;
 class Func;
+class BroType;
+class Attributes;
 
 typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class;
 typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope;

src/IP.cc

@@ -1,10 +1,11 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "IP.h"
+
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/icmp6.h>
 
-#include "IP.h"
 #include "Type.h"
 #include "Val.h"
 #include "Var.h"

src/IP.h

@@ -3,15 +3,16 @@
 #pragma once
 
 #include "zeek-config.h"
-#include "net_util.h"
 #include "IPAddr.h"
 #include "Reporter.h"
-#include "Val.h"
-#include "Type.h"
 #include <vector>
+
+#include <sys/types.h> // for u_char
 #include <netinet/in.h>
 #include <netinet/ip.h>
 
+using std::vector;
+
 #ifdef ENABLE_MOBILE_IPV6
 
 #ifndef IPPROTO_MOBILITY

src/IPAddr.h

@@ -2,17 +2,16 @@
 
 #pragma once
 
+#include "BroString.h"
+#include "Hash.h"
+#include "threading/SerialTypes.h"
+
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <string.h>
 #include <string>
 
-#include "BroString.h"
-#include "Hash.h"
-#include "util.h"
-#include "Type.h"
-#include "threading/SerialTypes.h"
-
+using std::string;
 struct ConnID;
 namespace analyzer { class ExpectedConn; }
 

src/NFA.cc

@@ -2,10 +2,12 @@
 
 #include "zeek-config.h"
 
-#include <algorithm>
-
 #include "NFA.h"
+#include "Desc.h"
 #include "EquivClass.h"
+#include "IntSet.h"
+
+#include <algorithm>
 
 static int nfa_state_id = 0;
 

src/NFA.h

@@ -2,9 +2,11 @@
 
 #pragma once
 
-#include "RE.h"
-#include "IntSet.h"
+#include "Obj.h"
+#include "List.h"
 
+class CCL;
+class Func;
 class NFA_State;
 class EquivClass;
 

src/Net.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Net.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -19,13 +20,16 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+extern "C" {
+#include "setsignal.h"
+};
+
 #include "NetVar.h"
 #include "Sessions.h"
 #include "Event.h"
 #include "Timer.h"
 #include "Var.h"
 #include "Reporter.h"
-#include "Net.h"
 #include "Anon.h"
 #include "PacketDumper.h"
 #include "iosource/Manager.h"
@@ -34,10 +38,6 @@
 #include "plugin/Manager.h"
 #include "broker/Manager.h"
 
-extern "C" {
-#include "setsignal.h"
-};
-
 extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
 }

src/Net.h

@@ -2,14 +2,14 @@
 
 #pragma once
 
+#include <list>
 #include <vector>
 #include <string>
 #include <optional>
 
-#include "net_util.h"
-#include "util.h"
-#include "List.h"
-#include "Func.h"
+#include <sys/stat.h> // for ino_t
+
+using std::string;
 
 namespace iosource {
 	class IOSource;

src/NetVar.cc

@@ -2,8 +2,10 @@
 
 #include "zeek-config.h"
 
-#include "Var.h"
 #include "NetVar.h"
+#include "Var.h"
+#include "EventHandler.h"
+#include "Val.h"
 
 RecordType* conn_id;
 RecordType* endpoint;

src/Notifier.cc

@@ -1,7 +1,9 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "DebugLogger.h"
 #include "Notifier.h"
+#include "DebugLogger.h"
+
+#include <set>
 
 notifier::Registry notifier::registry;
 

src/Notifier.h

@@ -7,12 +7,7 @@
 
 #pragma once
 
-#include <set>
 #include <unordered_map>
-#include <string>
-
-#include "util.h"
-#include "DebugLogger.h"
 
 namespace notifier  {
 

src/Obj.cc

@@ -1,10 +1,11 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Obj.h"
 
