Merge remote-tracking branch 'max/include_cleanup'

* max/include_cleanup:
  UID, ..: un-inline methods to reduce header dependencies
  include cleanup

CHANGES

@@ -1,4 +1,56 @@
 
+3.1.0-dev.542 | 2020-02-04 14:05:19 -0700
+
+  * UID, ..: un-inline methods to reduce header dependencies
+
+    Only 1% build time speedup, but still, it declutters the headers a bit.
+
+    Before this patch:
+
+     2565.17user 141.83system 2:25.46elapsed 1860%CPU (0avgtext+0avgdata 1489076maxresident)k
+     72576inputs+9130920outputs (1667major+49400430minor)pagefaults 0swaps
+
+    After this patch:
+
+     2537.19user 142.94system 2:26.90elapsed 1824%CPU (0avgtext+0avgdata 1434268maxresident)k
+     16240inputs+8887152outputs (1931major+48728888minor)pagefaults 0swaps (Max Kellermann)
+
+  * include cleanup
+
+    The Zeek code base has very inconsistent #includes.  Many sources
+    included a few headers, and those headers included other headers, and
+    in the end, nearly everything is included everywhere, so missing
+    #includes were never noticed.  Another side effect was a lot of header
+    bloat which slows down the build.
+
+    First step to fix it: in each source file, its own header should be
+    included first to verify that each header's includes are correct, and
+    none is missing.
+
+    After adding the missing #includes, I replaced lots of #includes
+    inside headers with class forward declarations.  In most headers,
+    object pointers are never referenced, so declaring the function
+    prototypes with forward-declared classes is just fine.
+
+    This patch speeds up the build by 19%, because each compilation unit
+    gets smaller.  Here are the "time" numbers for a fresh build (with a
+    warm page cache but without ccache):
+
+    Before this patch:
+
+     3144.94user 161.63system 3:02.87elapsed 1808%CPU (0avgtext+0avgdata 2168608maxresident)k
+     760inputs+12008400outputs (1511major+57747204minor)pagefaults 0swaps
+
+    After this patch:
+
+     2565.17user 141.83system 2:25.46elapsed 1860%CPU (0avgtext+0avgdata 1489076maxresident)k
+     72576inputs+9130920outputs (1667major+49400430minor)pagefaults 0swaps (Max Kellermann)
+
+  * Updating submodule(s).
+
+     [nomail] (Jon Siwek, Corelight)
+
+
 3.1.0-dev.538 | 2020-02-04 11:57:35 +0000
 
   * Updating submodules.

VERSION

@@ -1 +1 @@
-3.1.0-dev.538
+3.1.0-dev.542

src/Anon.cc

@@ -1,3 +1,5 @@
+#include "Anon.h"
+
 #include <stdlib.h>
 #include <unistd.h>
 #include <assert.h>
@@ -5,9 +7,9 @@
 
 #include "util.h"
 #include "net_util.h"
-#include "Anon.h"
 #include "Val.h"
 #include "NetVar.h"
+#include "Reporter.h"
 
 
 AnonymizeIPAddr* ip_anonymizer[NUM_ADDR_ANONYMIZATION_METHODS] = {0};
@@ -66,6 +68,13 @@ ipaddr32_t AnonymizeIPAddr::Anonymize(ipaddr32_t addr)
 		}
 	}
 
+// Keep the specified prefix unchanged.
+int AnonymizeIPAddr::PreservePrefix(ipaddr32_t /* input */, int /* num_bits */)
+	{
+	reporter->InternalError("prefix preserving is not supported for the anonymizer");
+	return 0;
+	}
+
 int AnonymizeIPAddr::PreserveNet(ipaddr32_t input)
 	{
 	switch ( addr_to_class(ntohl(input)) ) {

src/Anon.h

@@ -11,11 +11,9 @@
 #pragma once
 
 #include <vector>
-#include <set>
 #include <map>
 
-#include "Reporter.h"
+using std::map;
-#include "net_util.h"
 
 // TODO: Anon.h may not be the right place to put these functions ...
 
@@ -46,12 +44,7 @@ public:
 
 	ipaddr32_t Anonymize(ipaddr32_t addr);
 
-	// Keep the specified prefix unchanged.
+	virtual int PreservePrefix(ipaddr32_t input, int num_bits);
-	virtual int PreservePrefix(ipaddr32_t /* input */, int /* num_bits */)
-		{
-		reporter->InternalError("prefix preserving is not supported for the anonymizer");
-		return 0;
-		}
 
 	virtual ipaddr32_t anonymize(ipaddr32_t addr) = 0;
 	

src/Attr.cc

@@ -4,6 +4,8 @@
 
 #include "Attr.h"
 #include "Expr.h"
+#include "Desc.h"
+#include "Val.h"
 #include "threading/SerialTypes.h"
 
 const char* attr_name(attr_tag t)

src/Attr.h

@@ -3,6 +3,7 @@
 #pragma once
 
 #include "Obj.h"
+#include "BroList.h"
 
 class Expr;
 

src/Base64.cc

@@ -1,5 +1,9 @@
 #include "zeek-config.h"
 #include "Base64.h"
+#include "BroString.h"
+#include "Reporter.h"
+#include "Conn.h"
+
 #include <math.h>
 
 int Base64Converter::default_base64_table[256];
@@ -215,6 +219,14 @@ int Base64Converter::Done(int* pblen, char** pbuf)
 	return 0;
 	}
 
+void Base64Converter::IllegalEncoding(const char* msg)
+		{
+		// strncpy(error_msg, msg, sizeof(error_msg));
+		if ( conn )
+			conn->Weird("base64_illegal_encoding", msg);
+		else
+			reporter->Error("%s", msg);
+		}
 
 BroString* decode_base64(const BroString* s, const BroString* a, Connection* conn)
 	{
@@ -266,4 +278,3 @@ BroString* encode_base64(const BroString* s, const BroString* a, Connection* con
 
 	return new BroString(1, (u_char*)outbuf, outlen);
 	}
-

src/Base64.h

@@ -1,13 +1,11 @@
 #pragma once
 
-#include <assert.h>
+#include <string>
-#include <stdio.h>
-#include <string.h>
 
-#include "util.h"
+using std::string;
-#include "BroString.h"
+
-#include "Reporter.h"
+class BroString;
-#include "Conn.h"
+class Connection;
 
 // Maybe we should have a base class for generic decoders?
 class Base64Converter {
@@ -40,14 +38,7 @@ public:
 	int Errored() const	{ return errored; }
 
 	const char* ErrorMsg() const	{ return error_msg; }
-	void IllegalEncoding(const char* msg)
+	void IllegalEncoding(const char* msg);
-		{
-		// strncpy(error_msg, msg, sizeof(error_msg));
-		if ( conn )
-			conn->Weird("base64_illegal_encoding", msg);
-		else
-			reporter->Error("%s", msg);
-		}
 
 protected:
 	char error_msg[256];

src/BroString.cc

@@ -1,15 +1,16 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "BroString.h"
 
 #include <algorithm>
+#include <iostream>
 #include <ctype.h>
 
-#include <algorithm>
+#include "Val.h"
-
-#include "BroString.h"
 #include "Var.h"
 #include "Reporter.h"
+#include "util.h"
 
 #ifdef DEBUG
 #define DEBUG_STR(msg) DBG_LOG(DBG_STRING, msg)
@@ -274,6 +275,11 @@ void BroString::ToUpper()
 			b[i] = toupper(b[i]);
 	}
 
+unsigned int BroString::MemoryAllocation() const
+	{
+	return padded_sizeof(*this) + pad_size(n + final_NUL);
+	}
+
 BroString* BroString::GetSubstring(int start, int len) const
 	{
 	// This code used to live in zeek.bif's sub_bytes() routine.

src/BroString.h

@@ -4,11 +4,9 @@
 
 #include <vector>
 #include <string>
-#include <iostream>
+#include <iosfwd>
-#include <stdlib.h>
-#include <sys/types.h>
 
-#include "util.h"
+#include <sys/types.h>
 
 typedef u_char* byte_vec;
 
@@ -114,8 +112,7 @@ public:
 	// XXX and to_upper; the latter doesn't use BroString::ToUpper().
 	void ToUpper();
 
-	unsigned int MemoryAllocation() const
+	unsigned int MemoryAllocation() const;
-		{ return padded_sizeof(*this) + pad_size(n + final_NUL); }
 
 	// Returns new string containing the substring of this string,
 	// starting at @start >= 0 for going up to @length elements,

src/Brofiler.cc

@@ -1,3 +1,5 @@
+#include "Brofiler.h"
+
 #include <cstdio>
 #include <cstring>
 #include <sstream>
@@ -5,7 +7,10 @@
 #include <utility>
 #include <algorithm>
 #include <sys/stat.h>
-#include "Brofiler.h"
+
+#include "Stmt.h"
+#include "Desc.h"
+#include "Reporter.h"
 #include "util.h"
 
 Brofiler::Brofiler()

src/Brofiler.h

@@ -3,8 +3,14 @@
 #include <map>
 #include <utility>
 #include <list>
-#include <Stmt.h>
+#include <string>
 
+using std::list;
+using std::map;
+using std::pair;
+using std::string;
+
+class Stmt;
 
 /**
  * A simple class for managing stats of Bro script coverage across Bro runs.

src/CCL.cc

@@ -43,3 +43,8 @@ void CCL::Sort()
 	{
 	std::sort(syms->begin(), syms->end());
 	}
+
+unsigned int CCL::MemoryAllocation() const
+	{
+	return padded_sizeof(*this) + padded_sizeof(*syms) + pad_size(syms->size() * sizeof(int_list::value_type));
+	}

src/CCL.h

@@ -2,8 +2,9 @@
 
 #pragma once
 
+#include "util.h" // for ptr_compat_int
+
 #include <vector>
-#include "List.h"
 
 typedef std::vector<ptr_compat_int> int_list;
 
@@ -24,8 +25,7 @@ public:
 	void ReplaceSyms(int_list* new_syms)
 				{ delete syms; syms = new_syms; }
 
-	unsigned int MemoryAllocation() const
+	unsigned int MemoryAllocation() const;
-		{ return padded_sizeof(*this) + padded_sizeof(*syms) + pad_size(syms->size() * sizeof(int_list::value_type)); }
 
 protected:
 	int_list* syms;

src/CompHash.h

@@ -2,10 +2,10 @@
 
 #pragma once
 
-#include "Hash.h"
 #include "Type.h"
 
 class ListVal;
+class HashKey;
 
 class CompositeHash {
 public:

src/Conn.cc

@@ -2,15 +2,18 @@
 
 #include "zeek-config.h"
 
+#include "Conn.h"
+
 #include <ctype.h>
 
+#include "Desc.h"
 #include "Net.h"
 #include "NetVar.h"
-#include "Conn.h"
 #include "Event.h"
 #include "Sessions.h"
 #include "Reporter.h"
 #include "Timer.h"
+#include "iosource/IOSource.h"
 #include "analyzer/protocol/pia/PIA.h"
 #include "binpac.h"
 #include "TunnelEncapsulation.h"

src/Conn.h

@@ -7,17 +7,15 @@
 #include <string>
 
 #include "Dict.h"
-#include "Val.h"
 #include "Timer.h"
-#include "RuleMatcher.h"
+#include "Rule.h"
 #include "IPAddr.h"
-#include "TunnelEncapsulation.h"
 #include "UID.h"
 #include "WeirdState.h"
+#include "iosource/Packet.h"
 
 #include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
-#include "iosource/Packet.h"
 
 class Connection;
 class ConnectionTimer;
@@ -26,6 +24,9 @@ class LoginConn;
 class RuleHdrTest;
 class Specific_RE_Matcher;
 class RuleEndpointState;
+class EncapsulationStack;
+class Val;
+class RecordVal;
 
 namespace analyzer { class TransportLayerAnalyzer; }
 

src/DFA.cc

@@ -2,8 +2,9 @@
 
 #include "zeek-config.h"
 
-#include "EquivClass.h"
 #include "DFA.h"
+#include "EquivClass.h"
+#include "Desc.h"
 #include "digest.h"
 
 unsigned int DFA_State::transition_counter = 0;

src/DFA.h

@@ -3,9 +3,15 @@
 
 #pragma once
 
-#include <assert.h>
+#include "RE.h" // for typedef AcceptingSet
+#include "Obj.h"
+
+#include <map>
 #include <string>
 
+#include <assert.h>
+#include <sys/types.h> // for u_char
+
 class DFA_State;
 
 // Transitions to the uncomputed state indicate that we haven't yet

src/DNS_Mgr.cc

@@ -2,6 +2,8 @@
 
 #include "zeek-config.h"
 
+#include "DNS_Mgr.h"
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -29,9 +31,9 @@
 
 #include <algorithm>
 
-#include "DNS_Mgr.h"
 #include "Event.h"
 #include "Net.h"
+#include "Val.h"
 #include "Var.h"
 #include "Reporter.h"
 #include "iosource/Manager.h"

src/DNS_Mgr.h

@@ -7,9 +7,7 @@
 #include <queue>
 #include <utility>
 
-#include "util.h"
 #include "List.h"
-#include "Dict.h"
 #include "EventHandler.h"
 #include "iosource/IOSource.h"
 #include "IPAddr.h"

src/DbgBreakpoint.cc

@@ -2,17 +2,22 @@
 
 #include "zeek-config.h"
 
+#include "DbgBreakpoint.h"
+
 #include <assert.h>
 
+#include "Desc.h"
 #include "ID.h"
 #include "Queue.h"
 #include "Debug.h"
 #include "Scope.h"
+#include "Frame.h"
 #include "Func.h"
+#include "Val.h"
 #include "Stmt.h"
-#include "DbgBreakpoint.h"
 #include "Timer.h"
-
+#include "Reporter.h"
+#include "module_util.h"
 
 // BreakpointTimer used for time-based breakpoints
 class BreakpointTimer : public Timer {

src/DbgBreakpoint.h

@@ -2,7 +2,12 @@
 
 #pragma once
 
-#include "Debug.h"
+#include <string>
+
+using std::string;
+
+struct ParseLocationRec;
+class Stmt;
 
 enum BreakCode { bcNoHit, bcHit, bcHitAndDelete };
 class DbgBreakpoint {

src/DbgDisplay.h

@@ -2,7 +2,7 @@
 
 #pragma once
 
-#include "Debug.h"
+class Expr;
 
 // Automatic displays: display these at each stoppage.
 class DbgDisplay {

src/DbgWatch.h

@@ -2,7 +2,8 @@
 
 #pragma once
 
-#include "Debug.h"
+class BroObj;
+class Expr;
 
 class DbgWatch {
 public:

src/Debug.cc

@@ -2,6 +2,8 @@
 
 #include "zeek-config.h"
 
+#include "Debug.h"
+
 #include <stdio.h>
 #include <stdarg.h>
 #include <signal.h>
@@ -11,13 +13,20 @@
 using namespace std;
 
 #include "util.h"
-#include "Debug.h"
 #include "DebugCmds.h"
 #include "DbgBreakpoint.h"
+#include "ID.h"
+#include "Expr.h"
 #include "Stmt.h"
+#include "Frame.h"
 #include "Func.h"
 #include "Scope.h"
 #include "PolicyFile.h"
+#include "Desc.h"
+#include "Reporter.h"
+#include "Val.h"
+#include "module_util.h"
+#include "input.h"
 
 #ifdef HAVE_READLINE
 #include <readline/readline.h>

src/Debug.h

@@ -2,10 +2,15 @@
 
 #pragma once
 
+#include "Obj.h"
+#include "Queue.h"
+#include "StmtEnums.h"
+
 #include <vector>
 #include <map>
 #include <string>
 
+class Val;
 class Stmt;
 
 // This needs to be defined before we do the includes that come after it.
@@ -17,17 +22,10 @@ struct ParseLocationRec {
 	int line;
 };
 
-#include "Expr.h"
-#include "Var.h"
-#include "Frame.h"
-#include "Queue.h"
-#include "Dict.h"
-#include "StmtEnums.h"
-#include "DbgBreakpoint.h"
-
 class StmtLocMapping;
 typedef PQueue<StmtLocMapping> Filemap; // mapping for a single file
 
+class Frame;
 class DbgBreakpoint;
 class DbgWatch;
 class DbgDisplay;

src/DebugCmds.cc

@@ -2,6 +2,7 @@
 // implementation of most commands.
 