 #include <stdlib.h>
 
-#include "Obj.h"
+#include "Desc.h"
 #include "Func.h"
 #include "File.h"
 #include "plugin/Manager.h"

src/Obj.h

@@ -4,8 +4,7 @@
 
 #include <limits.h>
 
-#include "input.h"
-#include "Desc.h"
+class ODesc;
 
 class Location {
 public:

src/OpaqueVal.cc

@@ -5,9 +5,12 @@
 #include "OpaqueVal.h"
 #include "NetVar.h"
 #include "Reporter.h"
+#include "Desc.h"
+#include "Var.h"
 #include "probabilistic/BloomFilter.h"
 #include "probabilistic/CardinalityCounter.h"
 
+#include <broker/data.hh>
 #include <broker/error.hh>
 
 // Helper to retrieve a broker value out of a broker::vector at a specified

src/OpaqueVal.h

@@ -2,14 +2,16 @@
 
 #pragma once
 
-#include <broker/data.hh>
-#include <broker/expected.hh>
-
 #include "RandTest.h"
 #include "Val.h"
 #include "digest.h"
 #include "paraglob/paraglob.h"
 
+#include <broker/expected.hh>
+
+#include <sys/types.h> // for u_char
+
+namespace broker { class data; }
 class OpaqueVal;
 
 /**

src/Options.cc

@@ -1,9 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <unistd.h>
-
 #include "zeek-config.h"
 
+#include "Options.h"
+
+#include <algorithm>
+
+#include <unistd.h>
+
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -11,8 +15,6 @@
 #include "bsd-getopt-long.h"
 #include "logging/writers/ascii/Ascii.h"
 
-#include "Options.h"
-
 void zeek::Options::filter_supervisor_options()
 	{
 	pcap_filter = {};

src/PacketDumper.cc

@@ -1,14 +1,10 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-
 #include "zeek-config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
 #include "PacketDumper.h"
+#include "Reporter.h"
+#include "util.h"
+#include "iosource/PktDumper.h"
 
 PacketDumper::PacketDumper(pcap_dumper_t* arg_pkt_dump)
 	{

src/PacketDumper.h

@@ -4,6 +4,8 @@
 
 #include <pcap.h>
 
+#include <sys/types.h> // for u_char
+
 class PacketDumper {
 public:
 	explicit PacketDumper(pcap_dumper_t* pkt_dump);

src/PacketFilter.cc

@@ -1,4 +1,5 @@
 #include "PacketFilter.h"
+#include "IP.h"
 
 void PacketFilter::DeleteFilter(void* data)
 	{

src/PacketFilter.h

@@ -2,9 +2,12 @@
 
 #pragma once
 
-#include "IP.h"
+#include "IPAddr.h"
 #include "PrefixTable.h"
 
+class IP_Hdr;
+class Val;
+
 class PacketFilter {
 public:
 	explicit PacketFilter(bool arg_default);

src/PrefixTable.cc

@@ -1,5 +1,6 @@
 #include "PrefixTable.h"
 #include "Reporter.h"
+#include "Val.h"
 
 prefix_t* PrefixTable::MakePrefix(const IPAddr& addr, int width)
 	{

src/PrefixTable.h

@@ -1,13 +1,19 @@
 #pragma once
 
-#include "Val.h"
-#include "net_util.h"
 #include "IPAddr.h"
 
 extern "C" {
 	#include "patricia.h"
 }
 
+#include <list>
+
+using std::list;
+using std::tuple;
+
+class Val;
+class SubNetVal;
+
 class PrefixTable {
 private:
 	struct iterator {

src/PriorityQueue.h

@@ -3,7 +3,7 @@
 #pragma once
 
 #include <math.h>
-#include "util.h"
+#include <stdint.h>
 
 class PriorityQueue;
 

src/Queue.h

@@ -2,6 +2,8 @@
 
 #pragma once
 
+#include <iterator>
+
 // Queue.h --
 //	Interface for class Queue, current implementation is as an
 //	array of ent's.  This implementation was chosen to optimize

src/RE.cc

@@ -1,15 +1,16 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "RE.h"
 