 #include "zeek-config.h"
+#include "DebugCmds.h"
 
 #include <sys/types.h>
 
@@ -9,14 +10,18 @@
 #include <string.h>
 #include <assert.h>
 
-#include "Debug.h"
-#include "DebugCmds.h"
 #include "DebugCmdInfoConstants.cc"
+#include "Debug.h"
+#include "Desc.h"
 #include "DbgBreakpoint.h"
+#include "ID.h"
+#include "Frame.h"
 #include "Func.h"
 #include "Stmt.h"
 #include "Scope.h"
+#include "Reporter.h"
 #include "PolicyFile.h"
+#include "Val.h"
 #include "util.h"
 
 //

src/Desc.cc

@@ -1,15 +1,15 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Desc.h"
 
 #include <stdlib.h>
+#include <string.h>
 #include <errno.h>
 #include <math.h>
 
-#include "Desc.h"
 #include "File.h"
 #include "Reporter.h"
-
 #include "ConvertUTF.h"
 
 #define DEFAULT_SIZE 128

src/Desc.h

@@ -2,12 +2,14 @@
 
 #pragma once
 
-#include <stdio.h>
+#include "BroString.h" // for byte_vec
+#include "util.h" // for bro_int_t
+
 #include <set>
 #include <utility>
 #include <string>
 
-#include "BroString.h"
+#include <sys/types.h> // for u_char
 
 typedef enum {
 	DESC_READABLE,

src/Discard.cc

@@ -1,13 +1,18 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <algorithm>
-
 #include "zeek-config.h"
 
-#include "Net.h"
-#include "Var.h"
 #include "Discard.h"
 
+#include <algorithm>
+
+#include "Net.h"
+#include "Func.h"
+#include "Var.h"
+#include "Val.h"
+#include "IP.h"
+#include "Reporter.h" // for InterpreterException
+
 Discarder::Discarder()
 	{
 	check_ip = internal_func("discarder_check_ip");

src/Discard.h

@@ -2,14 +2,14 @@
 
 #pragma once
 
-#include "IP.h"
+#include <sys/types.h> // for u_char
-#include "Func.h"
 
 struct ip;
 struct tcphdr;
 struct udphdr;
 struct icmp;
 
+class IP_Hdr;
 class Val;
 class RecordType;
 class Func;

src/EquivClass.cc

@@ -3,6 +3,7 @@
 #include "zeek-config.h"
 
 #include "EquivClass.h"
+#include "CCL.h"
 
 EquivClass::EquivClass(int arg_size)
 	{

src/EquivClass.h

@@ -4,7 +4,7 @@
 
 #include <stdio.h>
 
-#include "CCL.h"
+class CCL;
 
 class EquivClass {
 public:

src/Event.cc

@@ -3,9 +3,11 @@
 #include "zeek-config.h"
 
 #include "Event.h"
+#include "Desc.h"
 #include "Func.h"
 #include "NetVar.h"
 #include "Trigger.h"
+#include "Val.h"
 #include "plugin/Manager.h"
 
 EventMgr mgr;
@@ -101,6 +103,19 @@ EventMgr::~EventMgr()
 	Unref(src_val);
 	}
 
+void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
+			  SourceID src, analyzer::ID aid,
+			  TimerMgr* mgr, BroObj* obj)
+	{
+	if ( h )
+		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
+	else
+		{
+		for ( const auto& v : vl )
+			Unref(v);
+		}
+	}
+
 void EventMgr::QueueEvent(Event* event)
 	{
 	bool done = PLUGIN_HOOK_WITH_RESULT(HOOK_QUEUE_EVENT, HookQueueEvent(event), false);
@@ -119,6 +134,13 @@ void EventMgr::QueueEvent(Event* event)
 	++num_events_queued;
 	}
 
+void EventMgr::Dispatch(Event* event, bool no_remote)
+	{
+	current_src = event->Source();
+	event->Dispatch(no_remote);
+	Unref(event);
+	}
+
 void EventMgr::Drain()
 	{
 	if ( event_queue_flush_point )

src/Event.h

@@ -2,9 +2,7 @@
 
 #pragma once
 
-#include "EventRegistry.h"
+#include "BroList.h"
-
-#include "analyzer/Tag.h"
 #include "analyzer/Analyzer.h"
 
 class EventMgr;
@@ -79,16 +77,7 @@ public:
 	// existence check.
 	void QueueEvent(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-			TimerMgr* mgr = 0, BroObj* obj = 0)
+			TimerMgr* mgr = 0, BroObj* obj = 0);
-		{
-		if ( h )
-			QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
-		else
-			{
-			for ( const auto& v : vl )
-				Unref(v);
-			}
-		}
 
 	// Same as QueueEvent, except taking the event's argument list via a
 	// pointer instead of by value.  This function takes ownership of the
@@ -102,12 +91,7 @@ public:
 		delete vl;
 		}
 
-	void Dispatch(Event* event, bool no_remote = false)
+	void Dispatch(Event* event, bool no_remote = false);
-		{
-		current_src = event->Source();
-		event->Dispatch(no_remote);
-		Unref(event);
-		}
 
 	void Drain();
 	bool IsDraining() const	{ return draining; }

src/EventHandler.cc

@@ -1,5 +1,6 @@
-#include "Event.h"
 #include "EventHandler.h"
+#include "Event.h"
+#include "Desc.h"
 #include "Func.h"
 #include "Scope.h"
 #include "NetVar.h"

src/EventHandler.h

@@ -2,11 +2,10 @@
 
 #pragma once
 
-#include <assert.h>
+#include "BroList.h"
+
 #include <unordered_set>
 #include <string>
-#include "List.h"
-#include "BroList.h"
 
 class Func;
 class FuncType;

src/EventRegistry.cc

@@ -1,4 +1,5 @@
 #include "EventRegistry.h"
+#include "EventHandler.h"
 #include "RE.h"
 #include "Reporter.h"
 

src/EventRegistry.h

@@ -4,11 +4,14 @@
 
 #include <map>
 #include <string>
+#include <vector>
 
-#include "Func.h"
+using std::string;
-#include "List.h"
+using std::vector;
-#include "Dict.h"
+
-#include "EventHandler.h"
+class EventHandler;
+class EventHandlerPtr;
+class RE_Matcher;
 
 // The registry keeps track of all events that we provide or handle.
 class EventRegistry {

src/Expr.cc

@@ -4,6 +4,7 @@
 
 #include "Expr.h"
 #include "Event.h"
+#include "Desc.h"
 #include "Frame.h"
 #include "Func.h"
 #include "RE.h"
@@ -15,6 +16,8 @@
 #include "Trigger.h"
 #include "IPAddr.h"
 #include "digest.h"
+#include "module_util.h"
+#include "DebugLogger.h"
 
 #include "broker/Data.h"
 
@@ -132,12 +135,32 @@ Val* Expr::InitVal(const BroType* t, Val* aggr) const
 	return check_and_promote(Eval(0), t, 1);
 	}
 
+int Expr::IsError() const
+	{
+	return type && type->Tag() == TYPE_ERROR;
+	}
+
+void Expr::SetError()
+	{
+	SetType(error_type());
+	}
+
 void Expr::SetError(const char* msg)
 	{
 	Error(msg);
 	SetError();
 	}
 
+int Expr::IsZero() const
+	{
+	return IsConst() && ExprVal()->IsZero();
+	}
+
+int Expr::IsOne() const
+	{
+	return IsConst() && ExprVal()->IsOne();
+	}
+
 void Expr::Describe(ODesc* d) const
 	{
 	if ( IsParen() && ! d->IsBinary() )
@@ -2076,6 +2099,11 @@ AssignExpr::AssignExpr(Expr* arg_op1, Expr* arg_op2, int arg_is_init,
 	SetLocationInfo(arg_op1->GetLocationInfo(), arg_op2->GetLocationInfo());
 	}
 
+AssignExpr::~AssignExpr()
+	{
+	Unref(val);
+	}
+
 bool AssignExpr::TypeCheck(attr_list* attrs)
 	{
 	TypeTag bt1 = op1->Type()->Tag();

src/Expr.h

@@ -5,16 +5,17 @@
 // BRO expressions.
 