 #include <stdlib.h>
 #include <utility>
 
-#include "RE.h"
 #include "DFA.h"
 #include "CCL.h"
 #include "EquivClass.h"
 #include "Reporter.h"
+#include "BroString.h"
 
 CCL* curr_ccl = 0;
 

src/RE.h

@@ -2,9 +2,7 @@
 
 #pragma once
 
-#include "Obj.h"
-#include "Dict.h"
-#include "BroString.h"
+#include "List.h"
 #include "CCL.h"
 #include "EquivClass.h"
 
@@ -12,6 +10,7 @@
 #include <map>
 #include <string>
 
+#include <sys/types.h> // for u_char
 #include <ctype.h>
 typedef int (*cce_func)(int);
 
@@ -21,6 +20,7 @@ class DFA_Machine;
 class Specific_RE_Matcher;
 class RE_Matcher;
 class DFA_State;
+class BroString;
 
 extern int case_insensitive;
 extern CCL* curr_ccl;

src/RandTest.cc

@@ -12,9 +12,10 @@
 	Modified for Bro by Seth Hall - July 2010
 */
 
-#include <math.h>
 #include "RandTest.h"
 
+#include <math.h>
+
 #define log2of10 3.32192809488736234787
 /*  RT_LOG2  --  Calculate log to the base 2  */
 static double rt_log2(double x)

src/RandTest.h

@@ -1,6 +1,6 @@
 #pragma once
 
-#include "util.h"
+#include <stdint.h>
 
 #define RT_MONTEN 6  /* Bytes used as Monte Carlo
                         co-ordinates. This should be no more

src/Reassem.cc

@@ -1,10 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "zeek-config.h"
+#include "Reassem.h"
+
 #include <algorithm>
 
-#include "zeek-config.h"
+#include "Desc.h"
 
-#include "Reassem.h"
+using std::min;
 
 uint64_t Reassembler::total_size = 0;
 uint64_t Reassembler::sizes[REASSEM_NUM];

src/Reassem.h

@@ -5,7 +5,10 @@
 #include <map>
 
 #include "Obj.h"
-#include "IPAddr.h"
+
+#include <assert.h>
+#include <string.h>
+#include <sys/types.h> // for u_char
 
 // Whenever subclassing the Reassembler class
 // you should add to this for known subclasses.

src/Reporter.cc

@@ -2,18 +2,23 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 
+#include "zeek-config.h"
+#include "Reporter.h"
+
 #include <unistd.h>
 #include <syslog.h>
 
-#include "zeek-config.h"
-#include "Reporter.h"
+#include "Desc.h"
 #include "Event.h"
+#include "Expr.h"
 #include "NetVar.h"
 #include "Net.h"
 #include "Conn.h"
 #include "Timer.h"
+#include "EventHandler.h"
 #include "plugin/Plugin.h"
 #include "plugin/Manager.h"
+#include "input.h"
 #include "file_analysis/File.h"
 
 #ifdef SYSLOG_INT

src/Reporter.h

@@ -11,8 +11,6 @@
 #include <unordered_set>
 #include <unordered_map>
 
-#include "util.h"
-#include "EventHandler.h"
 #include "IPAddr.h"
 
 namespace analyzer { class Analyzer; }
@@ -20,6 +18,7 @@ namespace file_analysis { class File; }
 class Connection;
 class Location;
 class Reporter;
+class EventHandlerPtr;
 
 // One cannot raise this exception directly, go through the
 // Reporter's methods instead.

src/Rule.cc

@@ -1,6 +1,8 @@
 #include "zeek-config.h"
 
 #include "Rule.h"
+#include "RuleAction.h"
+#include "RuleCondition.h"
 #include "RuleMatcher.h"
 