 #include "BroList.h"
-#include "ID.h"
 #include "Timer.h"
-#include "Val.h"
+#include "Type.h"
-#include "Debug.h"
 #include "EventHandler.h"
 #include "TraverseTypes.h"
 
 #include <memory>
+#include <string>
 #include <utility>
 
+using std::string;
+
 typedef enum {
 	EXPR_ANY = -1,
 	EXPR_NAME, EXPR_CONST,
@@ -117,10 +118,10 @@ public:
 	int IsConst() const	{ return tag == EXPR_CONST; }
 
 	// True if the expression is in error (to alleviate error propagation).
-	int IsError() const	{ return type && type->Tag() == TYPE_ERROR; }
+	int IsError() const;
 
 	// Mark expression as in error.
-	void SetError()		{ SetType(error_type()); }
+	void SetError();
 	void SetError(const char* msg);
 
 	// Returns the expression's constant value, or complains
@@ -128,16 +129,10 @@ public:
 	inline Val* ExprVal() const;
 
 	// True if the expression is a constant zero, false otherwise.
-	int IsZero() const
+	int IsZero() const;
-		{
-		return IsConst() && ExprVal()->IsZero();
-		}
 
 	// True if the expression is a constant one, false otherwise.
-	int IsOne() const
+	int IsOne() const;
-		{
-		return IsConst() && ExprVal()->IsOne();
-		}
 
 	// True if the expression supports the "add" or "delete" operations,
 	// false otherwise.
@@ -603,7 +598,7 @@ public:
 	// If val is given, evaluating this expression will always yield the val
 	// yet still perform the assignment.  Used for triggers.
 	AssignExpr(Expr* op1, Expr* op2, int is_init, Val* val = 0, attr_list* attrs = 0);
-	~AssignExpr() override { Unref(val); }
+	~AssignExpr() override;
 
 	Val* Eval(Frame* f) const override;
 	void EvalIntoAggregate(const BroType* t, Val* aggr, Frame* f) const override;
@@ -873,8 +868,6 @@ protected:
 	int num_fields;
 };
 
-class EventHandler;
-
 class ScheduleTimer : public Timer {
 public:
 	ScheduleTimer(EventHandlerPtr event, val_list* args, double t,

src/File.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "File.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -20,13 +21,14 @@
 
 #include <algorithm>
 
-#include "File.h"
+#include "Attr.h"
 #include "Type.h"
 #include "Expr.h"
 #include "NetVar.h"
 #include "Net.h"
 #include "Event.h"
 #include "Reporter.h"
+#include "Desc.h"
 
 std::list<std::pair<std::string, BroFile*>> BroFile::open_files;
 

src/File.h

@@ -2,19 +2,21 @@
 
 #pragma once
 
-#include <fcntl.h>
-#include "util.h"
 #include "Obj.h"
-#include "Attr.h"
 
 #include <list>
+#include <string>
 #include <utility>
 
+#include <fcntl.h>
+
 # ifdef NEED_KRB5_H
 #  include <krb5.h>
 # endif // NEED_KRB5_H
 
+class Attributes;
 class BroType;
+class RecordVal;
 
 class BroFile : public BroObj {
 public:

src/Frag.cc

@@ -2,11 +2,12 @@
 
 #include "zeek-config.h"
 
-#include "util.h"
-#include "Hash.h"
 #include "Frag.h"
+#include "Hash.h"
+#include "IP.h"
 #include "NetVar.h"
 #include "Sessions.h"
+#include "Reporter.h"
 
 #define MIN_ACCEPTABLE_FRAG_SIZE 64
 #define MAX_ACCEPTABLE_FRAG_SIZE 64000

src/Frag.h

@@ -2,16 +2,18 @@
 
 #pragma once
 
-#include <tuple>
+#include "util.h" // for bro_uint_t
-
+#include "IPAddr.h"
-#include "util.h"
-#include "IP.h"
-#include "Net.h"
 #include "Reassem.h"
 #include "Timer.h"
 
+#include <tuple>
+
+#include <sys/types.h> // for u_char
+
 class HashKey;
 class NetSessions;
+class IP_Hdr;
 
 class FragReassembler;
 class FragTimer;

src/Frame.cc

@@ -1,10 +1,15 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "Frame.h"
+
 #include <broker/error.hh>
 #include "broker/Data.h"
 
-#include "Frame.h"
+#include "Func.h"
+#include "Desc.h"
+#include "IntrusivePtr.h"
 #include "Trigger.h"
+#include "Val.h"
 
 vector<Frame*> g_frame_stack;
 
@@ -531,6 +536,14 @@ void Frame::ClearTrigger()
 	trigger = nullptr;
 	}
 
+void Frame::UnrefElement(int n)
+	{
+	if ( weak_refs && weak_refs[n] )
+		return;
+
+	Unref(frame[n]);
+	}
+
 bool Frame::IsOuterID(const ID* in) const
 	{
 	return std::any_of(outer_ids.begin(), outer_ids.end(),

src/Frame.h

@@ -2,17 +2,20 @@
 
 #pragma once
 
+#include "BroList.h" // for typedef val_list
+#include "Obj.h"
+
 #include <unordered_map>
-#include <memory>
 #include <string>
+#include <utility>
+#include <vector>
 
 #include <broker/data.hh>
 #include <broker/expected.hh>
 
-#include "Val.h"
-
 namespace trigger { class Trigger; }
 class CallExpr;
+class BroFunc;
 
 class Frame :  public BroObj {
 public:
@@ -232,13 +235,7 @@ private:
 	/**
 	 * Unrefs the value at offset 'n' frame unless it's a weak reference.
 	 */
-	void UnrefElement(int n)
+	void UnrefElement(int n);
-		{
-		if ( weak_refs && weak_refs[n] )
-			return;
-
-		Unref(frame[n]);
-		}
 
 	/** Have we captured this id? */
 	bool IsOuterID(const ID* in) const;

src/Func.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Func.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -32,12 +33,14 @@
 #include <broker/error.hh>
 
 #include "Base64.h"
+#include "Debug.h"
+#include "Desc.h"
+#include "Expr.h"
 #include "Stmt.h"
 #include "Scope.h"
 #include "Net.h"
 #include "NetVar.h"
 #include "File.h"
-#include "Func.h"
 #include "Frame.h"
 #include "Var.h"
 #include "analyzer/protocol/login/Login.h"
@@ -47,6 +50,9 @@
 #include "Traverse.h"
 #include "Reporter.h"
 #include "plugin/Manager.h"
+#include "module_util.h"
+#include "iosource/PktSrc.h"
+#include "iosource/PktDumper.h"
 
 extern	RETSIGTYPE sig_handler(int signo);
 

src/Func.h

@@ -2,16 +2,21 @@
 
 #pragma once
 
+#include "BroList.h"
+#include "Obj.h"
+#include "Type.h" /* for function_flavor */
+#include "TraverseTypes.h"
+
 #include <utility>
 #include <memory>
+#include <string>
+#include <vector>
 
 #include <broker/data.hh>
 #include <broker/expected.hh>
 
-#include "BroList.h"
+using std::string;
-#include "Obj.h"
+using std::vector;
-#include "Debug.h"
-#include "Frame.h"
 
 class Val;
 class ListExpr;
@@ -20,6 +25,7 @@ class Stmt;
 class Frame;
 class ID;
 class CallExpr;
+class Scope;
 
 class Func : public BroObj {
 public:

src/Hash.cc

@@ -19,6 +19,7 @@
 
 #include "Hash.h"
 #include "Reporter.h"
+#include "BroString.h"
 
 #include "siphash24.h"
 

src/Hash.h

@@ -2,12 +2,14 @@
 
 #pragma once
 
+#include "util.h" // for bro_int_t
+
 #include <stdlib.h>
 
-#include "BroString.h"
-
 #define UHASH_KEY_SIZE 36
 
+class BroString;
+
 typedef uint64_t hash_t;
 
 typedef enum {

src/ID.cc

@@ -3,15 +3,22 @@
 #include "zeek-config.h"
 
 #include "ID.h"
+#include "Attr.h"
+#include "Desc.h"
 #include "Expr.h"
 #include "Dict.h"
 #include "EventRegistry.h"
 #include "Func.h"
 #include "Scope.h"
+#include "Type.h"
 #include "File.h"
 #include "Scope.h"
 #include "Traverse.h"
+#include "Val.h"
 #include "zeekygen/Manager.h"
+#include "zeekygen/IdentifierInfo.h"
+#include "zeekygen/ScriptInfo.h"
+#include "module_util.h"
 