 // Start at one as we want search for this within a list,

src/Rule.h

@@ -1,17 +1,17 @@
 #pragma once
 
-#include <limits.h>
-#include <map>
-
-#include "Obj.h"
 #include "List.h"
-#include "Dict.h"
-#include "util.h"
+#include "Obj.h"
+
+#include <map>
+#include <string>
+
+#include <limits.h>
+#include <stdint.h>
 
 class RuleCondition;
 class RuleAction;
 class RuleHdrTest;
-
 class Rule;
 
 typedef PList<Rule> rule_list;

src/RuleAction.h

@@ -1,11 +1,15 @@
 #pragma once
 
-#include "BroString.h"
-#include "List.h"
 #include "util.h"
 
 #include "analyzer/Tag.h"
 
+#include <string>
+
+#include <sys/types.h> // for u_char
+
+using std::string;
+
 class Rule;
 class RuleEndpointState;
 

src/RuleCondition.cc

@@ -1,8 +1,13 @@
 #include "zeek-config.h"
 
 #include "RuleCondition.h"
+#include "RuleMatcher.h"
 #include "analyzer/protocol/tcp/TCP.h"
+#include "Reporter.h"
 #include "Scope.h"
+#include "Func.h"
+#include "Val.h"
+#include "Var.h" // for internal_type()
 
 static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
 	{

src/RuleCondition.h

@@ -1,10 +1,9 @@
 #pragma once
 
-#include "BroString.h"
-#include "Func.h"
-#include "List.h"
-#include "util.h"
+#include <stdint.h> // for u_char
+#include <sys/types.h> // for u_char
 
+class ID;
 class Rule;
 class RuleEndpointState;
 

src/RuleMatcher.cc

@@ -1,15 +1,23 @@
+
+#include "zeek-config.h"
+#include "RuleMatcher.h"
+
 #include <algorithm>
 #include <functional>
 
-#include "zeek-config.h"
-
+#include "RuleAction.h"
+#include "RuleCondition.h"
+#include "ID.h"
+#include "IntSet.h"
+#include "IP.h"
 #include "analyzer/Analyzer.h"
-#include "RuleMatcher.h"
 #include "DFA.h"
+#include "DebugLogger.h"
 #include "NetVar.h"
 #include "Scope.h"
 #include "File.h"
 #include "Reporter.h"
+#include "module_util.h"
 
 // FIXME: Things that are not fully implemented/working yet:
 //

src/RuleMatcher.h

@@ -1,24 +1,17 @@
 #pragma once
 
-#include <limits.h>
+#include "Rule.h"
+#include "RE.h"
+#include "CCL.h"
+
 #include <vector>
 #include <map>
 #include <functional>
 #include <set>
 #include <string>
 
-#include "IPAddr.h"
-#include "BroString.h"
-#include "List.h"
-#include "RE.h"
-#include "Net.h"
-#include "Sessions.h"
-#include "IntSet.h"
-#include "util.h"
-#include "Rule.h"
-#include "RuleAction.h"
-#include "RuleCondition.h"
-#include "iosource/Packet.h"
+#include <sys/types.h> // for u_char
+#include <limits.h>
 
 //#define MATCHER_PRINT_STATS
 
@@ -34,6 +27,18 @@ extern FILE* rules_in;
 extern int rules_line_number;
 extern const char* current_rule_file;
 
+using std::vector;
+using std::map;
+using std::set;
+using std::string;
+
+class Val;
+class BroFile;
+class IntSet;
+class IP_Hdr;
+class IPPrefix;
+class RE_Match_State;
+class Specific_RE_Matcher;
 class RuleMatcher;
 extern RuleMatcher* rule_matcher;
 

src/Scope.cc

@@ -2,10 +2,12 @@
 
 #include "zeek-config.h"
 