 ID::ID(const char* arg_name, IDScope arg_scope, bool arg_is_export)
 	{
@@ -51,6 +58,11 @@ string ID::ModuleName() const
 	return extract_module_name(name);
 	}
 
+void ID::SetType(BroType* t)
+	{
+	Unref(type); type = t;
+	}
+
 void ID::ClearVal()
 	{
 	if ( ! weak_ref )
@@ -143,6 +155,11 @@ void ID::SetVal(Expr* ev, init_class c)
 	EvalFunc(a->AttrExpr(), ev);
 	}
 
+bool ID::IsRedefinable() const
+	{
+	return FindAttr(ATTR_REDEF) != 0;
+	}
+
 void ID::SetAttrs(Attributes* a)
 	{
 	Unref(attrs);
@@ -189,6 +206,16 @@ void ID::UpdateValAttrs()
 		}
 	}
 
+Attr* ID::FindAttr(attr_tag t) const
+	{
+	return attrs ? attrs->FindAttr(t) : 0;
+	}
+
+bool ID::IsDeprecated() const
+	{
+	return FindAttr(ATTR_DEPRECATED) != 0;
+	}
+
 void ID::MakeDeprecated(Expr* deprecation)
 	{
 	if ( IsDeprecated() )

src/ID.h

@@ -2,14 +2,20 @@
 
 #pragma once
 
-#include "Type.h"
+#include "Obj.h"
 #include "Attr.h"
 #include "Notifier.h"
 #include "TraverseTypes.h"
+
+#include <map>
 #include <string>
+#include <vector>
 
 class Val;
+class Expr;
 class Func;
+class BroType;
+class Attributes;
 
 typedef enum { INIT_NONE, INIT_FULL, INIT_EXTRA, INIT_REMOVE, } init_class;
 typedef enum { SCOPE_FUNCTION, SCOPE_MODULE, SCOPE_GLOBAL } IDScope;
@@ -29,7 +35,7 @@ public:
 
 	std::string ModuleName() const;
 
-	void SetType(BroType* t)	{ Unref(type); type = t; }
+	void SetType(BroType* t);
 	BroType* Type()			{ return type; }
 	const BroType* Type() const	{ return type; }
 
@@ -67,7 +73,7 @@ public:
 	void SetOffset(int arg_offset)	{ offset = arg_offset; }
 	int Offset() const		{ return offset; }
 
-	bool IsRedefinable() const	{ return FindAttr(ATTR_REDEF) != 0; }
+	bool IsRedefinable() const;
 
 	void SetAttrs(Attributes* attr);
 	void AddAttrs(Attributes* attr);
@@ -75,11 +81,9 @@ public:
 	void UpdateValAttrs();
 	Attributes* Attrs() const	{ return attrs; }
 
-	Attr* FindAttr(attr_tag t) const
+	Attr* FindAttr(attr_tag t) const;
-		{ return attrs ? attrs->FindAttr(t) : 0; }
 
-	bool IsDeprecated() const
+	bool IsDeprecated() const;
-		{ return FindAttr(ATTR_DEPRECATED) != 0; }
 
 	void MakeDeprecated(Expr* deprecation);
 

src/IP.cc

@@ -1,13 +1,16 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "IP.h"
+
 #include <sys/types.h>
 #include <netinet/in.h>
 #include <netinet/icmp6.h>
 
-#include "IP.h"
+#include "IPAddr.h"
 #include "Type.h"
 #include "Val.h"
 #include "Var.h"
+#include "Reporter.h"
 
 static RecordType* ip4_hdr_type = 0;
 static RecordType* ip6_hdr_type = 0;
@@ -304,6 +307,26 @@ RecordVal* IPv6_Hdr::BuildRecordVal(VectorVal* chain) const
 	return rv;
 	}
 
+IPAddr IP_Hdr::IPHeaderSrcAddr() const
+	{
+	return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src);
+	}
+
+IPAddr IP_Hdr::IPHeaderDstAddr() const
+	{
+	return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst);
+	}
+
+IPAddr IP_Hdr::SrcAddr() const
+	{
+	return ip4 ? IPAddr(ip4->ip_src) : ip6_hdrs->SrcAddr();
+	}
+
+IPAddr IP_Hdr::DstAddr() const
+	{
+	return ip4 ? IPAddr(ip4->ip_dst) : ip6_hdrs->DstAddr();
+	}
+
 RecordVal* IP_Hdr::BuildIPHdrVal() const
 	{
 	RecordVal* rval = 0;
@@ -446,6 +469,15 @@ static inline bool isIPv6ExtHeader(uint8_t type)
 	}
 	}
 
+IPv6_Hdr_Chain::~IPv6_Hdr_Chain()
+	{
+	for ( size_t i = 0; i < chain.size(); ++i ) delete chain[i];
+#ifdef ENABLE_MOBILE_IPV6
+	delete homeAddr;
+#endif
+	delete finalDst;
+	}
+
 void IPv6_Hdr_Chain::Init(const struct ip6_hdr* ip6, int total_len,
                           bool set_next, uint16_t next)
 	{
@@ -510,6 +542,46 @@ void IPv6_Hdr_Chain::Init(const struct ip6_hdr* ip6, int total_len,
 				  isIPv6ExtHeader(next_type) );
 	}
 
+bool IPv6_Hdr_Chain::IsFragment() const
+	{
+	if ( chain.empty() )
+		{
+		reporter->InternalWarning("empty IPv6 header chain");
+		return false;
+		}
+
+	return chain[chain.size()-1]->Type() == IPPROTO_FRAGMENT;
+	}
+
+IPAddr IPv6_Hdr_Chain::SrcAddr() const
+	{
+#ifdef ENABLE_MOBILE_IPV6
+	if ( homeAddr )
+		return IPAddr(*homeAddr);
+#endif
+	if ( chain.empty() )
+		{
+		reporter->InternalWarning("empty IPv6 header chain");
+		return IPAddr();
+		}
+
+	return IPAddr(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_src);
+	}
+
+IPAddr IPv6_Hdr_Chain::DstAddr() const
+	{
+	if ( finalDst )
+		return IPAddr(*finalDst);
+
+	if ( chain.empty() )
+		{
+		reporter->InternalWarning("empty IPv6 header chain");
+		return IPAddr();
+		}
+
+	return IPAddr(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_dst);
+	}
+
 void IPv6_Hdr_Chain::ProcessRoutingHeader(const struct ip6_rthdr* r, uint16_t len)
 	{
 	if ( finalDst )

src/IP.h

@@ -3,15 +3,23 @@
 #pragma once
 
 #include "zeek-config.h"
-#include "net_util.h"
+
-#include "IPAddr.h"
-#include "Reporter.h"
-#include "Val.h"
-#include "Type.h"
 #include <vector>
+
+#include <sys/types.h> // for u_char
 #include <netinet/in.h>
 #include <netinet/ip.h>
 
+#ifdef HAVE_NETINET_IP6_H
+#include <netinet/ip6.h>
+#endif
+
+using std::vector;
+
+class IPAddr;
+class RecordVal;
+class VectorVal;
+
 #ifdef ENABLE_MOBILE_IPV6
 
 #ifndef IPPROTO_MOBILITY
@@ -147,14 +155,7 @@ public:
 		finalDst(0)
 		{ Init(ip6, len, false); }
 
-	~IPv6_Hdr_Chain()
+	~IPv6_Hdr_Chain();
-		{
-		for ( size_t i = 0; i < chain.size(); ++i ) delete chain[i];
-#ifdef ENABLE_MOBILE_IPV6
-		delete homeAddr;
-#endif
-		delete finalDst;
-		}
 
 	/**
 	 * @return a copy of the header chain, but with pointers to individual
@@ -180,16 +181,7 @@ public:
 	/**
 	 * Returns whether the header chain indicates a fragmented packet.
 	 */
-	bool IsFragment() const
+	bool IsFragment() const;
-		{
-		if ( chain.empty() )
-			{
-			reporter->InternalWarning("empty IPv6 header chain");
-			return false;
-			}
-
-		return chain[chain.size()-1]->Type() == IPPROTO_FRAGMENT;
-		}
 
 	/**
 	 * Returns pointer to fragment header structure if the chain contains one.
@@ -224,39 +216,14 @@ public:
 	 * option as defined by Mobile IPv6 (RFC 6275), then return it, else
 	 * return the source address in the main IPv6 header.
 	 */
-	IPAddr SrcAddr() const
+	IPAddr SrcAddr() const;
-		{
-#ifdef ENABLE_MOBILE_IPV6
-		if ( homeAddr )
-			return IPAddr(*homeAddr);
-#endif
-		if ( chain.empty() )
-			{
-			reporter->InternalWarning("empty IPv6 header chain");
-			return IPAddr();
-			}
-
-		return IPAddr(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_src);
-		}
 
 	/**
 	 * If the chain contains a Routing header with non-zero segments left,
 	 * then return the last address of the first such header, else return
 	 * the destination address of the main IPv6 header.
 	 */
-	IPAddr DstAddr() const
+	IPAddr DstAddr() const;
-		{
-		if ( finalDst )
-			return IPAddr(*finalDst);
-
-		if ( chain.empty() )
-			{
-			reporter->InternalWarning("empty IPv6 header chain");
-			return IPAddr();
-			}
-
-		return IPAddr(((const struct ip6_hdr*)(chain[0]->Data()))->ip6_dst);
-		}
 
 	/**
 	 * Returns a vector of ip6_ext_hdr RecordVals that includes script-layer
@@ -400,22 +367,19 @@ public:
 	/**
 	 * Returns the source address held in the IP header.
 	 */
-	IPAddr IPHeaderSrcAddr() const
+	IPAddr IPHeaderSrcAddr() const;
-		{ return ip4 ? IPAddr(ip4->ip_src) : IPAddr(ip6->ip6_src); }
 
 	/**
 	 * Returns the destination address held in the IP header.
 	 */
-	IPAddr IPHeaderDstAddr() const
+	IPAddr IPHeaderDstAddr() const;
-		{ return ip4 ? IPAddr(ip4->ip_dst) : IPAddr(ip6->ip6_dst); }
 
 	/**
 	 * For IPv4 or IPv6 headers that don't contain a Home Address option
 	 * (Mobile IPv6, RFC 6275), return source address held in the IP header.
 	 * For IPv6 headers that contain a Home Address option, return that address.
 	 */
-	IPAddr SrcAddr() const
+	IPAddr SrcAddr() const;
-		{ return ip4 ? IPAddr(ip4->ip_src) : ip6_hdrs->SrcAddr(); }
 
 	/**
 	 * For IPv4 or IPv6 headers that don't contain a Routing header with
@@ -423,8 +387,7 @@ public:
 	 * For IPv6 headers with a Routing header that has non-zero segments left,
 	 * return the last address in the first such Routing header.
 	 */
-	IPAddr DstAddr() const
+	IPAddr DstAddr() const;
-		{ return ip4 ? IPAddr(ip4->ip_dst) : ip6_hdrs->DstAddr(); }
 
 	/**
 	 * Returns a pointer to the payload of the IP packet, usually an

src/IPAddr.cc

@@ -5,7 +5,9 @@
 #include <vector>
 #include "IPAddr.h"
 #include "Reporter.h"
+#include "BroString.h"
 #include "Conn.h"
+#include "Hash.h"
 #include "bro_inet_ntop.h"
 
 #include "analyzer/Manager.h"
@@ -45,6 +47,16 @@ ConnIDKey BuildConnIDKey(const ConnID& id)
 	return key;
 	}
 
+IPAddr::IPAddr(const BroString& s)
+	{
+	Init(s.CheckString());
+	}
+
+HashKey* IPAddr::GetHashKey() const
+	{
+	return new HashKey((void*)in6.s6_addr, sizeof(in6.s6_addr));
+	}
+
 static inline uint32_t bit_mask32(int bottom_bits)
 	{
 	if ( bottom_bits >= 32 )
@@ -290,6 +302,19 @@ string IPPrefix::AsString() const
 	return prefix.AsString() +"/" + l;
 	}
 
+HashKey* IPPrefix::GetHashKey() const
+	{
+	struct {
+		in6_addr ip;
+		uint32_t len;
+	} key;
+
+	key.ip = prefix.in6;
+	key.len = Length();
+
+	return new HashKey(&key, sizeof(key));
+	}
+
 bool IPPrefix::ConvertString(const char* text, IPPrefix* result)
 	{
 	string s(text);

src/IPAddr.h

@@ -2,18 +2,17 @@
 
 #pragma once
 
+#include "threading/SerialTypes.h"
+
 #include <netinet/in.h>
 #include <arpa/inet.h>
 #include <string.h>
 #include <string>
 
-#include "BroString.h"
+using std::string;
-#include "Hash.h"
-#include "util.h"
-#include "Type.h"
-#include "threading/SerialTypes.h"
-
 struct ConnID;
+class BroString;
+class HashKey;
 namespace analyzer { class ExpectedConn; }
 
 typedef in_addr in4_addr;
@@ -113,10 +112,7 @@ public:
 	 * @param s String containing an IP address as either a dotted IPv4
 	 * address or a hex IPv6 address.
 	 */
-	explicit IPAddr(const BroString& s)
+	explicit IPAddr(const BroString& s);
-		{
-		Init(s.CheckString());
-		}
 
 	/**
 	 * Constructs an address instance from a raw byte representation.
@@ -255,10 +251,7 @@ public:
 	 * Returns a key that can be used to lookup the IP Address in a hash
 	 * table. Passes ownership to caller.
 	 */
-	HashKey* GetHashKey() const
+	HashKey* GetHashKey() const;
-		{
-		return new HashKey((void*)in6.s6_addr, sizeof(in6.s6_addr));
-		}
 
 	/**
 	 * Masks out lower bits of the address.
@@ -640,18 +633,7 @@ public:
 	 * Returns a key that can be used to lookup the IP Prefix in a hash
 	 * table. Passes ownership to caller.
 	 */
-	HashKey* GetHashKey() const
+	HashKey* GetHashKey() const;
-		{
-		struct {
-			in6_addr ip;
-			uint32_t len;
-		} key;
-
-		key.ip = prefix.in6;
-		key.len = Length();
-
-		return new HashKey(&key, sizeof(key));
-		}
 
 	/** Converts the prefix into the type used internally by the
 	  * inter-thread communication.

src/NFA.cc

@@ -2,10 +2,12 @@
 
 #include "zeek-config.h"
 
-#include <algorithm>
-
 #include "NFA.h"
+#include "Desc.h"
 #include "EquivClass.h"
+#include "IntSet.h"
+
+#include <algorithm>
 
 static int nfa_state_id = 0;
 

src/NFA.h

@@ -2,9 +2,11 @@
 
 #pragma once
 
-#include "RE.h"
+#include "Obj.h"
-#include "IntSet.h"
+#include "List.h"
 
+class CCL;
+class Func;
 class NFA_State;
 class EquivClass;
 

src/Net.cc

@@ -1,6 +1,7 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Net.h"
 
 #include <sys/types.h>
 #ifdef TIME_WITH_SYS_TIME
@@ -19,13 +20,16 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+extern "C" {
+#include "setsignal.h"
+};
+
 #include "NetVar.h"
 #include "Sessions.h"
 #include "Event.h"
 #include "Timer.h"
 #include "Var.h"
 #include "Reporter.h"
-#include "Net.h"
 #include "Anon.h"
 #include "PacketDumper.h"
 #include "iosource/Manager.h"
@@ -34,10 +38,6 @@
 #include "plugin/Manager.h"
 #include "broker/Manager.h"
 
-extern "C" {
-#include "setsignal.h"
-};
-
 extern "C" {
 extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
 }

src/Net.h

@@ -2,14 +2,14 @@
 
 #pragma once
 
+#include <list>
 #include <vector>
 #include <string>
 #include <optional>
 
-#include "net_util.h"
+#include <sys/stat.h> // for ino_t
-#include "util.h"
+
-#include "List.h"
+using std::string;
-#include "Func.h"
 
 namespace iosource {
 	class IOSource;

src/NetVar.cc

@@ -2,8 +2,10 @@
 
 #include "zeek-config.h"
 
-#include "Var.h"
 #include "NetVar.h"
+#include "Var.h"
+#include "EventHandler.h"
+#include "Val.h"
 
 RecordType* conn_id;
 RecordType* endpoint;

src/Notifier.cc

@@ -1,7 +1,9 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "DebugLogger.h"
 #include "Notifier.h"
+#include "DebugLogger.h"
+
+#include <set>
 
 notifier::Registry notifier::registry;
 

src/Notifier.h

@@ -7,12 +7,7 @@
 
 #pragma once
 
-#include <set>
 #include <unordered_map>
-#include <string>
-
-#include "util.h"
-#include "DebugLogger.h"
 
 namespace notifier  {
 

src/Obj.cc

@@ -1,10 +1,11 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "Obj.h"
 
 #include <stdlib.h>
 
-#include "Obj.h"
+#include "Desc.h"
 #include "Func.h"
 #include "File.h"
 #include "plugin/Manager.h"

src/Obj.h

@@ -4,8 +4,7 @@
 
 #include <limits.h>
 
-#include "input.h"
+class ODesc;
-#include "Desc.h"
 
 class Location {
 public:

src/OpaqueVal.cc

@@ -5,9 +5,12 @@
 #include "OpaqueVal.h"
 #include "NetVar.h"
 #include "Reporter.h"
+#include "Desc.h"
+#include "Var.h"
 #include "probabilistic/BloomFilter.h"
 #include "probabilistic/CardinalityCounter.h"
 
+#include <broker/data.hh>
 #include <broker/error.hh>
 
 // Helper to retrieve a broker value out of a broker::vector at a specified

src/OpaqueVal.h

@@ -2,14 +2,16 @@
 
 #pragma once
 
-#include <broker/data.hh>
-#include <broker/expected.hh>
-
 #include "RandTest.h"
 #include "Val.h"
 #include "digest.h"
 #include "paraglob/paraglob.h"
 
+#include <broker/expected.hh>
+
+#include <sys/types.h> // for u_char
+
+namespace broker { class data; }
 class OpaqueVal;
 
 /**

src/Options.cc

@@ -1,9 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <unistd.h>
-
 #include "zeek-config.h"
 
+#include "Options.h"
+
+#include <algorithm>
+
+#include <unistd.h>
+
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -11,8 +15,6 @@
 #include "bsd-getopt-long.h"
 #include "logging/writers/ascii/Ascii.h"
 
-#include "Options.h"
-
 void zeek::Options::filter_supervisor_options()
 	{
 	pcap_filter = {};

src/PacketDumper.cc

@@ -1,14 +1,10 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-
 #include "zeek-config.h"
-
-#include <assert.h>
-#include <stdlib.h>
-
-#include "Event.h"
-#include "Net.h"
 #include "PacketDumper.h"
+#include "Reporter.h"
+#include "util.h"
+#include "iosource/PktDumper.h"
 
 PacketDumper::PacketDumper(pcap_dumper_t* arg_pkt_dump)
 	{

src/PacketDumper.h

@@ -4,6 +4,8 @@
 
 #include <pcap.h>
 
+#include <sys/types.h> // for u_char
+
 class PacketDumper {
 public:
 	explicit PacketDumper(pcap_dumper_t* pkt_dump);

src/PacketFilter.cc

@@ -1,4 +1,5 @@
 #include "PacketFilter.h"
+#include "IP.h"
 
 void PacketFilter::DeleteFilter(void* data)
 	{

src/PacketFilter.h

@@ -2,9 +2,12 @@
 
 #pragma once
 
-#include "IP.h"
+#include "IPAddr.h"
 #include "PrefixTable.h"
 
+class IP_Hdr;
+class Val;
+
 class PacketFilter {
 public:
 	explicit PacketFilter(bool arg_default);

src/PrefixTable.cc

@@ -1,5 +1,6 @@
 #include "PrefixTable.h"
 #include "Reporter.h"
+#include "Val.h"
 
 prefix_t* PrefixTable::MakePrefix(const IPAddr& addr, int width)
 	{

src/PrefixTable.h

@@ -1,13 +1,19 @@
 #pragma once
 
-#include "Val.h"
-#include "net_util.h"
 #include "IPAddr.h"
 
 extern "C" {
 	#include "patricia.h"
 }
 
+#include <list>
+
+using std::list;
+using std::tuple;
+
+class Val;
+class SubNetVal;
+
 class PrefixTable {
 private:
 	struct iterator {

src/PriorityQueue.h

@@ -3,7 +3,7 @@
 #pragma once
 
 #include <math.h>
-#include "util.h"
+#include <stdint.h>
 
 class PriorityQueue;
 

src/Queue.h

@@ -2,6 +2,8 @@
 
 #pragma once
 
+#include <iterator>
+
 // Queue.h --
 //	Interface for class Queue, current implementation is as an
 //	array of ent's.  This implementation was chosen to optimize

src/RE.cc

@@ -1,15 +1,16 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #include "zeek-config.h"
+#include "RE.h"
 
 #include <stdlib.h>
 #include <utility>
 
-#include "RE.h"
 #include "DFA.h"
 #include "CCL.h"
 #include "EquivClass.h"
 #include "Reporter.h"
+#include "BroString.h"
 
 CCL* curr_ccl = 0;
 

src/RE.h

@@ -2,9 +2,7 @@
 
 #pragma once
 
-#include "Obj.h"
+#include "List.h"
-#include "Dict.h"
-#include "BroString.h"
 #include "CCL.h"
 #include "EquivClass.h"
 
@@ -12,6 +10,7 @@
 #include <map>
 #include <string>
 
+#include <sys/types.h> // for u_char
 #include <ctype.h>
 typedef int (*cce_func)(int);
 
@@ -21,6 +20,7 @@ class DFA_Machine;
 class Specific_RE_Matcher;
 class RE_Matcher;
 class DFA_State;
+class BroString;
 
 extern int case_insensitive;
 extern CCL* curr_ccl;

src/RandTest.cc

@@ -12,9 +12,10 @@
 	Modified for Bro by Seth Hall - July 2010
 */
 
-#include <math.h>
 #include "RandTest.h"
 
+#include <math.h>
+
 #define log2of10 3.32192809488736234787
 /*  RT_LOG2  --  Calculate log to the base 2  */
 static double rt_log2(double x)

src/RandTest.h

@@ -1,6 +1,6 @@
 #pragma once
 
-#include "util.h"
+#include <stdint.h>
 
 #define RT_MONTEN 6  /* Bytes used as Monte Carlo
                         co-ordinates. This should be no more

src/Reassem.cc

@@ -1,10 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "zeek-config.h"
+#include "Reassem.h"
+
 #include <algorithm>
 
-#include "zeek-config.h"
+#include "Desc.h"
 
-#include "Reassem.h"
+using std::min;
 
 uint64_t Reassembler::total_size = 0;
 uint64_t Reassembler::sizes[REASSEM_NUM];

src/Reassem.h

@@ -5,7 +5,10 @@
 #include <map>
 
 #include "Obj.h"
-#include "IPAddr.h"
+
+#include <assert.h>
+#include <string.h>
+#include <sys/types.h> // for u_char
 
 // Whenever subclassing the Reassembler class
 // you should add to this for known subclasses.

src/Reporter.cc

@@ -2,18 +2,23 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 //
 
+#include "zeek-config.h"
+#include "Reporter.h"
+
 #include <unistd.h>
 #include <syslog.h>
 
-#include "zeek-config.h"
+#include "Desc.h"
-#include "Reporter.h"
 #include "Event.h"
+#include "Expr.h"
 #include "NetVar.h"
 #include "Net.h"
 #include "Conn.h"
 #include "Timer.h"
+#include "EventHandler.h"
 #include "plugin/Plugin.h"
 #include "plugin/Manager.h"
+#include "input.h"
 #include "file_analysis/File.h"
 
 #ifdef SYSLOG_INT

src/Reporter.h

@@ -11,8 +11,6 @@
 #include <unordered_set>
 #include <unordered_map>
 
-#include "util.h"
-#include "EventHandler.h"
 #include "IPAddr.h"
 
 namespace analyzer { class Analyzer; }
@@ -20,6 +18,7 @@ namespace file_analysis { class File; }
 class Connection;
 class Location;
 class Reporter;
+class EventHandlerPtr;
 
 // One cannot raise this exception directly, go through the
 // Reporter's methods instead.

src/Rule.cc

@@ -1,6 +1,8 @@
 #include "zeek-config.h"
 
 #include "Rule.h"
+#include "RuleAction.h"
+#include "RuleCondition.h"
 #include "RuleMatcher.h"
 
 // Start at one as we want search for this within a list,

src/Rule.h

@@ -1,17 +1,17 @@
 #pragma once
 
-#include <limits.h>
-#include <map>
-
-#include "Obj.h"
 #include "List.h"
-#include "Dict.h"
+#include "Obj.h"
-#include "util.h"
+
+#include <map>
+#include <string>
+
+#include <limits.h>
+#include <stdint.h>
 
 class RuleCondition;
 class RuleAction;
 class RuleHdrTest;
-
 class Rule;
 
 typedef PList<Rule> rule_list;

src/RuleAction.cc

@@ -12,6 +12,11 @@ using std::string;
 
 #include "analyzer/Manager.h"
 
+RuleActionEvent::RuleActionEvent(const char* arg_msg)
+	{
+	msg = copy_string(arg_msg);
+	}
+
 void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
 				const u_char* data, int len)
 	{
@@ -30,6 +35,12 @@ void RuleActionEvent::PrintDebug()
 	fprintf(stderr, "	RuleActionEvent: |%s|\n", msg);
 	}
 
+RuleActionMIME::RuleActionMIME(const char* arg_mime, int arg_strength)
+	{
+	mime = copy_string(arg_mime);
+	strength = arg_strength;
+	}
+
 void RuleActionMIME::PrintDebug()
 	{
 	fprintf(stderr, "	RuleActionMIME: |%s|\n", mime);

src/RuleAction.h

@@ -1,11 +1,13 @@
 #pragma once
 
-#include "BroString.h"
-#include "List.h"
-#include "util.h"
-
 #include "analyzer/Tag.h"
 
+#include <string>
+
+#include <sys/types.h> // for u_char
+
+using std::string;
+
 class Rule;
 class RuleEndpointState;
 
@@ -23,7 +25,7 @@ public:
 // Implements the "event" keyword.
 class RuleActionEvent : public RuleAction {
 public:
-	explicit RuleActionEvent(const char* arg_msg)	{ msg = copy_string(arg_msg); }
+	explicit RuleActionEvent(const char* arg_msg);
 	~RuleActionEvent() override { delete [] msg; }
 
 	void DoAction(const Rule* parent, RuleEndpointState* state,
@@ -37,8 +39,7 @@ private:
 
 class RuleActionMIME : public RuleAction {
 public:
-	explicit RuleActionMIME(const char* arg_mime, int arg_strength = 0)
+	explicit RuleActionMIME(const char* arg_mime, int arg_strength = 0);
-		{ mime = copy_string(arg_mime); strength = arg_strength; }
 
 	~RuleActionMIME() override
 		{ delete [] mime; }

src/RuleCondition.cc

@@ -1,8 +1,13 @@
 #include "zeek-config.h"
 
 #include "RuleCondition.h"
+#include "RuleMatcher.h"
 #include "analyzer/protocol/tcp/TCP.h"
+#include "Reporter.h"
 #include "Scope.h"
+#include "Func.h"
+#include "Val.h"
+#include "Var.h" // for internal_type()
 
 static inline bool is_established(const analyzer::tcp::TCP_Endpoint* e)
 	{

src/RuleCondition.h

@@ -1,10 +1,9 @@
 #pragma once
 
-#include "BroString.h"
+#include <stdint.h> // for u_char
-#include "Func.h"
+#include <sys/types.h> // for u_char
-#include "List.h"
-#include "util.h"
 
+class ID;
 class Rule;
 class RuleEndpointState;
 

src/RuleMatcher.cc

@@ -1,15 +1,23 @@
+
+#include "zeek-config.h"
+#include "RuleMatcher.h"
+
 #include <algorithm>
 #include <functional>
 
-#include "zeek-config.h"
+#include "RuleAction.h"
-
+#include "RuleCondition.h"
+#include "ID.h"
+#include "IntSet.h"
+#include "IP.h"
 #include "analyzer/Analyzer.h"
-#include "RuleMatcher.h"
 #include "DFA.h"
+#include "DebugLogger.h"
 #include "NetVar.h"
 #include "Scope.h"
 #include "File.h"
 #include "Reporter.h"
+#include "module_util.h"
 
 // FIXME: Things that are not fully implemented/working yet:
 //

src/RuleMatcher.h

@@ -1,24 +1,17 @@
 #pragma once
 
-#include <limits.h>
+#include "Rule.h"
+#include "RE.h"
+#include "CCL.h"
+
 #include <vector>
 #include <map>
 #include <functional>
 #include <set>
 #include <string>
 
-#include "IPAddr.h"
+#include <sys/types.h> // for u_char
-#include "BroString.h"
+#include <limits.h>
-#include "List.h"
-#include "RE.h"
-#include "Net.h"
-#include "Sessions.h"
-#include "IntSet.h"
-#include "util.h"
-#include "Rule.h"
-#include "RuleAction.h"
-#include "RuleCondition.h"
-#include "iosource/Packet.h"
 
 //#define MATCHER_PRINT_STATS
 
@@ -34,6 +27,18 @@ extern FILE* rules_in;
 extern int rules_line_number;
 extern const char* current_rule_file;
 
+using std::vector;
+using std::map;
+using std::set;
+using std::string;
+
+class Val;
+class BroFile;
+class IntSet;
+class IP_Hdr;
+class IPPrefix;
+class RE_Match_State;
+class Specific_RE_Matcher;
 class RuleMatcher;
 extern RuleMatcher* rule_matcher;
 

src/Scope.cc

@@ -2,10 +2,12 @@
 
 #include "zeek-config.h"
 
+#include "Scope.h"
+#include "Desc.h"
 #include "ID.h"
 #include "Val.h"
-#include "Scope.h"
 #include "Reporter.h"
+#include "module_util.h"
 
 typedef PList<Scope> scope_list;
 

src/Scope.h

@@ -5,11 +5,9 @@
 #include <string>
 #include <map>
 
-#include "Dict.h"
 #include "Obj.h"
 #include "BroList.h"
 #include "TraverseTypes.h"
-#include "module_util.h"
 
 class ID;
 class BroType;

src/SerializationFormat.cc

@@ -1,9 +1,10 @@
+#include "SerializationFormat.h"
+
 #include <ctype.h>
 
-#include "net_util.h"
-#include "SerializationFormat.h"
 #include "DebugLogger.h"
 #include "Reporter.h"
+#include "net_util.h"
 
 const float SerializationFormat::GROWTH_FACTOR = 2.5;
 

src/SerializationFormat.h

@@ -4,7 +4,7 @@
 
 #include <string>
 
-#include "util.h"
+#include <stdint.h>
 
 class IPAddr;
 class IPPrefix;

src/Sessions.cc

@@ -2,6 +2,7 @@
 
 
 #include "zeek-config.h"
+#include "Sessions.h"
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -9,11 +10,11 @@
 #include <stdlib.h>
 #include <unistd.h>
 
+#include "Desc.h"
 #include "Net.h"
 #include "Event.h"
 #include "Timer.h"
 #include "NetVar.h"
-#include "Sessions.h"
 #include "Reporter.h"
 
 #include "analyzer/protocol/icmp/ICMP.h"

src/Sessions.h

@@ -2,26 +2,25 @@
 
 #pragma once
 
+#include "Frag.h"
+#include "PacketFilter.h"
+#include "NetVar.h"
+#include "analyzer/protocol/tcp/Stats.h"
+
 #include <map>
 #include <utility>
 
-#include "Dict.h"
+#include <sys/types.h> // for u_char
-#include "CompHash.h"
-#include "IP.h"
-#include "Frag.h"
-#include "PacketFilter.h"
-#include "Stats.h"
-#include "NetVar.h"
-#include "TunnelEncapsulation.h"
-#include "analyzer/protocol/tcp/Stats.h"
 
 class EncapsulationStack;
+class EncapsulatingConn;
+class Packet;
+class PacketProfiler;
 class Connection;
 class ConnCompressor;
 struct ConnID;
 
 class Discarder;
-class PacketFilter;
 
 namespace analyzer { namespace stepping_stone { class SteppingStoneManager; } }
 namespace analyzer { namespace arp { class ARP_Analyzer; } }