+#include "Scope.h"
+#include "Desc.h"
 #include "ID.h"
 #include "Val.h"
-#include "Scope.h"
 #include "Reporter.h"
+#include "module_util.h"
 
 typedef PList<Scope> scope_list;
 

src/Scope.h

@@ -5,11 +5,9 @@
 #include <string>
 #include <map>
 
-#include "Dict.h"
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
-#include "module_util.h"
 
 class ID;
 class BroType;

src/SerializationFormat.cc

@@ -1,9 +1,10 @@
+#include "SerializationFormat.h"
+
 #include <ctype.h>
 
-#include "net_util.h"
-#include "SerializationFormat.h"
 #include "DebugLogger.h"
 #include "Reporter.h"
+#include "net_util.h"
 
 const float SerializationFormat::GROWTH_FACTOR = 2.5;
 

src/SerializationFormat.h

@@ -4,7 +4,7 @@
 
 #include <string>
 
-#include "util.h"
+#include <stdint.h>
 
 class IPAddr;
 class IPPrefix;

src/Sessions.cc

@@ -2,6 +2,7 @@
 
 
 #include "zeek-config.h"
+#include "Sessions.h"
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -9,11 +10,11 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+#include "Desc.h"
 #include "Net.h"
 #include "Event.h"
 #include "Timer.h"
 #include "NetVar.h"
-#include "Sessions.h"
 #include "Reporter.h"
 
 #include "analyzer/protocol/icmp/ICMP.h"

src/Sessions.h

@@ -2,26 +2,25 @@
 
 #pragma once
 
+#include "Frag.h"
+#include "PacketFilter.h"
+#include "NetVar.h"
+#include "analyzer/protocol/tcp/Stats.h"
+
 #include <map>
 #include <utility>
 
-#include "Dict.h"
-#include "CompHash.h"
-#include "IP.h"
-#include "Frag.h"
-#include "PacketFilter.h"
-#include "Stats.h"
-#include "NetVar.h"
-#include "TunnelEncapsulation.h"
-#include "analyzer/protocol/tcp/Stats.h"
+#include <sys/types.h> // for u_char
 
 class EncapsulationStack;
+class EncapsulatingConn;
+class Packet;
+class PacketProfiler;
 class Connection;
 class ConnCompressor;
 struct ConnID;
 
 class Discarder;
-class PacketFilter;
 
 namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
 namespace analyzer { namespace arp { class ARP_Analyzer; } }

src/SmithWaterman.cc

@@ -9,6 +9,7 @@
 #include "Var.h"
 #include "util.h"
 #include "Reporter.h"
+#include "Val.h"
 
 BroSubstring::BroSubstring(const BroSubstring& bst)
 : BroString((const BroString&) bst), _num(), _new(bst._new)

src/Stats.cc

@@ -1,15 +1,19 @@
+#include "Stats.h"
+#include "RuleMatcher.h"
 #include "Conn.h"
 #include "File.h"
 #include "Event.h"
+#include "Net.h"
 #include "NetVar.h"
+#include "Var.h" // for internal_type()
 #include "Sessions.h"
-#include "Stats.h"
 #include "Scope.h"
 #include "cq.h"
 #include "DNS_Mgr.h"
 #include "Trigger.h"
 #include "threading/Manager.h"
 #include "broker/Manager.h"
+#include "input.h"
 
 uint64_t killed_by_inactivity = 0;
 

src/Stats.h

@@ -5,6 +5,12 @@
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/resource.h>
+#include <stdint.h>
+
+class Func;
+class TableVal;
+class Location;
+class BroFile;
 
 // Object called by SegmentProfiler when it is done and reports its
 // cumulative CPU/memory statistics.

src/Stmt.cc

@@ -11,6 +11,7 @@
 #include "Stmt.h"
 #include "Scope.h"
 #include "Var.h"
+#include "Desc.h"
 #include "Debug.h"
 #include "Traverse.h"
 #include "Trigger.h"

src/Stmt.h

@@ -5,8 +5,9 @@
 // BRO statements.
 
 #include "BroList.h"
+#include "Dict.h"
+#include "ID.h"
 #include "Obj.h"
-#include "Expr.h"
 #include "Reporter.h"
 
 #include "StmtEnums.h"
@@ -14,7 +15,11 @@
 #include "TraverseTypes.h"
 
 class StmtList;
+class CompositeHash;
+class EventExpr;
+class ListExpr;
 class ForStmt;
+class Frame;
 
 class Stmt : public BroObj {
 public: