Merge remote-tracking branch 'origin/topic/jsiwek/runtime-exception-leak-cleanup'

* origin/topic/jsiwek/runtime-exception-leak-cleanup: Func::DescribeDebug: move a NumFields() call out of loop Use const-ref parameter for zeek::val_list_to_args() Fix missing IntrusivePtr.h include and ambiguous ODesc::Add call Remove TimerMgr arg from event queuing/scheduling methods Deprecate Analyzer::ConnectionEvent() Deprecate file_analysis::File::FileEvent methods using val_list args Deprecate Connection::ConnectionEvent methods Deprecate EventMgr::QueueEventFast() and update usages to Enqueue() Deprecate EventMgr::QueueEvent() and update usages to Enqueue() Deprecate Func::Call(val_list*, ...) Use vector<IntrusivePtr<Val>> for Func::Call and Event queuing args Fix memory leak in Zeek when-statement bodies with runtime errors Change TableVal::RecoverIndex() to return IntrusivePtr Use IntrusivePtr in TableVal::CallExpireFunc Fix memory leak when runtime error occurs in a Zeek for-loop Enable leak checks for btests that produce runtime exceptions
2025-10-02 14:48:21 +00:00 · 2020-03-27 11:48:46 -07:00 · 2020-03-27 11:48:46 -07:00 · 85c6c2b9ee
commit 85c6c2b9ee
parent 75d7396f2d 29a7222563
133 changed files with 2044 additions and 1999 deletions
--- a/54
+++ b/54
@ -1,3 +1,57 @@
 3.2.0-dev.300 | 2020-03-27 11:48:46 -0700
  * Func::DescribeDebug: move a NumFields() call out of loop (Jon Siwek, Corelight)
  * Use const-ref parameter for zeek::val_list_to_args()
    It ended up being used a bit more than initially expected and this
    is closer to the style we're generally aiming for. (Jon Siwek, Corelight)
  * Fix missing IntrusivePtr.h include and ambiguous ODesc::Add call (Jon Siwek, Corelight)
  * Remove TimerMgr arg from event queuing/scheduling methods
    It's not useful for anything since there's only ever a single TimerMgr. (Jon Siwek, Corelight)
  * Deprecate Analyzer::ConnectionEvent()
    And update usages to Analyzer::EnqueueConnEvent() (Jon Siwek, Corelight)
  * Deprecate file_analysis::File::FileEvent methods using val_list args
    And update usages to the overload that takes a zeek::Args instead. (Jon Siwek, Corelight)
  * Deprecate Connection::ConnectionEvent methods
    And update usages to Connection::EnqueueEvent (Jon Siwek, Corelight)
  * Deprecate EventMgr::QueueEventFast() and update usages to Enqueue() (Jon Siwek, Corelight)
  * Deprecate EventMgr::QueueEvent() and update usages to Enqueue() (Jon Siwek, Corelight)
  * Deprecate Func::Call(val_list*, ...)
    The version taking a vector of intrusive pointers should be used
    instead.  A variadic version is also added that forwards all arguments. (Jon Siwek, Corelight)
  * Use vector<IntrusivePtr<Val>> for Func::Call and Event queuing args
    This change may break BIFs that use @ARGS@, @ARG@, or @ARGC@ since their
    types have changed. (Jon Siwek, Corelight)
  * Fix memory leak in Zeek when-statement bodies with runtime errors (Jon Siwek, Corelight)
  * Change TableVal::RecoverIndex() to return IntrusivePtr (Jon Siwek, Corelight)
  * Use IntrusivePtr in TableVal::CallExpireFunc (Jon Siwek, Corelight)
  * Fix memory leak when runtime error occurs in a Zeek for-loop (Jon Siwek, Corelight)
  * Enable leak checks for btests that produce runtime exceptions
    These were previously reporting leaks due to various allocations not
    getting cleaned up during the stack unwind, but at the current state of
    the transition toward IntrusivePtr usage, theses tests no longer leak. (Jon Siwek, Corelight)
 3.2.0-dev.280 | 2020-03-24 13:49:43 -0700
--- a/26
+++ b/26
@ -27,10 +27,14 @@ Changed Functionality
 ---------------------
 - Several C++ functions have been changed to pass smart pointers
-  (`class IntrusivePtr<>`) instead of raw pointers.  This makes the
+  (``class IntrusivePtr<>``) instead of raw pointers.  This makes the
  code more robust.  External plugins may need to be updated to this
  API change.
 - BIFs that use @ARG@, @ARGS@, or @ARGC@ may break since their type has
  changed: BIF arguments are now passed as a ``std::vector<IntrusivePtr<Val>>``
  rather than a ``val_list`` (i.e. ``List<Val*>``).
 Removed Functionality
 ---------------------
@ -43,6 +47,26 @@ Removed Functionality
 Deprecated Functionality
 ------------------------
 - The ``Func::Call(val_list*, ...)`` method is now deprecated.  The alternate
  overload taking a ``zeek::Args`` (``std::vector<IntrusivePtr<Val>>``) should
  be used instead.  There's also now a variadic template that forwards all
  arguments.
 - The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
  are now deprecated, use ``EventMgr::Enqueue()`` instead.
 - The ``Connection::ConnectionEvent()`` and
  ``Connection::ConnectionEventFast()`` methods are now deprecated, use
  ``Connection::EnqueueEvent()`` instead.
 - The ``file_analysis::File::FileEvent()`` methods taking ``val_list``
  arguments are now deprecated, use the overload that takes a ``zeek::Args``
  instead.
 - The ``analyzer::Analyzer::ConnectionEvent()`` and
  ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
  ``analyzer::Analyzer::EnqueueConnEvent()`` instead.
 Zeek 3.1.0
 ==========
--- a/2
+++ b/2
@ -1 +1 @@
-3.2.0-dev.280
+3.2.0-dev.300
--- a/aux/bifcl
+++ b/aux/bifcl
@ -1 +1 @@
-Subproject commit b3a5d01c041b78a9e50544ac891c5e0d35c116f7
+Subproject commit 92377e064d925389b1732d105a674f2f761615e6
--- a/src/Anon.cc
+++ b/src/Anon.cc
@ -421,12 +421,10 @@ ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl)
 void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
 	{
 	if ( anonymization_mapping )
-		{
+		mgr.Enqueue(anonymization_mapping,
-		mgr.QueueEventFast(anonymization_mapping, {
+			make_intrusive<AddrVal>(input),
-			new AddrVal(input),
+			make_intrusive<AddrVal>(output)
-			new AddrVal(output)
+		);
 		});
 		}
 	}
 #endif
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -282,6 +282,7 @@ set(MAIN_SRCS
    Val.cc
    Var.cc
    WeirdState.cc
    ZeekArgs.cc
    bsd-getopt-long.c
    bro_inet_ntop.c
    cq.c
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@ -207,7 +207,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 			auto tbl = tv->AsTable();
 			auto it = tbl->InitForIteration();
-			ListVal* lv = new ListVal(TYPE_ANY);
+			auto lv = make_intrusive<ListVal>(TYPE_ANY);
 			struct HashKeyComparer {
 				bool operator()(const HashKey* a, const HashKey* b) const
@ -229,7 +229,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 			while ( tbl->NextEntry(k, it) )
 				{
 				hashkeys[k] = idx++;
-				lv->Append(tv->RecoverIndex(k));
+				lv->Append(tv->RecoverIndex(k).release());
 				}
 			for ( auto& kv : hashkeys )
@ -242,10 +242,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 				if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key,
 				                            false)) )
 					{
 					Unref(lv);
 					return 0;
 					}
 				if ( ! v->Type()->IsSet() )
 					{
@ -253,14 +250,10 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 					if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(),
 								    val.get(), false)) )
 						{
 						Unref(lv);
 						return 0;
 						}
 					}
 				}
 			Unref(lv);
 			}
 			break;
--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -203,7 +203,7 @@ void Connection::NextPacket(double t, int is_orig,
 			is_successful = true;
 		if ( ! was_successful && is_successful && connection_successful )
-			ConnectionEventFast(connection_successful, nullptr, {BuildConnVal()});
+			EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		}
 	else
 		last_time = t;
@ -259,11 +259,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
 		// and at this stage it's not a *multiple* instance.
 		return;
-	ConnectionEventFast(e, 0, {
+	EnqueueEvent(e, nullptr,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		val_mgr->GetBool(is_orig),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-		val_mgr->GetCount(threshold)
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}
-	});
+	);
 	}
 void Connection::DeleteTimer(double /* t */)
@ -323,7 +323,7 @@ void Connection::EnableStatusUpdateTimer()
 void Connection::StatusUpdateTimer(double t)
 	{
-	ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });
+	EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	ADD_TIMER(&Connection::StatusUpdateTimer,
 			network_time + connection_status_update_interval, 0,
 			TIMER_CONN_STATUS_UPDATE);
@ -446,15 +446,13 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool
 void Connection::RemovalEvent()
 	{
-	auto cv = BuildConnVal();
+	auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()};
 	if ( connection_state_remove )
-		ConnectionEventFast(connection_state_remove, nullptr, {cv->Ref()});
+		EnqueueEvent(connection_state_remove, nullptr, cv);
 	if ( is_successful && successful_connection_remove )
-		ConnectionEventFast(successful_connection_remove, nullptr, {cv->Ref()});
+		EnqueueEvent(successful_connection_remove, nullptr, cv);
 	Unref(cv);
 	}
 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
@ -463,10 +461,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
 		return;
 	if ( name )
-		ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()});
+		EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	else
-		ConnectionEventFast(f, analyzer, {BuildConnVal()});
+		EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -479,39 +476,50 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
 		}
 	if ( v2 )
-		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2});
+		EnqueueEvent(f, analyzer,
 		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
 		             IntrusivePtr{AdoptRef{}, v1},
 		             IntrusivePtr{AdoptRef{}, v2});
 	else
-		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1});
+		EnqueueEvent(f, analyzer,
 		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
 		             IntrusivePtr{AdoptRef{}, v1});
 	}
 void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
 	auto args = zeek::val_list_to_args(vl);
 	if ( ! f )
 		{
 		// This may actually happen if there is no local handler
 		// and a previously existing remote handler went away.
 		for ( const auto& v : vl)
 			Unref(v);
 		return;
 		}
 	// "this" is passed as a cookie for the event
-	mgr.QueueEvent(f, std::move(vl), SOURCE_LOCAL,
+	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 			a ? a->GetID() : 0, timer_mgr, this);
 	}
 void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
 	// "this" is passed as a cookie for the event
-	mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL,
+	mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
-			a ? a->GetID() : 0, timer_mgr, this);
+	            a ? a->GetID() : 0, this);
 	}
 void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
 	{
-	ConnectionEvent(f, a, std::move(*vl));
+	auto args = zeek::val_list_to_args(*vl);
 	delete vl;
 	if ( f )
 		EnqueueEvent(f, a, std::move(args));
 	}
 void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a,
                              zeek::Args args)
 	{
 	// "this" is passed as a cookie for the event
 	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}
 void Connection::Weird(const char* name, const char* addl)
@ -688,12 +696,12 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
 		if ( connection_flow_label_changed &&
 		     (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
 			{
-			ConnectionEventFast(connection_flow_label_changed, 0, {
+			EnqueueEvent(connection_flow_label_changed, 0,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(is_orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-				val_mgr->GetCount(my_flow_label),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)},
-				val_mgr->GetCount(flow_label),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)}
-			});
+			);
 			}
 		my_flow_label = flow_label;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -5,6 +5,8 @@
 #include <sys/types.h>
 #include <string>
 #include <tuple>
 #include <type_traits>
 #include "Dict.h"
 #include "Timer.h"
@ -12,6 +14,8 @@
 #include "IPAddr.h"
 #include "UID.h"
 #include "WeirdState.h"
 #include "ZeekArgs.h"
 #include "IntrusivePtr.h"
 #include "iosource/Packet.h"
 #include "analyzer/Tag.h"
@ -187,6 +191,7 @@ public:
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// reference count for each element in the 'vl' list are decremented.  The
 	// arguments used for the event are whatevever is provided in 'vl'.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);
@ -194,6 +199,7 @@ public:
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' and also for decrementing the reference count
 	// of each of its elements.
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list* vl);
@ -205,9 +211,26 @@ public:
 	// the case where there's no handlers (one usually also does that because
 	// it would be a waste of effort to construct all the event arguments when
 	// there's no handlers to consume them).
 	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);
 	/**
 	 * Enqueues an event associated with this connection and given analyzer.
 	 */
 	void EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 	                  zeek::Args args);
 	/**
 	 * A version of EnqueueEvent() taking a variable number of arguments.
 	 */
 	template <class... Args>
 	std::enable_if_t<
 	  std::is_convertible_v<
 	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
 	EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args)
 		{ return EnqueueEvent(h, analyzer, zeek::Args{std::forward<Args>(args)...}); }
 	void Weird(const char* name, const char* addl = "");
 	bool DidWeird() const	{ return weird != 0; }
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -704,7 +704,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
 	if ( ! e )
 		return;
-	mgr.QueueEventFast(e, {BuildMappingVal(dm).release()});
+	mgr.Enqueue(e, BuildMappingVal(dm));
 	}
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
@ -713,11 +713,11 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
 	if ( ! e )
 		return;
-	mgr.QueueEventFast(e, {
+	mgr.Enqueue(e,
-		BuildMappingVal(dm).release(),
+		BuildMappingVal(dm),
-		l1->ConvertToSet(),
+		IntrusivePtr{AdoptRef{}, l1->ConvertToSet()},
-		l2->ConvertToSet(),
+		IntrusivePtr{AdoptRef{}, l2->ConvertToSet()}
-	});
+	);
 	}
 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@ -725,10 +725,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
 	if ( ! e )
 		return;
-	mgr.QueueEventFast(e, {
+	mgr.Enqueue(e, BuildMappingVal(old_dm), BuildMappingVal(new_dm));
 		BuildMappingVal(old_dm).release(),
 		BuildMappingVal(new_dm).release(),
 	});
 	}
 IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -39,11 +39,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 	if ( check_ip )
 		{
-		val_list args{ip->BuildPktHdrVal()};
+		zeek::Args args{{AdoptRef{}, ip->BuildPktHdrVal()}};
 		try
 			{
-			discard_packet = check_ip->Call(&args)->AsBool();
+			discard_packet = check_ip->Call(args)->AsBool();
 			}
 		catch ( InterpreterException& e )
@ -91,14 +91,14 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct tcphdr* tp = (const struct tcphdr*) data;
 			int th_len = tp->th_off * 4;
-			val_list args{
+			zeek::Args args{
-				ip->BuildPktHdrVal(),
+				{AdoptRef{}, ip->BuildPktHdrVal()},
-				BuildData(data, th_len, len, caplen),
+				{AdoptRef{}, BuildData(data, th_len, len, caplen)},
 			};
 			try
 				{
-				discard_packet = check_tcp->Call(&args)->AsBool();
+				discard_packet = check_tcp->Call(args)->AsBool();
 				}
 			catch ( InterpreterException& e )
@ -115,14 +115,14 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct udphdr* up = (const struct udphdr*) data;
 			int uh_len = sizeof (struct udphdr);
-			val_list args{
+			zeek::Args args{
-				ip->BuildPktHdrVal(),
+				{AdoptRef{}, ip->BuildPktHdrVal()},
-				BuildData(data, uh_len, len, caplen),
+				{AdoptRef{}, BuildData(data, uh_len, len, caplen)},
 			};
 			try
 				{
-				discard_packet = check_udp->Call(&args)->AsBool();
+				discard_packet = check_udp->Call(args)->AsBool();
 				}
 			catch ( InterpreterException& e )
@ -138,11 +138,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			{
 			const struct icmp* ih = (const struct icmp*) data;
-			val_list args{ip->BuildPktHdrVal()};
+			zeek::Args args{{AdoptRef{}, ip->BuildPktHdrVal()}};
 			try
 				{
-				discard_packet = check_icmp->Call(&args)->AsBool();
+				discard_packet = check_icmp->Call(args)->AsBool();
 				}
 			catch ( InterpreterException& e )
--- a/src/Event.cc
+++ b/src/Event.cc
@ -18,14 +18,12 @@ EventMgr mgr;
 uint64_t num_events_queued = 0;
 uint64_t num_events_dispatched = 0;
-Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
+Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args,
-		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
+             SourceID arg_src, analyzer::ID arg_aid, BroObj* arg_obj)
 		BroObj* arg_obj)
 	: handler(arg_handler),
 	  args(std::move(arg_args)),
 	  src(arg_src),
 	  aid(arg_aid),
 	  mgr(arg_mgr ? arg_mgr : timer_mgr),
 	  obj(arg_obj),
 	  next_event(nullptr)
 	{
@ -33,14 +31,6 @@ Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
 		Ref(obj);
 	}
 Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
 		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
 		BroObj* arg_obj)
 	: Event(arg_handler, std::move(*arg_args), arg_src, arg_aid, arg_mgr, arg_obj)
 	{
 	delete arg_args;
 	}
 void Event::Describe(ODesc* d) const
 	{
 	if ( d->IsReadable() )
@ -53,7 +43,7 @@ void Event::Describe(ODesc* d) const
 	if ( ! d->IsBinary() )
 		d->Add("(");
-	describe_vals(&args, d);
+	describe_vals(args, d);
 	if ( ! d->IsBinary() )
 		d->Add("(");
 	}
@ -68,7 +58,7 @@ void Event::Dispatch(bool no_remote)
 	try
 		{
-		handler->Call(&args, no_remote);
+		handler->Call(args, no_remote);
 		}
 	catch ( InterpreterException& e )
@ -88,7 +78,6 @@ EventMgr::EventMgr()
 	{
 	head = tail = 0;
 	current_src = SOURCE_LOCAL;
 	current_mgr = timer_mgr;
 	current_aid = 0;
 	src_val = 0;
 	draining = 0;
@ -106,17 +95,38 @@ EventMgr::~EventMgr()
 	Unref(src_val);
 	}
-void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
+void EventMgr::QueueEventFast(const EventHandlerPtr &h, val_list vl,
-			  SourceID src, analyzer::ID aid,
+                              SourceID src, analyzer::ID aid, TimerMgr* mgr,
-			  TimerMgr* mgr, BroObj* obj)
+                              BroObj* obj)
 	{
 	QueueEvent(new Event(h, zeek::val_list_to_args(vl), src, aid, obj));
 	}
 void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
                          SourceID src, analyzer::ID aid,
                          TimerMgr* mgr, BroObj* obj)
 	{
 	auto args = zeek::val_list_to_args(vl);
 	if ( h )
-		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
+		Enqueue(h, std::move(args), src, aid, obj);
-	else
+	}
-		{
+
-		for ( const auto& v : vl )
+void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list* vl,
-			Unref(v);
+                          SourceID src, analyzer::ID aid,
-		}
+                          TimerMgr* mgr, BroObj* obj)
 	{
 	auto args = zeek::val_list_to_args(*vl);
 	delete vl;
 	if ( h )
 		Enqueue(h, std::move(args), src, aid, obj);
 	}
 void EventMgr::Enqueue(const EventHandlerPtr& h, zeek::Args vl,
                       SourceID src, analyzer::ID aid, BroObj* obj)
 	{
 	QueueEvent(new Event(h, std::move(vl), src, aid, obj));
 	}
 void EventMgr::QueueEvent(Event* event)
@ -150,7 +160,7 @@ void EventMgr::Dispatch(Event* event, bool no_remote)
 void EventMgr::Drain()
 	{
 	if ( event_queue_flush_point )
-		QueueEventFast(event_queue_flush_point, val_list{});
+		Enqueue(event_queue_flush_point, zeek::Args{});
 	SegmentProfiler prof(segment_logger, "draining-events");
@ -176,7 +186,6 @@ void EventMgr::Drain()
 			Event* next = current->NextEvent();
 			current_src = current->Source();
 			current_mgr = current->Mgr();
 			current_aid = current->Analyzer();
 			current->Dispatch();
 			Unref(current);
--- a/src/Event.h
+++ b/src/Event.h
@ -6,29 +6,27 @@
 #include "analyzer/Analyzer.h"
 #include "iosource/IOSource.h"
 #include "Flare.h"
 #include "ZeekArgs.h"
 #include "IntrusivePtr.h"
 #include <tuple>
 #include <type_traits>
 class EventMgr;
 // We don't Unref() the individual arguments by using delete_vals()
 // in a dtor because Func::Call already does that.
 class Event : public BroObj {
 public:
-	Event(EventHandlerPtr handler, val_list args,
+	Event(EventHandlerPtr handler, zeek::Args args,
-		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
+	      SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-		TimerMgr* mgr = 0, BroObj* obj = 0);
+	      BroObj* obj = nullptr);
 	Event(EventHandlerPtr handler, val_list* args,
 		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 		TimerMgr* mgr = 0, BroObj* obj = 0);
 	void SetNext(Event* n)		{ next_event = n; }
 	Event* NextEvent() const	{ return next_event; }
 	SourceID Source() const		{ return src; }
 	analyzer::ID Analyzer() const	{ return aid; }
 	TimerMgr* Mgr() const		{ return mgr; }
 	EventHandlerPtr Handler() const	{ return handler; }
-	const val_list* Args() const	{ return &args; }
+	const zeek::Args& Args() const	{ return args; }
 	void Describe(ODesc* d) const override;
@ -40,10 +38,9 @@ protected:
 	void Dispatch(bool no_remote = false);
 	EventHandlerPtr handler;
-	val_list args;
+	zeek::Args args;
 	SourceID src;
 	analyzer::ID aid;
 	TimerMgr* mgr;
 	BroObj* obj;
 	Event* next_event;
 };
@ -64,12 +61,10 @@ public:
 	// against the case where there's no handlers (one usually also does that
 	// because it would be a waste of effort to construct all the event
 	// arguments when there's no handlers to consume them).
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEventFast(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-			TimerMgr* mgr = 0, BroObj* obj = 0)
+			TimerMgr* mgr = 0, BroObj* obj = 0);
 		{
 		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
 		}
 	// Queues an event if there's an event handler (or remote consumer).  This
 	// function always takes ownership of decrementing the reference count of
@ -77,6 +72,7 @@ public:
 	// checked for event handler existence, you may wish to call
 	// QueueEventFast() instead of this function to prevent the redundant
 	// existence check.
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEvent(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0);
@ -85,13 +81,36 @@ public:
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' as well as decrementing the reference count of
 	// each of its elements.
 	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEvent(const EventHandlerPtr &h, val_list* vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-			TimerMgr* mgr = 0, BroObj* obj = 0)
+			TimerMgr* mgr = 0, BroObj* obj = 0);
-		{
+
-		QueueEvent(h, std::move(*vl), src, aid, mgr, obj);
+	/**
-		delete vl;
+	 * Adds an event to the queue.  If no handler is found for the event
-		}
+	 * when later going to call it, nothing happens except for having
 	 * wasted a bit of time/resources, so callers may want to first check
 	 * if any handler/consumer exists before enqueuing an event.
 	 * @param h  reference to the event handler to later call.
 	 * @param vl  the argument list to the event handler call.
 	 * @param src  indicates the origin of the event (local versus remote).
 	 * @param aid  identifies the protocol analyzer generating the event.
 	 * @param obj  an arbitrary object to use as a "cookie" or just hold a
 	 * reference to until dispatching the event.
 	 */
 	void Enqueue(const EventHandlerPtr& h, zeek::Args vl,
 	             SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 	             BroObj* obj = nullptr);
 	/**
 	 * A version of Enqueue() taking a variable number of arguments.
 	 */
 	template <class... Args>
 	std::enable_if_t<
 	  std::is_convertible_v<
 	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
 	Enqueue(const EventHandlerPtr& h, Args&&... args)
 		{ return Enqueue(h, zeek::Args{std::forward<Args>(args)...}); }
 	void Dispatch(Event* event, bool no_remote = false);
@ -107,9 +126,6 @@ public:
 	// non-analyzer event.
 	analyzer::ID CurrentAnalyzer() const	{ return current_aid; }
 	// Returns the timer mgr associated with the last raised event.
 	TimerMgr* CurrentTimerMgr() const	{ return current_mgr; }
 	int Size() const
 		{ return num_events_queued - num_events_dispatched; }
@ -127,7 +143,6 @@ protected:
 	Event* tail;
 	SourceID current_src;
 	analyzer::ID current_aid;
 	TimerMgr* current_mgr;
 	RecordVal* src_val;
 	bool draining;
 	bro::Flare queue_flare;
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@ -60,7 +60,7 @@ void EventHandler::SetLocalHandler(Func* f)
 	local = f;
 	}
-void EventHandler::Call(val_list* vl, bool no_remote)
+void EventHandler::Call(const zeek::Args& vl, bool no_remote)
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Event: %s\n", Name());
@ -75,12 +75,12 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 			{
 			// Send event in form [name, xs...] where xs represent the arguments.
 			broker::vector xs;
-			xs.reserve(vl->length());
+			xs.reserve(vl.size());
 			bool valid_args = true;
-			for ( auto i = 0; i < vl->length(); ++i )
+			for ( auto i = 0u; i < vl.size(); ++i )
 				{
-				auto opt_data = bro_broker::val_to_data((*vl)[i]);
+				auto opt_data = bro_broker::val_to_data(vl[i].get());
 				if ( opt_data )
 					xs.emplace_back(move(*opt_data));
@ -115,14 +115,9 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 	if ( local )
 		// No try/catch here; we pass exceptions upstream.
 		local->Call(vl);
 	else
 		{
 		for ( auto v : *vl )
 			Unref(v);
 		}
 	}
-void EventHandler::NewEvent(val_list* vl)
+void EventHandler::NewEvent(const zeek::Args& vl)
 	{
 	if ( ! new_event )
 		return;
@ -132,7 +127,7 @@ void EventHandler::NewEvent(val_list* vl)
 		return;
 	RecordType* args = FType()->Args();
-	VectorVal* vargs = new VectorVal(call_argument_vector);
+	auto vargs = make_intrusive<VectorVal>(call_argument_vector);
 	for ( int i = 0; i < args->NumFields(); i++ )
 		{
@ -151,19 +146,15 @@ void EventHandler::NewEvent(val_list* vl)
 		if ( fdefault )
 			rec->Assign(2, std::move(fdefault));
-		if ( i < vl->length() && (*vl)[i] )
+		if ( i < static_cast<int>(vl.size()) && vl[i] )
-			{
+			rec->Assign(3, vl[i]);
 			Val* val = (*vl)[i];
 			Ref(val);
 			rec->Assign(3, val);
 			}
 		vargs->Assign(i, std::move(rec));
 		}
 	Event* ev = new Event(new_event, {
-		new StringVal(name),
+		make_intrusive<StringVal>(name),
-		vargs,
+		std::move(vargs),
 	});
 	mgr.Dispatch(ev);
 	}
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@ -3,6 +3,7 @@
 #pragma once
 #include "BroList.h"
 #include "ZeekArgs.h"
 #include <unordered_set>
 #include <string>
@ -31,7 +32,7 @@ public:
 		auto_publish.erase(topic);
 		}
-	void Call(val_list* vl, bool no_remote = false);
+	void Call(const zeek::Args& vl, bool no_remote = false);
 	// Returns true if there is at least one local or remote handler.
 	explicit operator  bool() const;
@ -52,7 +53,7 @@ public:
 	bool GenerateAlways()	{ return generate_always; }
 private:
-	void NewEvent(val_list* vl);	// Raise new_event() meta event.
+	void NewEvent(const zeek::Args& vl);	// Raise new_event() meta event.
 	const char* name;
 	Func* local;
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -3884,12 +3884,11 @@ IntrusivePtr<Val> FlattenExpr::Fold(Val* v) const
 	return l;
 	}
-ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
+ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, zeek::Args arg_args,
-                             double t, TimerMgr* arg_tmgr)
+                             double t)
 	: Timer(t, TIMER_SCHEDULE),
-	  event(arg_event), args(std::move(*arg_args)), tmgr(arg_tmgr)
+	  event(arg_event), args(std::move(arg_args))
 	{
 	delete arg_args;
 	}
 ScheduleTimer::~ScheduleTimer()
@ -3898,7 +3897,8 @@ ScheduleTimer::~ScheduleTimer()
 void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
 	{
-	mgr.QueueEvent(event, std::move(args), SOURCE_LOCAL, 0, tmgr);
+	if ( event )
 		mgr.Enqueue(event, std::move(args));
 	}
 ScheduleExpr::ScheduleExpr(IntrusivePtr<Expr> arg_when,
@ -3937,17 +3937,10 @@ IntrusivePtr<Val> ScheduleExpr::Eval(Frame* f) const
 	if ( when->Type()->Tag() == TYPE_INTERVAL )
 		dt += network_time;
-	val_list* args = eval_list(f, event->Args());
+	auto args = eval_list(f, event->Args());
 	if ( args )
-		{
+		timer_mgr->Add(new ScheduleTimer(event->Handler(), std::move(*args), dt));
 		TimerMgr* tmgr = mgr.CurrentTimerMgr();
 		if ( ! tmgr )
 			tmgr = timer_mgr;
 		tmgr->Add(new ScheduleTimer(event->Handler(), args, dt, tmgr));
 		}
 	return nullptr;
 	}
@ -4236,7 +4229,7 @@ IntrusivePtr<Val> CallExpr::Eval(Frame* f) const
 	IntrusivePtr<Val> ret;
 	auto func_val = func->Eval(f);
-	val_list* v = eval_list(f, args.get());
+	auto v = eval_list(f, args.get());
 	if ( func_val && v )
 		{
@ -4246,16 +4239,11 @@ IntrusivePtr<Val> CallExpr::Eval(Frame* f) const
 		if ( f )
 			f->SetCall(this);
-		ret = func->Call(v, f);
+		ret = func->Call(*v, f);
 		if ( f )
 			f->SetCall(current_call);
 		// Don't Unref() the arguments, as Func::Call already did that.
 		delete v;
 		}
 	else
 		delete_vals(v);
 	return ret;
 	}
@ -4448,9 +4436,10 @@ IntrusivePtr<Val> EventExpr::Eval(Frame* f) const
 	if ( IsError() )
 		return nullptr;
-	val_list* v = eval_list(f, args.get());
+	auto v = eval_list(f, args.get());
-	mgr.QueueEvent(handler, std::move(*v));
+
-	delete v;
+	if ( handler )
 		mgr.Enqueue(handler, std::move(*v));
 	return nullptr;
 	}
@ -5176,36 +5165,23 @@ int check_and_promote_exprs_to_type(ListExpr* const elements, BroType* type)
 	return 1;
 	}
-val_list* eval_list(Frame* f, const ListExpr* l)
+std::optional<std::vector<IntrusivePtr<Val>>> eval_list(Frame* f, const ListExpr* l)
 	{
 	const expr_list& e = l->Exprs();
-	val_list* v = new val_list(e.length());
+	auto rval = std::make_optional<std::vector<IntrusivePtr<Val>>>();
-	bool success = true;
+	rval->reserve(e.length());
 	for ( const auto& expr : e )
 		{
 		auto ev = expr->Eval(f);
 		if ( ! ev )
-			{
+			return {};
 			success = false;
 			break;
 			}
-		v->push_back(ev.release());
+		rval->emplace_back(std::move(ev));
 		}
-	if ( ! success )
+	return rval;
 		{
 		for ( const auto& val : *v )
 			Unref(val);
 		delete v;
 		return nullptr;
 		}
 	else
 		return v;
 	}
 bool expr_greater(const Expr* e1, const Expr* e2)
--- a/src/Expr.h
+++ b/src/Expr.h
@ -9,10 +9,13 @@
 #include "EventHandler.h"
 #include "TraverseTypes.h"
 #include "Val.h"
 #include "ZeekArgs.h"
 #include <memory>
 #include <string>
 #include <vector>
 #include <utility>
 #include <optional>
 using std::string;
@ -737,16 +740,14 @@ protected:
 class ScheduleTimer : public Timer {
 public:
-	ScheduleTimer(EventHandlerPtr event, val_list* args, double t,
+	ScheduleTimer(EventHandlerPtr event, zeek::Args args, double t);
 			TimerMgr* tmgr);
 	~ScheduleTimer() override;
 	void Dispatch(double t, int is_expire) override;
 protected:
 	EventHandlerPtr event;
-	val_list args;
+	zeek::Args args;
 	TimerMgr* tmgr;
 };
 class ScheduleExpr : public Expr {
@ -936,9 +937,9 @@ extern int check_and_promote_exprs(ListExpr* elements, TypeList* types);
 extern int check_and_promote_args(ListExpr* args, RecordType* types);
 extern int check_and_promote_exprs_to_type(ListExpr* elements, BroType* type);
-// Returns a ListExpr simplified down to a list a values, or a nil
+// Returns a ListExpr simplified down to a list a values, or nil
-// pointer if they couldn't all be reduced.
+// if they couldn't all be reduced.
-val_list* eval_list(Frame* f, const ListExpr* l);
+std::optional<std::vector<IntrusivePtr<Val>>> eval_list(Frame* f, const ListExpr* l);
 // Returns true if e1 is "greater" than e2 - here "greater" is just
 // a heuristic, used with commutative operators to put them into
--- a/src/File.cc
+++ b/src/File.cc
@ -325,7 +325,7 @@ void BroFile::RaiseOpenEvent()
 		return;
 	Ref(this);
-	Event* event = new ::Event(::file_opened, {new Val(this)});
+	Event* event = new ::Event(::file_opened, {make_intrusive<Val>(this)});
 	mgr.Dispatch(event, true);
 	}
--- a/src/Frame.cc
+++ b/src/Frame.cc
@ -14,7 +14,7 @@
 vector<Frame*> g_frame_stack;
-Frame::Frame(int arg_size, const BroFunc* func, const val_list* fn_args)
+Frame::Frame(int arg_size, const BroFunc* func, const zeek::Args* fn_args)
 	{
 	size = arg_size;
 	frame = new Val*[size];
--- a/src/Frame.h
+++ b/src/Frame.h
@ -5,6 +5,7 @@
 #include "BroList.h" // for typedef val_list
 #include "Obj.h"
 #include "IntrusivePtr.h"
 #include "ZeekArgs.h"
 #include <unordered_map>
 #include <string>
@ -28,7 +29,7 @@ public:
 	 * @param func the function that is creating this frame
 	 * @param fn_args the arguments being passed to that function.
 	 */
-	Frame(int size, const BroFunc* func, const val_list *fn_args);
+	Frame(int size, const BroFunc* func, const zeek::Args* fn_args);
 	/**
 	 * Deletes the frame. Unrefs its trigger, the values that it
@ -100,7 +101,7 @@ public:
 	 * @return the arguments passed to the function that this frame
 	 * is associated with.
 	 */
-	const val_list* GetFuncArgs() const	{ return func_args; }
+	const zeek::Args* GetFuncArgs() const	{ return func_args; }
 	/**
 	 * Change the function that the frame is associated with.
@ -283,7 +284,7 @@ private:
 	/** The function this frame is associated with. */
 	const BroFunc* function;
 	/** The arguments to the function that this Frame is associated with. */
-	const val_list* func_args;
+	const zeek::Args* func_args;
 	/** The next statement to be evaluted in the context of this frame. */
 	Stmt* next_stmt;
--- a/src/Func.cc
+++ b/src/Func.cc
@ -79,19 +79,16 @@ std::string render_call_stack()
 		auto name = ci.func->Name();
 		std::string arg_desc;
-		if ( ci.args )
+		for ( const auto& arg : ci.args )
 			{
-			for ( const auto& arg : *ci.args )
+			ODesc d;
-				{
+			d.SetShort();
-				ODesc d;
+			arg->Describe(&d);
 				d.SetShort();
 				arg->Describe(&d);
-				if ( ! arg_desc.empty() )
+			if ( ! arg_desc.empty() )
-					arg_desc += ", ";
+				arg_desc += ", ";
-				arg_desc += d.Description();
+			arg_desc += d.Description();
 				}
 			}
 		rval += fmt("#%d %s(%s)", lvl, name, arg_desc.data());
@ -143,23 +140,24 @@ IntrusivePtr<Func> Func::DoClone()
 	return {NewRef{}, this};
 	}
-void Func::DescribeDebug(ODesc* d, const val_list* args) const
+void Func::DescribeDebug(ODesc* d, const zeek::Args* args) const
 	{
 	d->Add(Name());
 	RecordType* func_args = FType()->Args();
 	if ( args )
 		{
 		d->Add("(");
 		RecordType* func_args = FType()->Args();
 		auto num_fields = static_cast<size_t>(func_args->NumFields());
-		for ( int i = 0; i < args->length(); ++i )
+		for ( auto i = 0u; i < args->size(); ++i )
 			{
 			// Handle varargs case (more args than formals).
-			if ( i >= func_args->NumFields() )
+			if ( i >= num_fields )
 				{
 				d->Add("vararg");
-				d->Add(i - func_args->NumFields());
+				int va_num = i - num_fields;
 				d->Add(va_num);
 				}
 			else
 				d->Add(func_args->FieldName(i));
@ -167,7 +165,7 @@ void Func::DescribeDebug(ODesc* d, const val_list* args) const
 			d->Add(" = '");
 			(*args)[i]->Describe(d);
-			if ( i < args->length() - 1 )
+			if ( i < args->size() - 1 )
 				d->Add("', ");
 			else
 				d->Add("'");
@ -217,7 +215,7 @@ void Func::CopyStateInto(Func* other) const
 	other->unique_id = unique_id;
 	}
-std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_result, val_list* args, function_flavor flavor) const
+std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_result, function_flavor flavor) const
 	{
 	// Helper function factoring out this code from BroFunc:Call() for
 	// better readability.
@ -265,9 +263,6 @@ std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_resu
 		}
 	}
 	for ( const auto& arg : *args )
 		Unref(arg);
 	return plugin_result;
 	}
@ -300,7 +295,12 @@ int BroFunc::IsPure() const
 		[](const Body& b) { return b.stmts->IsPure(); });
 	}
-IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
+IntrusivePtr<Val> Func::Call(val_list* args, Frame* parent) const
 	{
 	return Call(zeek::val_list_to_args(*args), parent);
 	}
 IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", Name());
@ -312,7 +312,7 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 	std::pair<bool, Val*> plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), empty_hook_result);
-	plugin_result = HandlePluginResult(plugin_result, args, Flavor());
+	plugin_result = HandlePluginResult(plugin_result,  Flavor());
 	if( plugin_result.first )
 		return {AdoptRef{}, plugin_result.second};
@ -321,13 +321,10 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 		{
 		// Can only happen for events and hooks.
 		assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
 		for ( const auto& arg : *args )
 			Unref(arg);
 		return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr;
 		}
-	auto f = make_intrusive<Frame>(frame_size, this, args);
+	auto f = make_intrusive<Frame>(frame_size, this, &args);
 	if ( closure )
 		f->CaptureClosure(closure, outer_ids);
@ -346,7 +343,7 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 	if ( g_trace_state.DoTrace() )
 		{
 		ODesc d;
-		DescribeDebug(&d, args);
+		DescribeDebug(&d, &args);
 		g_trace_state.LogTrace("%s called: %s\n",
 			FType()->FlavorString().c_str(), d.Description());
@ -362,19 +359,16 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 				body.stmts->GetLocationInfo());
 		// Fill in the rest of the frame with the function's arguments.
-		loop_over_list(*args, j)
+		for ( auto j = 0u; j < args.size(); ++j )
 			{
-			Val* arg = (*args)[j];
+			Val* arg = args[j].get();
 			if ( f->NthElement(j) != arg )
 				{
 				// Either not yet set, or somebody reassigned the frame slot.
-				Ref(arg);
+				f->SetElement(j, arg->Ref());
 				f->SetElement(j, arg);
 				}
 			}
-		f->Reset(args->length());
+		f->Reset(args.size());
 		try
 			{
@ -421,11 +415,6 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 	call_stack.pop_back();
 	// We have an extra Ref for each argument (so that they don't get
 	// deleted between bodies), release that.
 	for ( const auto& arg : *args )
 		Unref(arg);
 	if ( Flavor() == FUNC_FLAVOR_HOOK )
 		{
 		if ( ! result )
@ -612,7 +601,7 @@ int BuiltinFunc::IsPure() const
 	return is_pure;
 	}
-IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const
+IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", Name());
@ -624,7 +613,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const
 	std::pair<bool, Val*> plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), empty_hook_result);
-	plugin_result = HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION);
+	plugin_result = HandlePluginResult(plugin_result, FUNC_FLAVOR_FUNCTION);
 	if ( plugin_result.first )
 		return {AdoptRef{}, plugin_result.second};
@ -632,20 +621,16 @@ IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const
 	if ( g_trace_state.DoTrace() )
 		{
 		ODesc d;
-		DescribeDebug(&d, args);
+		DescribeDebug(&d, &args);
 		g_trace_state.LogTrace("\tBuiltin Function called: %s\n", d.Description());
 		}
 	const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
 	call_stack.emplace_back(CallInfo{call_expr, this, args});
-	IntrusivePtr<Val> result{AdoptRef{}, func(parent, args)};
+	IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)};
 	call_stack.pop_back();
 	for ( const auto& arg : *args )
 		Unref(arg);
 	// Don't Unref() args, that's the caller's responsibility.
 	if ( result && g_trace_state.DoTrace() )
 		{
 		ODesc d;
@ -663,6 +648,16 @@ void BuiltinFunc::Describe(ODesc* d) const
 	d->AddCount(is_pure);
 	}
 void builtin_error(const char* msg)
 	{
 	builtin_error(msg, IntrusivePtr<Val>{});
 	}
 void builtin_error(const char* msg, IntrusivePtr<Val> arg)
 	{
 	builtin_error(msg, arg.get());
 	}
 void builtin_error(const char* msg, BroObj* arg)
 	{
 	auto emit = [=](const CallExpr* ce)
--- a/src/Func.h
+++ b/src/Func.h
@ -7,11 +7,14 @@
 #include "IntrusivePtr.h"
 #include "Type.h" /* for function_flavor */
 #include "TraverseTypes.h"
 #include "ZeekArgs.h"
 #include <utility>
 #include <memory>
 #include <string>
 #include <vector>
 #include <tuple>
 #include <type_traits>
 #include <broker/data.hh>
 #include <broker/expected.hh>
@ -30,7 +33,6 @@ class Scope;
 class Func : public BroObj {
 public:
 	enum Kind { BRO_FUNC, BUILTIN_FUNC };
 	explicit Func(Kind arg_kind);
@ -50,7 +52,27 @@ public:
 	const vector<Body>& GetBodies() const	{ return bodies; }
 	bool HasBodies() const	{ return bodies.size(); }
-	virtual IntrusivePtr<Val> Call(val_list* args, Frame* parent = 0) const = 0;
+	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
 	virtual IntrusivePtr<Val> Call(val_list* args, Frame* parent = nullptr) const;
 	/**
 	 * Calls a Zeek function.
 	 * @param args  the list of arguments to the function call.
 	 * @param parent  the frame from which the function is being called.
 	 * @return  the return value of the function call.
 	 */
 	virtual IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent = nullptr) const = 0;
 	/**
 	 * A version of Call() taking a variable number of individual arguments.
 	 */
 	template <class... Args>
 	std::enable_if_t<
 	  std::is_convertible_v<std::tuple_element_t<0, std::tuple<Args...>>,
 	                        IntrusivePtr<Val>>,
 	  IntrusivePtr<Val>>
 	Call(Args&&... args) const
 		{ return Call(zeek::Args{std::forward<Args>(args)...}); }
 	// Add a new event handler to an existing function (event).
 	virtual void AddBody(IntrusivePtr<Stmt> new_body, id_list* new_inits,
@ -67,7 +89,7 @@ public:
 	void SetName(const char* arg_name)	{ name = arg_name; }
 	void Describe(ODesc* d) const override = 0;
-	virtual void DescribeDebug(ODesc* d, const val_list* args) const;
+	virtual void DescribeDebug(ODesc* d, const zeek::Args* args) const;
 	virtual IntrusivePtr<Func> DoClone();
@ -84,7 +106,7 @@ protected:
 	void CopyStateInto(Func* other) const;
 	// Helper function for handling result of plugin hook.
-	std::pair<bool, Val*> HandlePluginResult(std::pair<bool, Val*> plugin_result, val_list* args, function_flavor flavor) const;
+	std::pair<bool, Val*> HandlePluginResult(std::pair<bool, Val*> plugin_result, function_flavor flavor) const;
 	vector<Body> bodies;
 	IntrusivePtr<Scope> scope;
@ -102,7 +124,7 @@ public:
 	~BroFunc() override;
 	int IsPure() const override;
-	IntrusivePtr<Val> Call(val_list* args, Frame* parent) const override;
+	IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent) const override;
 	/**
 	 * Adds adds a closure to the function. Closures are cloned and
@ -169,7 +191,7 @@ private:
 	bool weak_closure_ref = false;
 };
-typedef Val* (*built_in_func)(Frame* frame, val_list* args);
+using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args);
 class BuiltinFunc : public Func {
 public:
@ -177,7 +199,7 @@ public:
 	~BuiltinFunc() override;
 	int IsPure() const override;
-	IntrusivePtr<Val> Call(val_list* args, Frame* parent) const override;
+	IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent) const override;
 	built_in_func TheFunc() const	{ return func; }
 	void Describe(ODesc* d) const override;
@ -190,7 +212,9 @@ protected:
 };
-extern void builtin_error(const char* msg, BroObj* arg = 0);
+extern void builtin_error(const char* msg);
 extern void builtin_error(const char* msg, IntrusivePtr<Val>);
 extern void builtin_error(const char* msg, BroObj* arg);
 extern void init_builtin_funcs();
 extern void init_builtin_funcs_subdirs();
@ -199,7 +223,7 @@ extern bool check_built_in_call(BuiltinFunc* f, CallExpr* call);
 struct CallInfo {
 	const CallExpr* call;
 	const Func* func;
-	const val_list* args;
+	const zeek::Args& args;
 };
 // Struct that collects all the specifics defining a Func. Used for BroFuncs
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@ -221,6 +221,26 @@ MD5Val::~MD5Val()
 		EVP_MD_CTX_free(ctx);
 	}
 void HashVal::digest_one(EVP_MD_CTX* h, const Val* v)
 	{
 	if ( v->Type()->Tag() == TYPE_STRING )
 		{
 		const BroString* str = v->AsString();
 		hash_update(h, str->Bytes(), str->Len());
 		}
 	else
 		{
 		ODesc d(DESC_BINARY);
 		v->Describe(&d);
 		hash_update(h, (const u_char *) d.Bytes(), d.Len());
 		}
 	}
 void HashVal::digest_one(EVP_MD_CTX* h, const IntrusivePtr<Val>& v)
 	{
 	digest_one(h, v.get());
 	}
 IntrusivePtr<Val> MD5Val::DoClone(CloneState* state)
 	{
 	auto out = make_intrusive<MD5Val>();
@ -236,39 +256,6 @@ IntrusivePtr<Val> MD5Val::DoClone(CloneState* state)
 	return state->NewClone(this, std::move(out));
 	}
 void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
 	{
 	EVP_MD_CTX* h = hash_init(Hash_MD5);
 	for ( const auto& v : vlist )
 		{
 		if ( v->Type()->Tag() == TYPE_STRING )
 			{
 			const BroString* str = v->AsString();
 			hash_update(h, str->Bytes(), str->Len());
 			}
 		else
 			{
 			ODesc d(DESC_BINARY);
 			v->Describe(&d);
 			hash_update(h, (const u_char *) d.Bytes(), d.Len());
 			}
 		}
 	hash_final(h, result);
 	}
 void MD5Val::hmac(val_list& vlist,
                  u_char key[MD5_DIGEST_LENGTH],
                  u_char result[MD5_DIGEST_LENGTH])
 	{
 	digest(vlist, result);
 	for ( int i = 0; i < MD5_DIGEST_LENGTH; ++i )
 		result[i] ^= key[i];
 	internal_md5(result, MD5_DIGEST_LENGTH, result);
 	}
 bool MD5Val::DoInit()
 	{
 	assert(! IsValid());
@ -389,28 +376,6 @@ IntrusivePtr<Val> SHA1Val::DoClone(CloneState* state)
 	return state->NewClone(this, std::move(out));
 	}
 void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
 	{
 	EVP_MD_CTX* h = hash_init(Hash_SHA1);
 	for ( const auto& v : vlist )
 		{
 		if ( v->Type()->Tag() == TYPE_STRING )
 			{
 			const BroString* str = v->AsString();
 			hash_update(h, str->Bytes(), str->Len());
 			}
 		else
 			{
 			ODesc d(DESC_BINARY);
 			v->Describe(&d);
 			hash_update(h, (const u_char *) d.Bytes(), d.Len());
 			}
 		}
 	hash_final(h, result);
 	}
 bool SHA1Val::DoInit()
 	{
 	assert(! IsValid());
@ -535,28 +500,6 @@ IntrusivePtr<Val> SHA256Val::DoClone(CloneState* state)
 	return state->NewClone(this, std::move(out));
 	}
 void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
 	{
 	EVP_MD_CTX* h = hash_init(Hash_SHA256);
 	for ( const auto& v : vlist )
 		{
 		if ( v->Type()->Tag() == TYPE_STRING )
 			{
 			const BroString* str = v->AsString();
 			hash_update(h, str->Bytes(), str->Len());
 			}
 		else
 			{
 			ODesc d(DESC_BINARY);
 			v->Describe(&d);
 			hash_update(h, (const u_char *) d.Bytes(), d.Len());
 			}
 		}
 	hash_final(h, result);
 	}
 bool SHA256Val::DoInit()
 	{
 	assert( ! IsValid() );
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@ -162,12 +162,26 @@ namespace probabilistic {
 class HashVal : public OpaqueVal {
 public:
 	template <class T>
 	static void digest_all(HashAlgorithm alg, const T& vlist, u_char* result)
 		{
 		auto h = hash_init(alg);
 		for ( const auto& v : vlist )
 			digest_one(h, v);
 		hash_final(h, result);
 		}
 	bool IsValid() const;
 	bool Init();
 	bool Feed(const void* data, size_t size);
 	IntrusivePtr<StringVal> Get();
 protected:
 	static void digest_one(EVP_MD_CTX* h, const Val* v);
 	static void digest_one(EVP_MD_CTX* h, const IntrusivePtr<Val>& v);
 	HashVal()	{ valid = false; }
 	explicit HashVal(OpaqueType* t);
@ -182,11 +196,22 @@ private:
 class MD5Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH]);
+	template <class T>
 	static void digest(const T& vlist, u_char result[MD5_DIGEST_LENGTH])
 		{ digest_all(Hash_MD5, vlist, result); }
-	static void hmac(val_list& vlist,
+	template <class T>
-			 u_char key[MD5_DIGEST_LENGTH],
+	static void hmac(const T& vlist,
-			 u_char result[MD5_DIGEST_LENGTH]);
+	                 u_char key[MD5_DIGEST_LENGTH],
 	                 u_char result[MD5_DIGEST_LENGTH])
 		{
 		digest(vlist, result);
 		for ( int i = 0; i < MD5_DIGEST_LENGTH; ++i )
 			result[i] ^= key[i];
 		internal_md5(result, MD5_DIGEST_LENGTH, result);
 		}
 	MD5Val();
 	~MD5Val();
@ -207,7 +232,9 @@ private:
 class SHA1Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH]);
+	template <class T>
 	static void digest(const T& vlist, u_char result[SHA_DIGEST_LENGTH])
 		{ digest_all(Hash_SHA1, vlist, result); }
 	SHA1Val();
 	~SHA1Val();
@ -228,7 +255,9 @@ private:
 class SHA256Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH]);
+	template <class T>
 	static void digest(const T& vlist, u_char result[SHA256_DIGEST_LENGTH])
 		{ digest_all(Hash_SHA256, vlist, result); }
 	SHA256Val();
 	~SHA256Val();
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -80,7 +80,6 @@ void Reporter::InitOptions()
 		auto index = wl_val->RecoverIndex(k);
 		string key = index->Index(0)->AsString()->CheckString();
 		weird_sampling_whitelist.emplace(move(key));
 		Unref(index);
 		delete k;
 		}
 	}
@ -481,26 +480,28 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		auto vl_size = 1 + (bool)time + (bool)location + (bool)conn +
 		               (addl ? addl->length() : 0);
-		val_list vl(vl_size);
+		zeek::Args vl;
 		vl.reserve(vl_size);
 		if ( time )
-			vl.push_back(new Val(network_time ? network_time : current_time(), TYPE_TIME));
+			vl.emplace_back(make_intrusive<Val>(network_time ? network_time : current_time(), TYPE_TIME));
-		vl.push_back(new StringVal(buffer));
+		vl.emplace_back(make_intrusive<StringVal>(buffer));
 		if ( location )
-			vl.push_back(new StringVal(loc_str.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));
 		if ( conn )
-			vl.push_back(conn->BuildConnVal());
+			vl.emplace_back(AdoptRef{}, conn->BuildConnVal());
 		if ( addl )
-			std::copy(addl->begin(), addl->end(), std::back_inserter(vl));
+			for ( auto v : *addl )
 				vl.emplace_back(AdoptRef{}, v);
 		if ( conn )
-			conn->ConnectionEventFast(event, 0, std::move(vl));
+			conn->EnqueueEvent(event, nullptr, std::move(vl));
 		else
-			mgr.QueueEventFast(event, std::move(vl));
+			mgr.Enqueue(event, std::move(vl));
 		}
 	else
 		{
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@ -21,13 +21,11 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
 				const u_char* data, int len)
 	{
 	if ( signature_match )
-		{
+		mgr.Enqueue(signature_match,
-		mgr.QueueEventFast(signature_match, {
+			IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
-			rule_matcher->BuildRuleStateValue(parent, state),
+			make_intrusive<StringVal>(msg),
-			new StringVal(msg),
+			data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}
-			data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),
+		);
 		});
 		}
 	}
 void RuleActionEvent::PrintDebug()
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -167,19 +167,20 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 		return id->ID_Val()->AsBool();
 	// Call function with a signature_state value as argument.
-	val_list args(2);
+	zeek::Args args;
-	args.push_back(rule_matcher->BuildRuleStateValue(rule, state));
+	args.reserve(2);
 	args.emplace_back(AdoptRef{}, rule_matcher->BuildRuleStateValue(rule, state));
 	if ( data )
-		args.push_back(new StringVal(len, (const char*) data));
+		args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
 	else
-		args.push_back(val_mgr->GetEmptyString());
+		args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 	bool result = false;
 	try
 		{
-		auto val = id->ID_Val()->AsFunc()->Call(&args);
+		auto val = id->ID_Val()->AsFunc()->Call(args);
 		result = val && val->AsBool();
 		}
--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -123,7 +123,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 	SegmentProfiler prof(segment_logger, "dispatching-packet");
 	if ( raw_packet )
-		mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()});
+		mgr.Enqueue(raw_packet, IntrusivePtr{AdoptRef{}, pkt->BuildPktHdrVal()});
 	if ( pkt_profiler )
 		pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -310,7 +310,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		{
 		dump_this_packet = 1;
 		if ( esp_packet )
-			mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()});
+			mgr.Enqueue(esp_packet, IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
 		// Can't do more since upper-layer payloads are going to be encrypted.
 		return;
@ -330,7 +330,8 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 			}
 		if ( mobile_ipv6_message )
-			mgr.QueueEvent(mobile_ipv6_message, {ip_hdr->BuildPktHdrVal()});
+			mgr.Enqueue(mobile_ipv6_message,
 			            IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});
 		if ( ip_hdr->NextProto() != IPPROTO_NONE )
 			Weird("mobility_piggyback", pkt, encapsulation);
--- a/src/Stats.cc
+++ b/src/Stats.cc
@ -314,8 +314,8 @@ void ProfileLogger::Log()
 		{
 		Ref(file);
 		mgr.Dispatch(new Event(profiling_update, {
-			new Val(file),
+			make_intrusive<Val>(file),
-			val_mgr->GetBool(expensive),
+			{AdoptRef{}, val_mgr->GetBool(expensive)},
 		}));
 		}
 	}
@ -372,11 +372,11 @@ void SampleLogger::SegmentProfile(const char* /* name */,
 					double dtime, int dmem)
 	{
 	if ( load_sample )
-		mgr.QueueEventFast(load_sample, {
+		mgr.Enqueue(load_sample,
-			load_samples->Ref(),
+			IntrusivePtr{NewRef{}, load_samples},
-			new IntervalVal(dtime, Seconds),
+			make_intrusive<IntervalVal>(dtime, Seconds),
-			val_mgr->GetInt(dmem)
+			IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)}
-		});
+		);
 	}
 void SegmentProfiler::Init()
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@ -151,15 +151,12 @@ IntrusivePtr<Val> ExprListStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	last_access = network_time;
 	flow = FLOW_NEXT;
-	val_list* vals = eval_list(f, l.get());
+	auto vals = eval_list(f, l.get());
 	if ( vals )
-		{
+		return DoExec(std::move(*vals), flow);
-		auto result = DoExec(vals, flow);
+
-		delete_vals(vals);
+	return nullptr;
 		return result;
 		}
 	else
 		return nullptr;
 	}
 void ExprListStmt::Describe(ODesc* d) const
@ -169,11 +166,6 @@ void ExprListStmt::Describe(ODesc* d) const
 	DescribeDone(d);
 	}
 void ExprListStmt::PrintVals(ODesc* d, val_list* vals, int offset) const
 	{
 	describe_vals(vals, d, offset);
 	}
 TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
 	{
 	TraversalCode tc = cb->PreStmt(this);
@ -206,13 +198,13 @@ static IntrusivePtr<EnumVal> lookup_enum_val(const char* module_name, const char
 	return et->GetVal(index);
 	}
-static void print_log(val_list* vals)
+static void print_log(const std::vector<IntrusivePtr<Val>>& vals)
 	{
 	auto plval = lookup_enum_val("Log", "PRINTLOG");
 	auto record = make_intrusive<RecordVal>(internal_type("Log::PrintLogInfo")->AsRecordType());
 	auto vec = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());
-	for ( const auto& val : *vals )
+	for ( const auto& val : vals )
 		{
 		ODesc d(DESC_READABLE);
 		val->Describe(&d);
@ -224,7 +216,8 @@ static void print_log(val_list* vals)
 	log_mgr->Write(plval.get(), record.get());
 	}
-IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
+IntrusivePtr<Val> PrintStmt::DoExec(std::vector<IntrusivePtr<Val>> vals,
                                    stmt_flow_type& /* flow */) const
 	{
 	RegisterAccess();
@ -234,9 +227,9 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 	BroFile* f = print_stdout;
 	int offset = 0;
-	if ( vals->length() > 0 && (*vals)[0]->Type()->Tag() == TYPE_FILE )
+	if ( vals.size() > 0 && (vals)[0]->Type()->Tag() == TYPE_FILE )
 		{
-		f = (*vals)[0]->AsFile();
+		f = (vals)[0]->AsFile();
 		if ( ! f->IsOpen() )
 			return nullptr;
@ -277,7 +270,7 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 		d.SetFlush(0);
 		d.SetStyle(style);
-		PrintVals(&d, vals, offset);
+		describe_vals(vals, &d, offset);
 		f->Write(d.Description(), d.Len());
 		}
 	else
@ -286,7 +279,7 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 		d.SetFlush(0);
 		d.SetStyle(style);
-		PrintVals(&d, vals, offset);
+		describe_vals(vals, &d, offset);
 		f->Write("\n", 1);
 		}
@ -966,13 +959,11 @@ EventStmt::EventStmt(IntrusivePtr<EventExpr> arg_e)
 IntrusivePtr<Val> EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
-	val_list* args = eval_list(f, event_expr->Args());
+	auto args = eval_list(f, event_expr->Args());
 	auto h = event_expr->Handler();
-	if ( args )
+	if ( args && h )
-		{
+		mgr.Enqueue(h, std::move(*args));
 		mgr.QueueEvent(event_expr->Handler(), std::move(*args));
 		delete args;
 		}
 	flow = FLOW_NEXT;
 	return nullptr;
@ -1198,7 +1189,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
 		IterCookie* c = loop_vals->InitForIteration();
 		while ( (current_tev = loop_vals->NextEntry(k, c)) )
 			{
-			ListVal* ind_lv = tv->RecoverIndex(k);
+			auto ind_lv = tv->RecoverIndex(k);
 			delete k;
 			if ( value_var )
@ -1206,10 +1197,18 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
 			for ( int i = 0; i < ind_lv->Length(); i++ )
 				f->SetElement((*loop_vars)[i], ind_lv->Index(i)->Ref());
 			Unref(ind_lv);
 			flow = FLOW_NEXT;
-			ret = body->Exec(f, flow);
+
 			try
 				{
 				ret = body->Exec(f, flow);
 				}
 			catch ( InterpreterException& )
 				{
 				loop_vals->StopIteration(c);
 				throw;
 				}
 			if ( flow == FLOW_BREAK || flow == FLOW_RETURN )
 				{
--- a/src/Stmt.h
+++ b/src/Stmt.h
@ -95,10 +95,10 @@ protected:
 	~ExprListStmt() override;
 	IntrusivePtr<Val> Exec(Frame* f, stmt_flow_type& flow) const override;
-	virtual IntrusivePtr<Val> DoExec(val_list* vals, stmt_flow_type& flow) const = 0;
+	virtual IntrusivePtr<Val> DoExec(std::vector<IntrusivePtr<Val>> vals,
 	                                 stmt_flow_type& flow) const = 0;
 	void Describe(ODesc* d) const override;
 	void PrintVals(ODesc* d, val_list* vals, int offset) const;
 	IntrusivePtr<ListExpr> l;
 };
@ -109,7 +109,8 @@ public:
 	explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { }
 protected:
-	IntrusivePtr<Val> DoExec(val_list* vals, stmt_flow_type& flow) const override;
+	IntrusivePtr<Val> DoExec(std::vector<IntrusivePtr<Val>> vals,
 	                         stmt_flow_type& flow) const override;
 };
 class ExprStmt : public Stmt {
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@ -321,9 +321,14 @@ bool Trigger::Eval()
 		delete [] pname;
 #endif
-		trigger->Cache(frame->GetCall(), v.get());
+		auto queued = trigger->Cache(frame->GetCall(), v.get());
 		trigger->Release();
 		frame->ClearTrigger();
 		if ( ! queued && trigger->TimeoutValue() < 0 )
 			// Usually the parent-trigger would get unref'd either by
 			// its Eval() or its eventual Timeout(), but has neither
 			Unref(trigger);
 		}
 	Unref(f);
@ -368,9 +373,14 @@ void Trigger::Timeout()
 			DBG_LOG(DBG_NOTIFIERS, "%s: trigger has parent %s, caching timeout result", Name(), pname);
 			delete [] pname;
 #endif
-			trigger->Cache(frame->GetCall(), v.get());
+			auto queued = trigger->Cache(frame->GetCall(), v.get());
 			trigger->Release();
 			frame->ClearTrigger();
 			if ( ! queued && trigger->TimeoutValue() < 0 )
 				// Usually the parent-trigger would get unref'd either by
 				// its Eval() or its eventual Timeout(), but has neither
 				Unref(trigger);
 			}
 		}
@ -429,10 +439,10 @@ void Trigger::Attach(Trigger *trigger)
 	Hold();
 	}
-void Trigger::Cache(const CallExpr* expr, Val* v)
+bool Trigger::Cache(const CallExpr* expr, Val* v)
 	{
 	if ( disabled || ! v )
-		return;
+		return false;
 	ValCache::iterator i = cache.find(expr);
@ -448,6 +458,7 @@ void Trigger::Cache(const CallExpr* expr, Val* v)
 	Ref(v);
 	trigger_mgr->Queue(this);
 	return true;
 	}
--- a/src/Trigger.h
+++ b/src/Trigger.h
@ -59,8 +59,10 @@ public:
 	// to the given trigger.  Note, automatically calls Hold().
 	void Attach(Trigger* trigger);
-	// Cache for return values of delayed function calls.
+	// Cache for return values of delayed function calls.  Returns whether
-	void Cache(const CallExpr* expr, Val* val);
+	// the trigger is queued for later evaluation -- it may not be queued
 	// if the Val is null or it's disabled.
 	bool Cache(const CallExpr* expr, Val* val);
 	Val* Lookup(const CallExpr*);
 	// Disable this trigger completely. Needed because Unref'ing the trigger
--- a/src/Val.cc
+++ b/src/Val.cc
@ -532,12 +532,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 				{
 				auto lv = tval->RecoverIndex(k);
 				delete k;
-
+				Val* entry_key = lv->Length() == 1 ? lv->Index(0) : lv.get();
 				Val* entry_key;
 				if ( lv->Length() == 1 )
 					entry_key = lv->Index(0)->Ref();
 				else
 					entry_key = lv->Ref();
 				if ( tval->Type()->IsSet() )
 					BuildJSON(writer, entry_key, only_loggable, re);
@ -556,9 +551,6 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 					BuildJSON(writer, entry->Value(), only_loggable, re, key_str);
 					}
 				Unref(entry_key);
 				Unref(lv);
 				}
 			if ( tval->Type()->IsSet() )
@ -1537,9 +1529,8 @@ int TableVal::Assign(Val* index, HashKey* k, IntrusivePtr<Val> new_val)
 		{
 		if ( ! index )
 			{
-			Val* v = RecoverIndex(&k_copy);
+			auto v = RecoverIndex(&k_copy);
-			subnets->Insert(v, new_entry_val);
+			subnets->Insert(v.get(), new_entry_val);
 			Unref(v);
 			}
 		else
 			subnets->Insert(index, new_entry_val);
@ -1553,10 +1544,10 @@ int TableVal::Assign(Val* index, HashKey* k, IntrusivePtr<Val> new_val)
 	if ( change_func )
 		{
-		Val* change_index = index ? index->Ref() : RecoverIndex(&k_copy);
+		auto change_index = index ? IntrusivePtr<Val>{NewRef{}, index}
 		                          : RecoverIndex(&k_copy);
 		Val* v = old_entry_val ? old_entry_val->Value() : new_val.get();
-		CallChangeFunc(change_index, v, old_entry_val ? ELEMENT_CHANGED : ELEMENT_NEW);
+		CallChangeFunc(change_index.get(), v, old_entry_val ? ELEMENT_CHANGED : ELEMENT_NEW);
 		Unref(change_index);
 		}
 	delete old_entry_val;
@ -1844,25 +1835,24 @@ IntrusivePtr<Val> TableVal::Default(Val* index)
 		}
 	const Func* f = def_val->AsFunc();
-	val_list vl;
+	zeek::Args vl;
 	if ( index->Type()->Tag() == TYPE_LIST )
 		{
 		const val_list* vl0 = index->AsListVal()->Vals();
-		vl = val_list(vl0->length());
+		vl.reserve(vl0->length());
 		for ( const auto& v : *vl0 )
-			vl.push_back(v->Ref());
+			vl.emplace_back(NewRef{}, v);
 		}
 	else
-		{
+		vl.emplace_back(NewRef{}, index);
 		vl = val_list{index->Ref()};
 		}
 	IntrusivePtr<Val> result;
 	try
 		{
-		result = f->Call(&vl);
+		result = f->Call(vl);
 		}
 	catch ( InterpreterException& e )
@ -1991,9 +1981,9 @@ bool TableVal::UpdateTimestamp(Val* index)
 	return true;
 	}
-ListVal* TableVal::RecoverIndex(const HashKey* k) const
+IntrusivePtr<ListVal> TableVal::RecoverIndex(const HashKey* k) const
 	{
-	return table_hash->RecoverVals(k).release();
+	return table_hash->RecoverVals(k);
 	}
 void TableVal::CallChangeFunc(const Val* index, Val* old_value, OnChangeType tpe)
@ -2020,34 +2010,35 @@ void TableVal::CallChangeFunc(const Val* index, Val* old_value, OnChangeType tpe
 			}
 		const Func* f = thefunc->AsFunc();
-		val_list vl { Ref() };
+		const auto& index_list = *index->AsListVal()->Vals();
-		IntrusivePtr<EnumVal> type;
+
 		zeek::Args vl;
 		vl.reserve(2 + index_list.length() + table_type->IsTable());
 		vl.emplace_back(NewRef{}, this);
 		switch ( tpe )
 			{
 			case ELEMENT_NEW:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_NEW);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_NEW));
 				break;
 			case ELEMENT_CHANGED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_CHANGED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_CHANGED));
 				break;
 			case ELEMENT_REMOVED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_REMOVED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_REMOVED));
 				break;
 			case ELEMENT_EXPIRED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_EXPIRED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_EXPIRED));
 			}
 		vl.append(type.release());
 		for ( const auto& v : *index->AsListVal()->Vals() )
-			vl.append(v->Ref());
+			vl.emplace_back(NewRef{}, v);
-		if ( ! table_type->IsSet() )
+		if ( table_type->IsTable() )
-			vl.append(old_value->Ref());
+			vl.emplace_back(NewRef{}, old_value);
 		in_change_func = true;
-		f->Call(&vl);
+		f->Call(vl);
 		}
 	catch ( InterpreterException& e )
 		{
@ -2344,11 +2335,12 @@ void TableVal::DoExpire(double t)
 		else if ( v->ExpireAccessTime() + timeout < t )
 			{
-			Val* idx = nullptr;
+			IntrusivePtr<ListVal> idx = nullptr;
 			if ( expire_func )
 				{
 				idx = RecoverIndex(k);
-				double secs = CallExpireFunc(idx->Ref());
+				double secs = CallExpireFunc(idx);
 				// It's possible that the user-provided
 				// function modified or deleted the table
@ -2359,7 +2351,6 @@ void TableVal::DoExpire(double t)
 				if ( ! v )
 					{ // user-provided function deleted it
 					v = v_saved;
 					Unref(idx);
 					delete k;
 					continue;
 					}
@ -2369,7 +2360,6 @@ void TableVal::DoExpire(double t)
 					// User doesn't want us to expire
 					// this now.
 					v->SetExpireAccess(network_time - timeout + secs);
 					Unref(idx);
 					delete k;
 					continue;
 					}
@ -2380,7 +2370,7 @@ void TableVal::DoExpire(double t)
 				{
 				if ( ! idx )
 					idx = RecoverIndex(k);
-				if ( ! subnets->Remove(idx) )
+				if ( ! subnets->Remove(idx.get()) )
 					reporter->InternalWarning("index not in prefix table");
 				}
@ -2389,9 +2379,9 @@ void TableVal::DoExpire(double t)
 				{
 				if ( ! idx )
 					idx = RecoverIndex(k);
-				CallChangeFunc(idx, v->Value(), ELEMENT_EXPIRED);
+				CallChangeFunc(idx.get(), v->Value(), ELEMENT_EXPIRED);
 				}
-			Unref(idx);
+
 			delete v;
 			modified = true;
 			}
@ -2439,13 +2429,10 @@ double TableVal::GetExpireTime()
 	return -1;
 	}
-double TableVal::CallExpireFunc(Val* idx)
+double TableVal::CallExpireFunc(IntrusivePtr<ListVal> idx)
 	{
 	if ( ! expire_func )
 		{
 		Unref(idx);
 		return 0;
 		}
 	double secs = 0;
@ -2454,54 +2441,46 @@ double TableVal::CallExpireFunc(Val* idx)
 		auto vf = expire_func->Eval(nullptr);
 		if ( ! vf )
 			{
 			// Will have been reported already.
 			Unref(idx);
 			return 0;
 			}
 		if ( vf->Type()->Tag() != TYPE_FUNC )
 			{
 			vf->Error("not a function");
 			Unref(idx);
 			return 0;
 			}
 		const Func* f = vf->AsFunc();
-		val_list vl { Ref() };
+		zeek::Args vl;
 		const auto func_args = f->FType()->ArgTypes()->Types();
 		// backwards compatibility with idx: any idiom
 		bool any_idiom = func_args->length() == 2 && func_args->back()->Tag() == TYPE_ANY;
-		if ( idx->Type()->Tag() == TYPE_LIST )
+		if ( ! any_idiom )
 			{
-			if ( ! any_idiom )
+			const auto& index_list = *idx->AsListVal()->Vals();
-				{
+			vl.reserve(1 + index_list.length());
-				for ( const auto& v : *idx->AsListVal()->Vals() )
+			vl.emplace_back(NewRef{}, this);
 					vl.append(v->Ref());
-				Unref(idx);
+			for ( const auto& v : index_list )
-				}
+				vl.emplace_back(NewRef{}, v);
 			else
 				{
 				ListVal* idx_list = idx->AsListVal();
 				// Flatten if only one element
 				if ( idx_list->Length() == 1 )
 					{
 					Val* old = idx;
 					idx = idx_list->Index(0)->Ref();
 					Unref(old);
 					}
 				vl.append(idx);
 				}
 			}
 		else
-			vl.append(idx);
+			{
 			vl.reserve(2);
 			vl.emplace_back(NewRef{}, this);
-		auto result = f->Call(&vl);
+			ListVal* idx_list = idx->AsListVal();
 			// Flatten if only one element
 			if ( idx_list->Length() == 1 )
 				vl.emplace_back(NewRef{}, idx_list->Index(0));
 			else
 				vl.emplace_back(std::move(idx));
 			}
 		auto result = f->Call(vl);
 		if ( result )
 			secs = result->AsInterval();
@ -2531,9 +2510,8 @@ IntrusivePtr<Val> TableVal::DoClone(CloneState* state)
 		if ( subnets )
 			{
-			Val* idx = RecoverIndex(key);
+			auto idx = RecoverIndex(key);
-			tv->subnets->Insert(idx, nval);
+			tv->subnets->Insert(idx.get(), nval);
 			Unref(idx);
 			}
 		delete key;
@ -2622,7 +2600,7 @@ TableVal::ParseTimeTableState TableVal::DumpTableState()
 	while ( (val = tbl->NextEntry(key, cookie)) )
 		{
-		rval.emplace_back(IntrusivePtr<Val>{AdoptRef{}, RecoverIndex(key)},
+		rval.emplace_back(RecoverIndex(key),
 		                  IntrusivePtr<Val>{NewRef{}, val->Value()});
 		delete key;
@ -3321,6 +3299,24 @@ void describe_vals(const val_list* vals, ODesc* d, int offset)
 		}
 	}
 void describe_vals(const std::vector<IntrusivePtr<Val>>& vals,
                   ODesc* d, size_t offset)
 	{
 	if ( ! d->IsReadable() )
 		{
 		d->Add(static_cast<uint64_t>(vals.size()));
 		d->SP();
 		}
 	for ( auto i = offset; i < vals.size(); ++i )
 		{
 		if ( i > offset && d->IsReadable() && d->Style() != RAW_STYLE )
 			d->Add(", ");
 		vals[i]->Describe(d);
 		}
 	}
 void delete_vals(val_list* vals)
 	{
 	if ( vals )
--- a/src/Val.h
+++ b/src/Val.h
@ -766,7 +766,7 @@ public:
 	bool UpdateTimestamp(Val* index);
 	// Returns the index corresponding to the given HashKey.
-	ListVal* RecoverIndex(const HashKey* k) const;
+	IntrusivePtr<ListVal> RecoverIndex(const HashKey* k) const;
 	// Returns the element if it was in the table, false otherwise.
 	IntrusivePtr<Val> Delete(const Val* index);
@ -851,8 +851,7 @@ protected:
 	double GetExpireTime();
 	// Calls &expire_func and returns its return interval;
-	// takes ownership of the reference.
+	double CallExpireFunc(IntrusivePtr<ListVal> idx);
 	double CallExpireFunc(Val *idx);
 	// Enum for the different kinds of changes an &on_change handler can see
 	enum OnChangeType { ELEMENT_NEW, ELEMENT_CHANGED, ELEMENT_REMOVED, ELEMENT_EXPIRED };
@ -1043,6 +1042,8 @@ extern int same_val(const Val* v1, const Val* v2);
 extern int same_atomic_val(const Val* v1, const Val* v2);
 extern bool is_atomic_val(const Val* v);
 extern void describe_vals(const val_list* vals, ODesc* d, int offset=0);
 extern void describe_vals(const std::vector<IntrusivePtr<Val>>& vals,
                          ODesc* d, size_t offset = 0);
 extern void delete_vals(val_list* vals);
 // True if the given Val* has a vector type.
--- a/src/ZeekArgs.cc
+++ b/src/ZeekArgs.cc
@ -0,0 +1,15 @@
 #include "ZeekArgs.h"
 #include "IntrusivePtr.h"
 #include "Val.h"
 zeek::Args zeek::val_list_to_args(const val_list& vl)
 	{
 	zeek::Args rval;
 	rval.reserve(vl.length());
 	for ( auto& v : vl )
 		rval.emplace_back(AdoptRef{}, v);
 	return rval;
 	}
--- a/src/ZeekArgs.h
+++ b/src/ZeekArgs.h
@ -0,0 +1,26 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 #include "BroList.h"
 #include <vector>
 class Val;
 template <class T> class IntrusivePtr;
 namespace zeek {
 using Args = std::vector<IntrusivePtr<Val>>;
 /**
 * Converts a legacy-style argument list for use in modern Zeek function
 * calling or event queueing APIs.
 * @param vl  the argument list to convert, the returned value takes ownership
 * of a reference to each element in the list
 * @return  the converted argument list
 *
 */
 Args val_list_to_args(const val_list& vl);
 } // namespace zeek
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@ -688,13 +688,12 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 		return;
 	EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
 	Ref(tval);
-	mgr.QueueEventFast(protocol_confirmation, {
+	mgr.Enqueue(protocol_confirmation,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		tval,
+		IntrusivePtr{NewRef{}, tval},
-		val_mgr->GetCount(id),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}
-	});
+	);
 	}
 void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -716,14 +715,13 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 		r = new StringVal(reason);
 	EnumVal* tval = tag.AsEnumVal();
 	Ref(tval);
-	mgr.QueueEventFast(protocol_violation, {
+	mgr.Enqueue(protocol_violation,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		tval,
+		IntrusivePtr{NewRef{}, tval},
-		val_mgr->GetCount(id),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)},
-		r,
+		IntrusivePtr{AdoptRef{}, r}
-	});
+	);
 	}
 void Analyzer::AddTimer(analyzer_timer_func timer, double t,
@ -805,17 +803,29 @@ void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)
 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
 	{
-	conn->ConnectionEvent(f, this, vl);
+	auto args = zeek::val_list_to_args(*vl);
 	if ( f )
 		conn->EnqueueEvent(f, this, std::move(args));
 	}
 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
 	{
-	conn->ConnectionEvent(f, this, std::move(vl));
+	auto args = zeek::val_list_to_args(vl);
 	if ( f )
 		conn->EnqueueEvent(f, this, std::move(args));
 	}
 void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl)
 	{
-	conn->ConnectionEventFast(f, this, std::move(vl));
+	auto args = zeek::val_list_to_args(vl);
 	conn->EnqueueEvent(f, this, std::move(args));
 	}
 void Analyzer::EnqueueConnEvent(EventHandlerPtr f, zeek::Args args)
 	{
 	conn->EnqueueEvent(f, this, std::move(args));
 	}
 void Analyzer::Weird(const char* name, const char* addl)
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@ -7,9 +7,12 @@
 #include "../Obj.h"
 #include "../EventHandler.h"
 #include "../Timer.h"
 #include "../IntrusivePtr.h"
 #include <list>
 #include <vector>
 #include <tuple>
 #include <type_traits>
 #include <sys/types.h> // for u_char
@ -567,20 +570,39 @@ public:
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
 	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list* vl);
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
 	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list vl);
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEventFast().
 	 */
 	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEventFast(EventHandlerPtr f, val_list vl);
 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::EnqueueEvent().
 	 */
 	void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args);
 	/**
 	 * A version of EnqueueConnEvent() taking a variable number of arguments.
 	 */
 	template <class... Args>
 	std::enable_if_t<
 	  std::is_convertible_v<
 	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
 	EnqueueConnEvent(EventHandlerPtr h, Args&&... args)
 		{ return EnqueueConnEvent(h, zeek::Args{std::forward<Args>(args)...}); }
 	/**
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Weird().
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@ -191,13 +191,13 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
 	if ( ! bad_arp )
 		return;
-	mgr.QueueEventFast(bad_arp, {
+	mgr.Enqueue(bad_arp,
-		ConstructAddrVal(ar_spa(hdr)),
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(ar_spa(hdr))},
-		EthAddrToStr((const u_char*) ar_sha(hdr)),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) ar_sha(hdr))},
-		ConstructAddrVal(ar_tpa(hdr)),
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(ar_tpa(hdr))},
-		EthAddrToStr((const u_char*) ar_tha(hdr)),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) ar_tha(hdr))},
-		new StringVal(msg),
+		make_intrusive<StringVal>(msg)
-	});
+	);
 	}
 void ARP_Analyzer::Corrupted(const char* msg)
@ -213,14 +213,14 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
 	if ( ! e )
 		return;
-	mgr.QueueEventFast(e, {
+	mgr.Enqueue(e,
-		EthAddrToStr(src),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr(src)},
-		EthAddrToStr(dst),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr(dst)},
-		ConstructAddrVal(spa),
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(spa)},
-		EthAddrToStr((const u_char*) sha),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) sha)},
-		ConstructAddrVal(tpa),
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(tpa)},
-		EthAddrToStr((const u_char*) tha),
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) tha)}
-	});
+	);
 	}
 AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@ -119,11 +119,9 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bittorrent_peer_weird )
-		{
+		EnqueueConnEvent(bittorrent_peer_weird,
-		ConnectionEventFast(bittorrent_peer_weird, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			val_mgr->GetBool(orig),
+			make_intrusive<StringVal>(msg)
-			new StringVal(msg),
+		);
 		});
 		}
 	}
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@ -246,13 +246,11 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
 void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bt_tracker_weird )
-		{
+		EnqueueConnEvent(bt_tracker_weird,
-		ConnectionEventFast(bt_tracker_weird, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			val_mgr->GetBool(orig),
+			make_intrusive<StringVal>(msg)
-			new StringVal(msg),
+		);
 		});
 		}
 	}
 bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@ -349,11 +347,11 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
 	ProtocolConfirmation();
 	if ( bt_tracker_request )
-		ConnectionEventFast(bt_tracker_request, {
+		EnqueueConnEvent(bt_tracker_request,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			req_val_uri,
+			IntrusivePtr{AdoptRef{}, req_val_uri},
-			req_val_headers,
+			IntrusivePtr{AdoptRef{}, req_val_headers}
-		});
+		);
 	req_val_uri = 0;
 	req_val_headers = 0;
@ -403,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			if ( res_status != 200 )
 				{
 				if ( bt_tracker_response_not_ok )
-					ConnectionEventFast(bt_tracker_response_not_ok, {
+					EnqueueConnEvent(bt_tracker_response_not_ok,
-						BuildConnVal(),
+						IntrusivePtr{AdoptRef{}, BuildConnVal()},
-						val_mgr->GetCount(res_status),
+						IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
-						res_val_headers,
+						IntrusivePtr{AdoptRef{}, res_val_headers}
-					});
+					);
 				res_val_headers = 0;
 				res_buf_pos = res_buf + res_buf_len;
 				res_state = BTT_RES_DONE;
@ -790,13 +788,13 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
 	ProtocolConfirmation();
 	if ( bt_tracker_response )
-		ConnectionEventFast(bt_tracker_response, {
+		EnqueueConnEvent(bt_tracker_response,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetCount(res_status),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
-			res_val_headers,
+			IntrusivePtr{AdoptRef{}, res_val_headers},
-			res_val_peers,
+			IntrusivePtr{AdoptRef{}, res_val_peers},
-			res_val_benc,
+			IntrusivePtr{AdoptRef{}, res_val_benc}
-		});
+		);
 	res_val_headers = 0;
 	res_val_peers = 0;
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@ -50,11 +50,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 	if ( ! f )
 		return;
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		val_mgr->GetCount(threshold),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
-		val_mgr->GetBool(is_orig),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-	});
+	);
 	}
 void ConnSize_Analyzer::CheckThresholds(bool is_orig)
@ -92,11 +92,11 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
 		{
 		if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed )
 			{
-			ConnectionEventFast(conn_duration_threshold_crossed, {
+			EnqueueConnEvent(conn_duration_threshold_crossed,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					new Val(duration_thresh, TYPE_INTERVAL),
+					make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
-					val_mgr->GetBool(is_orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-			});
+			);
 			duration_thresh = 0;
 			}
 		}
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -48,14 +48,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	first_message = false;
 	if ( dns_message )
-		{
+		analyzer->EnqueueConnEvent(dns_message,
-		analyzer->ConnectionEventFast(dns_message, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
-			val_mgr->GetBool(is_query),
+			IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
-			msg.BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
-			val_mgr->GetCount(len),
+		);
 		});
 		}
 	// There is a great deal of non-DNS traffic that runs on port 53.
 	// This should weed out most of it.
@ -136,10 +134,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
 	{
 	if ( dns_end )
-		analyzer->ConnectionEventFast(dns_end, {
+		analyzer->EnqueueConnEvent(dns_end,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
-		});
+		);
 	return 1;
 	}
@ -341,13 +339,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 		default:
 			if ( dns_unknown_reply && ! msg->skip_event )
-				{
+				analyzer->EnqueueConnEvent(dns_unknown_reply,
-				analyzer->ConnectionEventFast(dns_unknown_reply, {
+					IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-					analyzer->BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-					msg->BuildHdrVal(),
+					IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
-					msg->BuildAnswerVal(),
+				);
 				});
 				}
 			analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
 			data += rdlength;
@ -556,14 +552,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 	}
 	if ( reply_event && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(reply_event,
-		analyzer->ConnectionEventFast(reply_event, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildAnswerVal(),
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1))
-			new StringVal(new BroString(name, name_end - name, 1)),
+		);
 		});
 		}
 	return 1;
 	}
@ -602,7 +596,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 	if ( dns_SOA_reply && ! msg->skip_event )
 		{
-		RecordVal* r = new RecordVal(dns_soa);
+		auto r = make_intrusive<RecordVal>(dns_soa);
 		r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1)));
 		r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1)));
 		r->Assign(2, val_mgr->GetCount(serial));
@ -611,12 +605,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 		r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
 		r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));
-		analyzer->ConnectionEventFast(dns_SOA_reply, {
+		analyzer->EnqueueConnEvent(dns_SOA_reply,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			r
+			std::move(r)
-		});
+		);
 		}
 	return 1;
@ -641,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");
 	if ( dns_MX_reply && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(dns_MX_reply,
-		analyzer->ConnectionEventFast(dns_MX_reply, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildAnswerVal(),
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
-			new StringVal(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
-			val_mgr->GetCount(preference),
+		);
 		});
 		}
 	return 1;
 	}
@ -684,17 +676,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");
 	if ( dns_SRV_reply && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(dns_SRV_reply,
-		analyzer->ConnectionEventFast(dns_SRV_reply, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildAnswerVal(),
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
-			new StringVal(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
-			val_mgr->GetCount(priority),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
-			val_mgr->GetCount(weight),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
-			val_mgr->GetCount(port),
+		);
 		});
 		}
 	return 1;
 	}
@ -707,13 +697,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
 	// out to the policy side of the house if rdlength > 0.
 	if ( dns_EDNS_addl && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(dns_EDNS_addl,
-		analyzer->ConnectionEventFast(dns_EDNS_addl, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
-			msg->BuildEDNS_Val(),
+		);
 		});
 		}
 	// Currently EDNS supports the movement of type:data pairs
 	// in the RR_DATA section.  Here's where we should put together
@ -786,11 +774,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 		tsig.orig_id = orig_id;
 		tsig.rr_error = rr_error;
-		analyzer->ConnectionEventFast(dns_TSIG_addl, {
+		analyzer->EnqueueConnEvent(dns_TSIG_addl,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildTSIG_Val(&tsig),
+			IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
-		});
+		);
 		}
 	return 1;
@ -887,12 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 		rrsig.signer_name = new BroString(name, name_end - name, 1);
 		rrsig.signature = sign;
-		analyzer->ConnectionEventFast(dns_RRSIG, {
+		analyzer->EnqueueConnEvent(dns_RRSIG,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildRRSIG_Val(&rrsig),
+			IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
-		});
+		);
 		}
 	return 1;
@ -982,12 +970,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 		dnskey.dprotocol = dprotocol;
 		dnskey.public_key = key;
-		analyzer->ConnectionEventFast(dns_DNSKEY, {
+		analyzer->EnqueueConnEvent(dns_DNSKEY,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildDNSKEY_Val(&dnskey),
+			IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
-		});
+		);
 		}
 	return 1;
@ -1014,7 +1002,7 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 	int typebitmaps_len = rdlength - (data - data_start);
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	while ( typebitmaps_len > 0 && len > 0 )
 		{
@ -1034,15 +1022,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 		}
 	if ( dns_NSEC )
-		analyzer->ConnectionEventFast(dns_NSEC, {
+		analyzer->EnqueueConnEvent(dns_NSEC,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			new StringVal(new BroString(name, name_end - name, 1)),
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
-			char_strings,
+			std::move(char_strings)
-		});
+		);
 	else
 		Unref(char_strings);
 	return 1;
 	}
@ -1122,12 +1108,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		nsec3.nsec_hash = hash_val;
 		nsec3.bitmaps = char_strings;
-		analyzer->ConnectionEventFast(dns_NSEC3, {
+		analyzer->EnqueueConnEvent(dns_NSEC3,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildNSEC3_Val(&nsec3),
+			IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
-		});
+		);
 		}
 	else
 		Unref(char_strings);
@ -1182,12 +1168,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
 		ds.digest_type = ds_dtype;
 		ds.digest_val = ds_digest;
-		analyzer->ConnectionEventFast(dns_DS, {
+		analyzer->EnqueueConnEvent(dns_DS,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildDS_Val(&ds),
+			IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
-		});
+		);
 		}
 	return 1;
@ -1205,14 +1191,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 	uint32_t addr = ExtractLong(data, len);
 	if ( dns_A_reply && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(dns_A_reply,
-		analyzer->ConnectionEventFast(dns_A_reply, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildAnswerVal(),
+			make_intrusive<AddrVal>(htonl(addr))
-			new AddrVal(htonl(addr)),
+		);
 		});
 		}
 	return 1;
 	}
@ -1241,15 +1225,14 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 		event = dns_AAAA_reply;
 	else
 		event = dns_A6_reply;
 	if ( event && ! msg->skip_event )
-		{
+		analyzer->EnqueueConnEvent(event,
-		analyzer->ConnectionEventFast(event, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			msg->BuildAnswerVal(),
+			make_intrusive<AddrVal>(addr)
-			new AddrVal(addr),
+		);
 		});
 		}
 	return 1;
 	}
@ -1311,21 +1294,19 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 		return 1;
 		}
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;
 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);
 	if ( dns_TXT_reply )
-		analyzer->ConnectionEventFast(dns_TXT_reply, {
+		analyzer->EnqueueConnEvent(dns_TXT_reply,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			char_strings,
+			std::move(char_strings)
-		});
+		);
 	else
 		Unref(char_strings);
 	return rdlength == 0;
 	}
@ -1341,21 +1322,19 @@ int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
 		return 1;
 		}
-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;
 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);
 	if ( dns_SPF_reply )
-		analyzer->ConnectionEventFast(dns_SPF_reply, {
+		analyzer->EnqueueConnEvent(dns_SPF_reply,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			char_strings,
+			std::move(char_strings)
-		});
+		);
 	else
 		Unref(char_strings);
 	return rdlength == 0;
 	}
@ -1391,14 +1370,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 	rdlength -= value->Len();
 	if ( dns_CAA_reply )
-		analyzer->ConnectionEventFast(dns_CAA_reply, {
+		analyzer->EnqueueConnEvent(dns_CAA_reply,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			msg->BuildHdrVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-			msg->BuildAnswerVal(),
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
-			val_mgr->GetCount(flags),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
-			new StringVal(tag),
+			make_intrusive<StringVal>(tag),
-			new StringVal(value),
+			make_intrusive<StringVal>(value)
-		});
+		);
 	else
 		{
 		delete tag;
@ -1419,13 +1398,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 	assert(event);
-	analyzer->ConnectionEventFast(event, {
+	analyzer->EnqueueConnEvent(event,
-		analyzer->BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-		msg->BuildHdrVal(),
+		IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
-		new StringVal(question_name),
+		make_intrusive<StringVal>(question_name),
-		val_mgr->GetCount(qtype),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
-		val_mgr->GetCount(qclass),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
-	});
+	);
 	}
--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@ -79,10 +79,10 @@ void File_Analyzer::Identify()
 	                               : *(matches.begin()->second.begin());
 	if ( file_transferred )
-		ConnectionEventFast(file_transferred, {
+		EnqueueConnEvent(file_transferred,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			new StringVal(buffer_len, buffer),
+			make_intrusive<StringVal>(buffer_len, buffer),
-			new StringVal("<unknown>"),
+			make_intrusive<StringVal>("<unknown>"),
-			new StringVal(match),
+			make_intrusive<StringVal>(match)
-		});
+		);
 	}
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@ -67,14 +67,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 			host = at + 1;
 		if ( finger_request )
-			{
+			EnqueueConnEvent(finger_request,
-			ConnectionEventFast(finger_request, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
-				val_mgr->GetBool(long_cnt),
+				make_intrusive<StringVal>(at - line, line),
-				new StringVal(at - line, line),
+				make_intrusive<StringVal>(end_of_line - host, host)
-				new StringVal(end_of_line - host, host),
+			);
 			});
 			}
 		Conn()->Match(Rule::FINGER, (const u_char *) line,
 			  end_of_line - line, true, true, 1, true);
@ -87,9 +85,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		if ( ! finger_reply )
 			return;
-		ConnectionEventFast(finger_reply, {
+		EnqueueConnEvent(finger_reply,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			new StringVal(end_of_line - line, line),
+			make_intrusive<StringVal>(end_of_line - line, line)
-		});
+		);
 		}
 	}
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -75,7 +75,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		// Could emit "ftp empty request/reply" weird, but maybe not worth it.
 		return;
-	val_list vl;
+	zeek::Args vl;
 	EventHandlerPtr f;
 	if ( orig )
@ -96,10 +96,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		else
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();
-		vl = val_list{
+		vl = {
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			cmd_str,
+			IntrusivePtr{AdoptRef{}, cmd_str},
-			new StringVal(end_of_line - line, line),
+			make_intrusive<StringVal>(end_of_line - line, line),
 		};
 		f = ftp_request;
@ -175,17 +175,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				}
 			}
-		vl = val_list{
+		vl = {
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetCount(reply_code),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
-			new StringVal(end_of_line - line, line),
+			make_intrusive<StringVal>(end_of_line - line, line),
-			val_mgr->GetBool(cont_resp),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
 		};
 		f = ftp_reply;
 		}
-	ConnectionEvent(f, std::move(vl));
+	EnqueueConnEvent(f, std::move(vl));
 	ForwardStream(length, data, orig);
 	}
--- a/src/analyzer/protocol/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
 		if ( Established() && gnutella_establish )
-			ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		else if ( ! Established () && gnutella_not_establish )
-			ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		}
 	if ( gnutella_partial_binary_msg )
@ -71,14 +71,12 @@ void Gnutella_Analyzer::Done()
 		for ( int i = 0; i < 2; ++i, p = resp_msg_state )
 			{
 			if ( ! p->msg_sent && p->msg_pos )
-				{
+				EnqueueConnEvent(gnutella_partial_binary_msg,
-				ConnectionEventFast(gnutella_partial_binary_msg, {
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					BuildConnVal(),
+					make_intrusive<StringVal>(p->msg),
-					new StringVal(p->msg),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
-					val_mgr->GetBool((i == 0)),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
-					val_mgr->GetCount(p->msg_pos),
+				);
 				});
 				}
 			else if ( ! p->msg_sent && p->payload_left )
 				SendEvents(p, (i == 0));
@ -120,9 +118,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
 		return 0;
 	if ( gnutella_http_notify )
-		{
+		EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
 		}
 	analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());
@ -180,13 +176,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 		else
 			{
 			if ( gnutella_text_msg )
-				{
+				EnqueueConnEvent(gnutella_text_msg,
-				ConnectionEventFast(gnutella_text_msg, {
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					val_mgr->GetBool(orig),
+					make_intrusive<StringVal>(ms->headers.data())
-					new StringVal(ms->headers.data()),
+				);
 				});
 				}
 			ms->headers = "";
 			state |= new_state;
@ -195,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 				{
 				sent_establish = 1;
-				ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+				EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 				}
 			}
 		}
@ -220,20 +214,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 		return;
 	if ( gnutella_binary_msg )
-		{
+		EnqueueConnEvent(gnutella_binary_msg,
-		ConnectionEventFast(gnutella_binary_msg, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
-			val_mgr->GetCount(p->msg_type),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
-			val_mgr->GetCount(p->msg_ttl),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
-			val_mgr->GetCount(p->msg_hops),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
-			val_mgr->GetCount(p->msg_len),
+			make_intrusive<StringVal>(p->payload),
-			new StringVal(p->payload),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
-			val_mgr->GetCount(p->payload_len),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
-			val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
-			val_mgr->GetBool((p->payload_left == 0)),
+		);
 		});
 		}
 	}
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -649,13 +649,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}
 	if ( http_message_done )
-		{
+		GetAnalyzer()->EnqueueConnEvent(http_message_done,
-		GetAnalyzer()->ConnectionEventFast(http_message_done, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
-			BuildMessageStat(interrupted, detail),
+		);
 		});
 		}
 	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
 	}
@ -682,12 +680,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 	current_entity = (HTTP_Entity*) entity;
 	if ( http_begin_entity )
-		{
+		analyzer->EnqueueConnEvent(http_begin_entity,
-		analyzer->ConnectionEventFast(http_begin_entity, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-			val_mgr->GetBool(is_orig),
+		);
 		});
 		}
 	}
 void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
@ -699,12 +695,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	header_length += ((HTTP_Entity*) entity)->HeaderLength();
 	if ( http_end_entity )
-		{
+		analyzer->EnqueueConnEvent(http_end_entity,
-		analyzer->ConnectionEventFast(http_end_entity, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-			val_mgr->GetBool(is_orig),
+		);
 		});
 		}
 	current_entity = (HTTP_Entity*) entity->Parent();
@ -740,27 +734,23 @@ void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
 void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
-		{
+		analyzer->EnqueueConnEvent(http_all_headers,
-		analyzer->ConnectionEventFast(http_all_headers, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
-			BuildHeaderTable(hlist),
+		);
 		});
 		}
 	if ( http_content_type )
 		{
 		StringVal* ty = current_entity->ContentType();
 		StringVal* subty = current_entity->ContentSubType();
 		ty->Ref();
 		subty->Ref();
-		analyzer->ConnectionEventFast(http_content_type, {
+		analyzer->EnqueueConnEvent(http_content_type,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			ty,
+			IntrusivePtr{NewRef{}, ty},
-			subty,
+			IntrusivePtr{NewRef{}, subty}
-		});
+		);
 		}
 	}
@ -1182,14 +1172,14 @@ void HTTP_Analyzer::GenStats()
 	{
 	if ( http_stats )
 		{
-		RecordVal* r = new RecordVal(http_stats_rec);
+		auto r = make_intrusive<RecordVal>(http_stats_rec);
 		r->Assign(0, val_mgr->GetCount(num_requests));
 		r->Assign(1, val_mgr->GetCount(num_replies));
 		r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
 		r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));
 		// DEBUG_MSG("%.6f http_stats\n", network_time);
-		ConnectionEventFast(http_stats, {BuildConnVal(), r});
+		EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
 		}
 	}
@ -1387,16 +1377,14 @@ void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
 void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
 	{
 	if ( http_event )
 		{
 		// DEBUG_MSG("%.6f http_event\n", network_time);
-		ConnectionEventFast(http_event, {
+		EnqueueConnEvent(http_event,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			new StringVal(category),
+			make_intrusive<StringVal>(category),
-			detail,
+			IntrusivePtr{AdoptRef{}, detail}
-		});
+		);
 		}
 	else
-		delete detail;
+		Unref(detail);
 	}
 StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
@ -1428,33 +1416,27 @@ void HTTP_Analyzer::HTTP_Request()
 		connect_request = true;
 	if ( http_request )
 		{
 		Ref(request_method);
 		// DEBUG_MSG("%.6f http_request\n", network_time);
-		ConnectionEventFast(http_request, {
+		EnqueueConnEvent(http_request,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			request_method,
+			IntrusivePtr{NewRef{}, request_method},
-			TruncateURI(request_URI->AsStringVal()),
+			IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
-			TruncateURI(unescaped_URI->AsStringVal()),
+			IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
-			new StringVal(fmt("%.1f", request_version.ToDouble())),
+			make_intrusive<StringVal>(fmt("%.1f", request_version.ToDouble()))
-		});
+		);
 		}
 	}
 void HTTP_Analyzer::HTTP_Reply()
 	{
 	if ( http_reply )
-		{
+		EnqueueConnEvent(http_reply,
-		ConnectionEventFast(http_reply, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
-			new StringVal(fmt("%.1f", reply_version.ToDouble())),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
 			val_mgr->GetCount(reply_code),
 			reply_reason_phrase ?
-				reply_reason_phrase->Ref() :
+				IntrusivePtr{NewRef{}, reply_reason_phrase} :
-				new StringVal("<empty>"),
+				make_intrusive<StringVal>("<empty>")
-		});
+		);
 		}
 	else
 		{
 		Unref(reply_reason_phrase);
@ -1524,12 +1506,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		RemoveSupportAnalyzer(content_line_resp);
 		if ( http_connection_upgrade )
-			{
+			EnqueueConnEvent(http_connection_upgrade,
-			ConnectionEventFast(http_connection_upgrade, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				make_intrusive<StringVal>(upgrade_protocol)
-				new StringVal(upgrade_protocol),
+			);
 			});
 			}
 		}
 	reply_code = 0;
@ -1690,26 +1670,24 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 		if ( DEBUG_http )
 			DEBUG_MSG("%.6f http_header\n", network_time);
-		ConnectionEventFast(http_header, {
+		EnqueueConnEvent(http_header,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			mime::new_string_val(h->get_name())->ToUpper(),
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
-			mime::new_string_val(h->get_value()),
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
-		});
+		);
 		}
 	}
 void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
-		{
+		EnqueueConnEvent(http_entity_data,
-		ConnectionEventFast(http_entity_data, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
-			val_mgr->GetCount(entity_data->Len()),
+			make_intrusive<StringVal>(entity_data)
-			new StringVal(entity_data),
+		);
 		});
 		}
 	else
 		delete entity_data;
 	}
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@ -202,22 +202,20 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
                              const IP_Hdr* ip_hdr)
    {
 	if ( icmp_sent )
-		{
+		EnqueueConnEvent(icmp_sent,
-		ConnectionEventFast(icmp_sent, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
+		);
 		});
 		}
 	if ( icmp_sent_payload )
 		{
 		BroString* payload = new BroString(data, min(len, caplen), 0);
-		ConnectionEventFast(icmp_sent_payload, {
+		EnqueueConnEvent(icmp_sent_payload,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
-			new StringVal(payload),
+			make_intrusive<StringVal>(payload)
-		});
+		);
 		}
 	}
@ -516,13 +514,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,
 	BroString* payload = new BroString(data, caplen, 0);
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
-		val_mgr->GetCount(iid),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
-		val_mgr->GetCount(iseq),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
-		new StringVal(payload),
+		make_intrusive<StringVal>(payload)
-	});
+	);
 	}
@ -544,21 +542,21 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(reachable) + sizeof(retrans);
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
-		val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
-		val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
-		new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
+		make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
-		new IntervalVal((double)ntohl(reachable), Milliseconds),
+		make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
-		new IntervalVal((double)ntohl(retrans), Milliseconds),
+		make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
-	});
+	);
 	}
@ -577,15 +575,15 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(in6_addr);
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
-		new AddrVal(tgtaddr),
+		make_intrusive<AddrVal>(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
-	});
+	);
 	}
@ -604,12 +602,12 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,
 	int opt_offset = sizeof(in6_addr);
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		new AddrVal(tgtaddr),
+		make_intrusive<AddrVal>(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
-	});
+	);
 	}
@ -631,13 +629,13 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,
 	int opt_offset = 2 * sizeof(in6_addr);
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		new AddrVal(tgtaddr),
+		make_intrusive<AddrVal>(tgtaddr),
-		new AddrVal(dstaddr),
+		make_intrusive<AddrVal>(dstaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
-	});
+	);
 	}
@ -649,11 +647,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 	if ( ! f )
 		return;
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-		BuildNDOptionsVal(caplen, data),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
-	});
+	);
 	}
@ -674,14 +672,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 		}
 	if ( f )
-		{
+		EnqueueConnEvent(f,
-		ConnectionEventFast(f, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
-			BuildICMPVal(icmpp, len, 0, ip_hdr),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
-			val_mgr->GetCount(icmpp->icmp_code),
+			IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
-			ExtractICMP4Context(caplen, data),
+		);
 		});
 		}
 	}
@ -714,14 +710,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 		}
 	if ( f )
-		{
+		EnqueueConnEvent(f,
-		ConnectionEventFast(f, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
-			BuildICMPVal(icmpp, len, 1, ip_hdr),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
-			val_mgr->GetCount(icmpp->icmp_code),
+			IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
-			ExtractICMP6Context(caplen, data),
+		);
 		});
 		}
 	}
 VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@ -84,11 +84,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			Weird("ident_request_addendum", s.CheckString());
 			}
-		ConnectionEventFast(ident_request, {
+		EnqueueConnEvent(ident_request,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetPort(local_port, TRANSPORT_TCP),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
-			val_mgr->GetPort(remote_port, TRANSPORT_TCP),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
-		});
+		);
 		did_deliver = true;
 		}
@ -145,12 +145,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		if ( is_error )
 			{
 			if ( ident_error )
-				ConnectionEventFast(ident_error, {
+				EnqueueConnEvent(ident_error,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetPort(local_port, TRANSPORT_TCP),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
-					val_mgr->GetPort(remote_port, TRANSPORT_TCP),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
-					new StringVal(end_of_line - line, line),
+					make_intrusive<StringVal>(end_of_line - line, line)
-				});
+				);
 			}
 		else
@ -178,13 +178,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			line = skip_whitespace(colon + 1, end_of_line);
-			ConnectionEventFast(ident_reply, {
+			EnqueueConnEvent(ident_reply,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetPort(local_port, TRANSPORT_TCP),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
-				val_mgr->GetPort(remote_port, TRANSPORT_TCP),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
-				new StringVal(end_of_line - line, line),
+				make_intrusive<StringVal>(end_of_line - line, line),
-				new StringVal(sys_type_s),
+				make_intrusive<StringVal>(sys_type_s)
-			});
+			);
 			}
 		}
 	}
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@ -233,13 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
-			ConnectionEventFast(irc_network_info, {
+			EnqueueConnEvent(irc_network_info,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				val_mgr->GetInt(users),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
-				val_mgr->GetInt(services),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
-				val_mgr->GetInt(servers),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
-			});
+			);
 			}
 			break;
@ -270,24 +270,23 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
 				if ( parts[i][0] == '@' )
 					parts[i] = parts[i].substr(1);
-				Val* idx = new StringVal(parts[i].c_str());
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
-				set->Assign(idx, 0);
+				set->Assign(idx.get(), 0);
 				Unref(idx);
 				}
-			ConnectionEventFast(irc_names_info, {
+			EnqueueConnEvent(irc_names_info,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(type.c_str()),
+				make_intrusive<StringVal>(type.c_str()),
-				new StringVal(channel.c_str()),
+				make_intrusive<StringVal>(channel.c_str()),
-				set,
+				std::move(set)
-			});
+			);
 			}
 			break;
@ -315,13 +314,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}
-			ConnectionEventFast(irc_server_info, {
+			EnqueueConnEvent(irc_server_info,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				val_mgr->GetInt(users),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
-				val_mgr->GetInt(services),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
-				val_mgr->GetInt(servers),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
-			});
+			);
 			}
 			break;
@ -337,11 +336,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( parts[i] == ":channels" )
 					channels = atoi(parts[i - 1].c_str());
-			ConnectionEventFast(irc_channel_info, {
+			EnqueueConnEvent(irc_channel_info,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				val_mgr->GetInt(channels),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
-			});
+			);
 			}
 			break;
@ -369,12 +368,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				break;
 				}
-			ConnectionEventFast(irc_global_users, {
+			EnqueueConnEvent(irc_global_users,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(eop - prefix, prefix),
+				make_intrusive<StringVal>(eop - prefix, prefix),
-				new StringVal(++msg),
+				make_intrusive<StringVal>(++msg)
-			});
+			);
 			break;
 			}
@ -394,12 +393,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
-			val_list vl(6);
+			zeek::Args vl;
-			vl.push_back(BuildConnVal());
+			vl.reserve(6);
-			vl.push_back(val_mgr->GetBool(orig));
+			vl.emplace_back(AdoptRef{}, BuildConnVal());
-			vl.push_back(new StringVal(parts[0].c_str()));
+			vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
-			vl.push_back(new StringVal(parts[1].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
-			vl.push_back(new StringVal(parts[2].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
 			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
 			parts.erase(parts.begin(), parts.begin() + 4);
@ -410,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( real_name[0] == ':' )
 				real_name = real_name.substr(1);
-			vl.push_back(new StringVal(real_name.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));
-			ConnectionEventFast(irc_whois_user_line, std::move(vl));
+			EnqueueConnEvent(irc_whois_user_line, std::move(vl));
 			}
 			break;
@ -433,11 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}
-			ConnectionEventFast(irc_whois_operator_line, {
+			EnqueueConnEvent(irc_whois_operator_line,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[0].c_str())
-			});
+			);
 			}
 			break;
@ -463,21 +463,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);
-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
-				Val* idx = new StringVal(parts[i].c_str());
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
-				set->Assign(idx, 0);
+				set->Assign(idx.get(), 0);
 				Unref(idx);
 				}
-			ConnectionEventFast(irc_whois_channel_line, {
+			EnqueueConnEvent(irc_whois_channel_line,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(nick.c_str()),
+				make_intrusive<StringVal>(nick.c_str()),
-				set,
+				std::move(set)
-			});
+			);
 			}
 			break;
@ -503,12 +502,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( *t == ':' )
 					++t;
-				ConnectionEventFast(irc_channel_topic, {
+				EnqueueConnEvent(irc_channel_topic,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					new StringVal(parts[1].c_str()),
+					make_intrusive<StringVal>(parts[1].c_str()),
-					new StringVal(t),
+					make_intrusive<StringVal>(t)
-				});
+				);
 				}
 			else
 				{
@ -537,19 +536,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[7][0] == ':' )
 				parts[7] = parts[7].substr(1);
-			ConnectionEventFast(irc_who_line, {
+			EnqueueConnEvent(irc_who_line,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str()),
-				new StringVal(parts[2].c_str()),
+				make_intrusive<StringVal>(parts[2].c_str()),
-				new StringVal(parts[3].c_str()),
+				make_intrusive<StringVal>(parts[3].c_str()),
-				new StringVal(parts[4].c_str()),
+				make_intrusive<StringVal>(parts[4].c_str()),
-				new StringVal(parts[5].c_str()),
+				make_intrusive<StringVal>(parts[5].c_str()),
-				new StringVal(parts[6].c_str()),
+				make_intrusive<StringVal>(parts[6].c_str()),
-				val_mgr->GetInt(atoi(parts[7].c_str())),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
-				new StringVal(parts[8].c_str()),
+				make_intrusive<StringVal>(parts[8].c_str())
-			});
+			);
 			}
 			break;
@ -559,25 +558,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 433:
 		case 436:
 			if ( irc_invalid_nick )
-				{
+				EnqueueConnEvent(irc_invalid_nick,
-				ConnectionEventFast(irc_invalid_nick, {
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
-					val_mgr->GetBool(orig),
+				);
 				});
 				}
 			break;
 		// Operator responses.
 		case 381:  // User is operator
 		case 491:  // user is not operator
 			if ( irc_oper_response )
-				{
+				EnqueueConnEvent(irc_oper_response,
-				ConnectionEventFast(irc_oper_response, {
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
-					val_mgr->GetBool(code == 381),
+				);
 				});
 				}
 			break;
 		case 670:
@ -588,13 +583,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// All other server replies.
 		default:
 			if ( irc_reply )
-				ConnectionEventFast(irc_reply, {
+				EnqueueConnEvent(irc_reply,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					new StringVal(prefix.c_str()),
+					make_intrusive<StringVal>(prefix.c_str()),
-					val_mgr->GetCount(code),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
-					new StringVal(params.c_str()),
+					make_intrusive<StringVal>(params.c_str())
-				});
+				);
 			break;
 		}
 		return;
@ -659,31 +654,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( irc_dcc_message )
-				ConnectionEventFast(irc_dcc_message, {
+				EnqueueConnEvent(irc_dcc_message,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					new StringVal(prefix.c_str()),
+					make_intrusive<StringVal>(prefix.c_str()),
-					new StringVal(target.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
-					new StringVal(parts[1].c_str()),
+					make_intrusive<StringVal>(parts[1].c_str()),
-					new StringVal(parts[2].c_str()),
+					make_intrusive<StringVal>(parts[2].c_str()),
-					new AddrVal(htonl(raw_ip)),
+					make_intrusive<AddrVal>(htonl(raw_ip)),
-					val_mgr->GetCount(atoi(parts[4].c_str())),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
-					parts.size() >= 6 ?
+					IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
 						val_mgr->GetCount(atoi(parts[5].c_str())) :
-						val_mgr->GetCount(0),
+						val_mgr->GetCount(0)}
-				});
+				);
 			}
 		else
 			{
 			if ( irc_privmsg_message )
-				ConnectionEventFast(irc_privmsg_message, {
+				EnqueueConnEvent(irc_privmsg_message,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					new StringVal(prefix.c_str()),
+					make_intrusive<StringVal>(prefix.c_str()),
-					new StringVal(target.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
-					new StringVal(message.c_str()),
+					make_intrusive<StringVal>(message.c_str())
-				});
+				);
 			}
 		}
@ -702,13 +697,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
-		ConnectionEventFast(irc_notice_message, {
+		EnqueueConnEvent(irc_notice_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(prefix.c_str()),
+			make_intrusive<StringVal>(prefix.c_str()),
-			new StringVal(target.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
-			new StringVal(message.c_str()),
+			make_intrusive<StringVal>(message.c_str())
-		});
+		);
 		}
 	else if ( irc_squery_message && command == "SQUERY" )
@ -726,34 +721,35 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);
-		ConnectionEventFast(irc_squery_message, {
+		EnqueueConnEvent(irc_squery_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(prefix.c_str()),
+			make_intrusive<StringVal>(prefix.c_str()),
-			new StringVal(target.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
-			new StringVal(message.c_str()),
+			make_intrusive<StringVal>(message.c_str())
-		});
+		);
 		}
 	else if ( irc_user_message && command == "USER" )
 		{
 		// extract username and real name
 		vector<string> parts = SplitWords(params, ' ');
-		val_list vl(6);
+		zeek::Args vl;
-		vl.push_back(BuildConnVal());
+		vl.reserve(6);
-		vl.push_back(val_mgr->GetBool(orig));
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
 		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
 		if ( parts.size() > 0 )
-			vl.push_back(new StringVal(parts[0].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		if ( parts.size() > 1 )
-			vl.push_back(new StringVal(parts[1].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		if ( parts.size() > 2 )
-			vl.push_back(new StringVal(parts[2].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		string realname;
 		for ( unsigned int i = 3; i < parts.size(); i++ )
@ -764,9 +760,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}
 		const char* name = realname.c_str();
-		vl.push_back(new StringVal(*name == ':' ? name + 1 : name));
+		vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));
-		ConnectionEventFast(irc_user_message, std::move(vl));
+		EnqueueConnEvent(irc_user_message, std::move(vl));
 		}
 	else if ( irc_oper_message && command == "OPER" )
@ -774,14 +770,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// extract username and password
 		vector<string> parts = SplitWords(params, ' ');
 		if ( parts.size() == 2 )
-			{
+			EnqueueConnEvent(irc_oper_message,
-			ConnectionEventFast(irc_oper_message, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				val_mgr->GetBool(orig),
+				make_intrusive<StringVal>(parts[0].c_str()),
-				new StringVal(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
-				new StringVal(parts[1].c_str()),
+			);
 			});
 			}
 		else
 			Weird("irc_invalid_oper_message_format");
@ -797,12 +791,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			return;
 			}
-		val_list vl(6);
+		zeek::Args vl;
-		vl.push_back(BuildConnVal());
+		vl.reserve(6);
-		vl.push_back(val_mgr->GetBool(orig));
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
-		vl.push_back(new StringVal(prefix.c_str()));
+		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
-		vl.push_back(new StringVal(parts[0].c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
-		vl.push_back(new StringVal(parts[1].c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
 		vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
 		if ( parts.size() > 2 )
 			{
 			string comment = parts[2];
@ -812,12 +808,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( comment[0] == ':' )
 				comment = comment.substr(1);
-			vl.push_back(new StringVal(comment.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
 			}
 		else
-			vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
-		ConnectionEventFast(irc_kick_message, std::move(vl));
+		EnqueueConnEvent(irc_kick_message, std::move(vl));
 		}
 	else if ( irc_join_message && command == "JOIN" )
@ -841,7 +837,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
 		vector<string> channels = SplitWords(parts[0], ',');
 		vector<string> passwords;
@ -865,11 +861,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(info);
 			}
-		ConnectionEventFast(irc_join_message, {
+		EnqueueConnEvent(irc_join_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			list,
+			std::move(list)
-		});
+		);
 		}
 	else if ( irc_join_message && command == "NJOIN" )
@ -886,13 +882,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[1] = parts[1].substr(1);
 		vector<string> users = SplitWords(parts[1], ',');
-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});
 		string empty_string = "";
 		for ( unsigned int i = 0; i < users.size(); ++i )
 			{
-			RecordVal* info = new RecordVal(irc_join_info);
+			auto info = make_intrusive<RecordVal>(irc_join_info);
 			string nick = users[i];
 			string mode = "none";
@ -922,15 +918,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
 			// User mode:
 			info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
-			list->Assign(info, 0);
+			list->Assign(info.get(), 0);
 			Unref(info);
 			}
-		ConnectionEventFast(irc_join_message, {
+		EnqueueConnEvent(irc_join_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			list,
+			std::move(list)
-		});
+		);
 		}
 	else if ( irc_part_message && command == "PART" )
@ -957,22 +952,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			nick = nick.substr(0, pos);
 		vector<string> channelList = SplitWords(channels, ',');
-		TableVal* set = new TableVal({NewRef{}, string_set});
+		auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});
 		for ( unsigned int i = 0; i < channelList.size(); ++i )
 			{
-			Val* idx = new StringVal(channelList[i].c_str());
+			auto idx = make_intrusive<StringVal>(channelList[i].c_str());
-			set->Assign(idx, 0);
+			set->Assign(idx.get(), 0);
 			Unref(idx);
 			}
-		ConnectionEventFast(irc_part_message, {
+		EnqueueConnEvent(irc_part_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(nick.c_str()),
+			make_intrusive<StringVal>(nick.c_str()),
-			set,
+			std::move(set),
-			new StringVal(message.c_str()),
+			make_intrusive<StringVal>(message.c_str())
-		});
+		);
 		}
 	else if ( irc_quit_message && command == "QUIT" )
@ -989,12 +983,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}
-		ConnectionEventFast(irc_quit_message, {
+		EnqueueConnEvent(irc_quit_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(nickname.c_str()),
+			make_intrusive<StringVal>(nickname.c_str()),
-			new StringVal(message.c_str()),
+			make_intrusive<StringVal>(message.c_str())
-		});
+		);
 		}
 	else if ( irc_nick_message && command == "NICK" )
@ -1003,12 +997,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( nick[0] == ':' )
 			nick = nick.substr(1);
-		ConnectionEventFast(irc_nick_message, {
+		EnqueueConnEvent(irc_nick_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(prefix.c_str()),
+			make_intrusive<StringVal>(prefix.c_str()),
-			new StringVal(nick.c_str())
+			make_intrusive<StringVal>(nick.c_str())
-		});
+		);
 		}
 	else if ( irc_who_message && command == "WHO" )
@ -1028,14 +1022,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);
-		ConnectionEventFast(irc_who_message, {
+		EnqueueConnEvent(irc_who_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
 			parts.size() > 0 ?
-				new StringVal(parts[0].c_str()) :
+				make_intrusive<StringVal>(parts[0].c_str()) :
-				val_mgr->GetEmptyString(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
-			val_mgr->GetBool(oper),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
-		});
+		);
 		}
 	else if ( irc_whois_message && command == "WHOIS" )
@ -1058,12 +1052,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			users = parts[0];
-		ConnectionEventFast(irc_whois_message, {
+		EnqueueConnEvent(irc_whois_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(server.c_str()),
+			make_intrusive<StringVal>(server.c_str()),
-			new StringVal(users.c_str()),
+			make_intrusive<StringVal>(users.c_str())
-		});
+		);
 		}
 	else if ( irc_error_message && command == "ERROR" )
@ -1071,12 +1065,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( params[0] == ':' )
 			params = params.substr(1);
-		ConnectionEventFast(irc_error_message, {
+		EnqueueConnEvent(irc_error_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(prefix.c_str()),
+			make_intrusive<StringVal>(prefix.c_str()),
-			new StringVal(params.c_str()),
+			make_intrusive<StringVal>(params.c_str())
-		});
+		);
 		}
 	else if ( irc_invite_message && command == "INVITE" )
@ -1087,13 +1081,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[1].size() > 0 && parts[1][0] == ':' )
 				parts[1] = parts[1].substr(1);
-			ConnectionEventFast(irc_invite_message, {
+			EnqueueConnEvent(irc_invite_message,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(prefix.c_str()),
+				make_intrusive<StringVal>(prefix.c_str()),
-				new StringVal(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
-			});
+			);
 			}
 		else
 			Weird("irc_invalid_invite_message_format");
@ -1102,14 +1096,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_mode_message && command == "MODE" )
 		{
 		if ( params.size() > 0 )
-			{
+			EnqueueConnEvent(irc_mode_message,
-			ConnectionEventFast(irc_mode_message, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				val_mgr->GetBool(orig),
+				make_intrusive<StringVal>(prefix.c_str()),
-				new StringVal(prefix.c_str()),
+				make_intrusive<StringVal>(params.c_str())
-				new StringVal(params.c_str()),
+			);
 			});
 			}
 		else
 			Weird("irc_invalid_mode_message_format");
@ -1117,11 +1109,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_password_message && command == "PASS" )
 		{
-		ConnectionEventFast(irc_password_message, {
+		EnqueueConnEvent(irc_password_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(params.c_str()),
+			make_intrusive<StringVal>(params.c_str())
-		});
+		);
 		}
 	else if ( irc_squit_message && command == "SQUIT" )
@ -1139,13 +1131,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				message = message.substr(1);
 			}
-		ConnectionEventFast(irc_squit_message, {
+		EnqueueConnEvent(irc_squit_message,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-			new StringVal(prefix.c_str()),
+			make_intrusive<StringVal>(prefix.c_str()),
-			new StringVal(server.c_str()),
+			make_intrusive<StringVal>(server.c_str()),
-			new StringVal(message.c_str()),
+			make_intrusive<StringVal>(message.c_str())
-		});
+		);
 		}
@ -1153,13 +1145,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_request )
 			{
-			ConnectionEventFast(irc_request, {
+			EnqueueConnEvent(irc_request,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(prefix.c_str()),
+				make_intrusive<StringVal>(prefix.c_str()),
-				new StringVal(command.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
-				new StringVal(params.c_str()),
+				make_intrusive<StringVal>(params.c_str())
-			});
+			);
 			}
 		}
@ -1167,13 +1159,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_message )
 			{
-			ConnectionEventFast(irc_message, {
+			EnqueueConnEvent(irc_message,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-				new StringVal(prefix.c_str()),
+				make_intrusive<StringVal>(prefix.c_str()),
-				new StringVal(command.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
-				new StringVal(params.c_str()),
+				make_intrusive<StringVal>(params.c_str())
-			});
+			);
 			}
 		}
@ -1203,7 +1195,7 @@ void IRC_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 	if ( irc_starttls )
-		ConnectionEventFast(irc_starttls, {BuildConnVal()});
+		EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@ -290,9 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
 	else if ( IsSkipAuthentication(line) )
 		{
 		if ( authentication_skipped )
-			{
+			EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 			ConnectionEventFast(authentication_skipped, {BuildConnVal()});
 			}
 		state = LOGIN_STATE_SKIP;
 		SetSkip(1);
@ -333,28 +331,22 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 			}
 		else if ( login_terminal && streq(name, "TERM") )
-			{
+			EnqueueConnEvent(login_terminal,
-			ConnectionEventFast(login_terminal, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				make_intrusive<StringVal>(val)
-				new StringVal(val),
+			);
 			});
 			}
 		else if ( login_display && streq(name, "DISPLAY") )
-			{
+			EnqueueConnEvent(login_display,
-			ConnectionEventFast(login_display, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				make_intrusive<StringVal>(val)
-				new StringVal(val),
+			);
 			});
 			}
 		else if ( login_prompt && streq(name, "TTYPROMPT") )
-			{
+			EnqueueConnEvent(login_prompt,
-			ConnectionEventFast(login_prompt, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				make_intrusive<StringVal>(val)
-				new StringVal(val),
+			);
 			});
 			}
 		}
 	delete [] name;
@ -427,13 +419,14 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
 	Val* password = HaveTypeahead() ?
 				PopUserTextVal() : new StringVal("<none>");
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		username->Ref(),
+		IntrusivePtr{NewRef{}, username},
-		client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
+		client_name ? IntrusivePtr{NewRef{}, client_name}
-		password,
+		            : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
-		new StringVal(line),
+		IntrusivePtr{AdoptRef{}, password},
-	});
+		make_intrusive<StringVal>(line)
 	);
 	}
 const char* Login_Analyzer::GetUsername(const char* line) const
@ -449,10 +442,10 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
 	if ( ! f )
 		return;
-	ConnectionEventFast(f, {
+	EnqueueConnEvent(f,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		new StringVal(line),
+		make_intrusive<StringVal>(line)
-	});
+	);
 	}
@ -461,13 +454,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 	state = LOGIN_STATE_CONFUSED;	// to suppress further messages
 	if ( login_confused )
-		{
+		EnqueueConnEvent(login_confused,
-		ConnectionEventFast(login_confused, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			make_intrusive<StringVal>(msg),
-			new StringVal(msg),
+			make_intrusive<StringVal>(line)
-			new StringVal(line),
+		);
 		});
 		}
 	if ( login_confused_text )
 		{
@ -487,12 +478,10 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 void Login_Analyzer::ConfusionText(const char* line)
 	{
 	if ( login_confused_text )
-		{
+		EnqueueConnEvent(login_confused_text,
-		ConnectionEventFast(login_confused_text, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			make_intrusive<StringVal>(line)
-			new StringVal(line),
+		);
 		});
 		}
 	}
 int Login_Analyzer::IsPloy(const char* line)
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@ -462,12 +462,10 @@ const char* NVT_Analyzer::PeerAuthName() const
 void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
 	{
 	if ( login_terminal )
-		{
+		EnqueueConnEvent(login_terminal,
-		ConnectionEventFast(login_terminal, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			make_intrusive<StringVal>(new BroString(terminal, len, 0))
-			new StringVal(new BroString(terminal, len, 0)),
+		);
 		});
 		}
 	}
 void NVT_Analyzer::SetEncrypting(int mode)
--- a/src/analyzer/protocol/login/RSH.cc
+++ b/src/analyzer/protocol/login/RSH.cc
@ -168,27 +168,37 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			return;
 		}
-	val_list vl(4 + orig);
+	zeek::Args vl;
 	vl.reserve(4 + orig);
 	const char* line = (const char*) data;
 	line = skip_whitespace(line);
-	vl.push_back(BuildConnVal());
+	vl.emplace_back(AdoptRef{}, BuildConnVal());
-	vl.push_back(client_name ? client_name->Ref() : new StringVal("<none>"));
+
-	vl.push_back(username ? username->Ref() : new StringVal("<none>"));
+	if ( client_name )
-	vl.push_back(new StringVal(line));
+		vl.emplace_back(NewRef{}, client_name);
 	else
 		vl.emplace_back(make_intrusive<StringVal>("<none>"));
 	if ( username )
 		vl.emplace_back(NewRef{}, username);
 	else
 		vl.emplace_back(make_intrusive<StringVal>("<none>"));
 	vl.emplace_back(make_intrusive<StringVal>(line));
 	if ( orig )
 		{
 		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
 			// First input
-			vl.push_back(val_mgr->GetTrue());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
 		else
-			vl.push_back(val_mgr->GetFalse());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());
-		ConnectionEventFast(rsh_request, std::move(vl));
+		EnqueueConnEvent(rsh_request, std::move(vl));
 		}
 	else
-		ConnectionEventFast(rsh_reply, std::move(vl));
+		EnqueueConnEvent(rsh_reply, std::move(vl));
 	}
 void Rsh_Analyzer::ClientUserName(const char* s)
--- a/src/analyzer/protocol/login/Rlogin.cc
+++ b/src/analyzer/protocol/login/Rlogin.cc
@ -244,10 +244,8 @@ void Rlogin_Analyzer::ServerUserName(const char* s)
 void Rlogin_Analyzer::TerminalType(const char* s)
 	{
 	if ( login_terminal )
-		{
+		EnqueueConnEvent(login_terminal,
-		ConnectionEventFast(login_terminal, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			make_intrusive<StringVal>(s)
-			new StringVal(s),
+		);
 		});
 		}
 	}
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@ -1365,11 +1365,11 @@ void MIME_Mail::Done()
 		hash_final(md5_hash, digest);
 		md5_hash = nullptr;
-		analyzer->ConnectionEventFast(mime_content_hash, {
+		analyzer->EnqueueConnEvent(mime_content_hash,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			val_mgr->GetCount(content_hash_length),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
-			new StringVal(new BroString(1, digest, 16)),
+			make_intrusive<StringVal>(new BroString(1, digest, 16))
-		});
+		);
 		}
 	MIME_Message::Done();
@ -1393,7 +1393,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
 	cur_entity_id.clear();
 	if ( mime_begin_entity )
-		analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
 	buffer_start = data_start = 0;
 	ASSERT(entity_content.size() == 0);
@ -1405,11 +1405,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		{
 		BroString* s = concatenate(entity_content);
-		analyzer->ConnectionEventFast(mime_entity_data, {
+		analyzer->EnqueueConnEvent(mime_entity_data,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			val_mgr->GetCount(s->Len()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
-			new StringVal(s),
+			make_intrusive<StringVal>(s)
-		});
+		);
 		if ( ! mime_all_data )
 			delete_strings(entity_content);
@ -1418,7 +1418,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		}
 	if ( mime_end_entity )
-		analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
 	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
@ -1427,23 +1427,19 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 void MIME_Mail::SubmitHeader(MIME_Header* h)
 	{
 	if ( mime_one_header )
-		{
+		analyzer->EnqueueConnEvent(mime_one_header,
-		analyzer->ConnectionEventFast(mime_one_header, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
-			BuildHeaderVal(h),
+		);
 		});
 		}
 	}
 void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 	{
 	if ( mime_all_headers )
-		{
+		analyzer->EnqueueConnEvent(mime_all_headers,
-		analyzer->ConnectionEventFast(mime_all_headers, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
-			BuildHeaderTable(hlist),
+		);
 		});
 		}
 	}
 void MIME_Mail::SubmitData(int len, const char* buf)
@ -1476,11 +1472,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		const char* data = (char*) data_buffer->Bytes() + data_start;
 		int data_len = (buf + len) - data;
-		analyzer->ConnectionEventFast(mime_segment_data, {
+		analyzer->EnqueueConnEvent(mime_segment_data,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			val_mgr->GetCount(data_len),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
-			new StringVal(data_len, data),
+			make_intrusive<StringVal>(data_len, data)
-		});
+		);
 		}
 	cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1523,11 +1519,11 @@ void MIME_Mail::SubmitAllData()
 		BroString* s = concatenate(all_content);
 		delete_strings(all_content);
-		analyzer->ConnectionEventFast(mime_all_data, {
+		analyzer->EnqueueConnEvent(mime_all_data,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			val_mgr->GetCount(s->Len()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
-			new StringVal(s),
+			make_intrusive<StringVal>(s)
-		});
+		);
 		}
 	}
@ -1551,11 +1547,9 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 	}
 	if ( mime_event )
-		{
+		analyzer->EnqueueConnEvent(mime_event,
-		analyzer->ConnectionEventFast(mime_event, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			make_intrusive<StringVal>(category),
-			new StringVal(category),
+			make_intrusive<StringVal>(detail)
-			new StringVal(detail),
+		);
 		});
 		}
 	}
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@ -62,26 +62,21 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 	if ( f )
 		{
 		if ( frame->is_orig() )
-			{
+			analyzer->EnqueueConnEvent(f,
-			analyzer->ConnectionEventFast(f, {
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-				analyzer->BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
-				val_mgr->GetCount(frame->frame_type()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
-				val_mgr->GetCount(frame->body_length()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
-				val_mgr->GetCount(req_func),
+			);
 			});
 			}
 		else
-			{
+			analyzer->EnqueueConnEvent(f,
-			analyzer->ConnectionEventFast(f, {
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-				analyzer->BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
-				val_mgr->GetCount(frame->frame_type()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
-				val_mgr->GetCount(frame->body_length()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
-				val_mgr->GetCount(req_frame_type),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
-				val_mgr->GetCount(req_func),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
-				val_mgr->GetCount(frame->reply()->completion_code()),
+			);
 			});
 			}
 		}
 	}
--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@ -59,14 +59,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
 				const u_char* data, int len, int is_query)
 	{
 	if ( netbios_session_message )
-		{
+		analyzer->EnqueueConnEvent(netbios_session_message,
-		analyzer->ConnectionEventFast(netbios_session_message, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
-			val_mgr->GetBool(is_query),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
-			val_mgr->GetCount(type),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
-			val_mgr->GetCount(len),
+		);
 		});
 		}
 	switch ( type ) {
 	case NETBIOS_SSN_MSG:
@ -331,18 +329,16 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
 		return;
 	if ( is_orig >= 0 )
-		{
+		analyzer->EnqueueConnEvent(event,
-		analyzer->ConnectionEventFast(event, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			val_mgr->GetBool(is_orig),
+			make_intrusive<StringVal>(new BroString(data, len, 0))
-			new StringVal(new BroString(data, len, 0)),
+		);
 		});
 		}
 	else
-		analyzer->ConnectionEventFast(event, {
+		analyzer->EnqueueConnEvent(event,
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			new StringVal(new BroString(data, len, 0)),
+			make_intrusive<StringVal>(new BroString(data, len, 0))
-		});
+		);
 	}
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@ -157,12 +157,11 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 			{
 			// Queue late match event
 			EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
 			Ref(tval);
-			mgr.QueueEventFast(protocol_late_match, {
+			mgr.Enqueue(protocol_late_match,
-			    BuildConnVal(),
+			    IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			    tval,
+			    IntrusivePtr{NewRef{}, tval}
-			});
+			);
 			}
 		pkt_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
@ -306,12 +305,11 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 			{
 			// Queue late match event
 			EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
 			Ref(tval);
-			mgr.QueueEventFast(protocol_late_match, {
+			mgr.Enqueue(protocol_late_match,
-			    BuildConnVal(),
+			    IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			    tval
+			    IntrusivePtr{NewRef{}, tval}
-			});
+			);
 			}
 		stream_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@ -830,7 +830,7 @@ void POP3_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 	if ( pop3_starttls )
-		ConnectionEventFast(pop3_starttls, {BuildConnVal()});
+		EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
 void POP3_Analyzer::AuthSuccessfull()
@ -920,14 +920,16 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
 	if ( ! event )
 		return;
-	val_list vl(2 + (bool)arg1 + (bool)arg2);
+	zeek::Args vl;
 	vl.reserve(2 + (bool)arg1 + (bool)arg2);
 	vl.emplace_back(AdoptRef{}, BuildConnVal());
 	vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));
 	vl.push_back(BuildConnVal());
 	vl.push_back(val_mgr->GetBool(is_orig));
 	if ( arg1 )
-		vl.push_back(new StringVal(arg1));
+		vl.emplace_back(make_intrusive<StringVal>(arg1));
 	if ( arg2 )
-		vl.push_back(new StringVal(arg2));
+		vl.emplace_back(make_intrusive<StringVal>(arg2));
-	ConnectionEventFast(event, std::move(vl));
+	EnqueueConnEvent(event, std::move(vl));
 	}
--- a/src/analyzer/protocol/rpc/MOUNT.cc
+++ b/src/analyzer/protocol/rpc/MOUNT.cc
@ -96,7 +96,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 		{
 		auto vl = event_common_vl(c, rpc_status, mount_status,
 					   start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(mount_reply_status, std::move(vl));
 		}
 	if ( ! rpc_success )
@ -169,19 +169,19 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
 	return 1;
 	}
-val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c, 
+zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 		      BifEnum::rpc_status rpc_status,
 				      BifEnum::MOUNT3::status_t mount_status,
 				      double rep_start_time,
@ -189,16 +189,17 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	{
 	// Returns a new val_list that already has a conn_val, and mount3_info.
 	// These are the first parameters for each mount_* event ...
-	val_list vl(2 + extra_elements);
+	zeek::Args vl;
-	vl.push_back(analyzer->BuildConnVal());
+	vl.reserve(2 + extra_elements);
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
 	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
 	for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
 		{
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
 		}
-	RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -211,9 +212,9 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));
-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}
--- a/src/analyzer/protocol/rpc/MOUNT.h
+++ b/src/analyzer/protocol/rpc/MOUNT.h
@ -16,10 +16,10 @@ protected:
 				const u_char*& buf, int& n, double start_time,
 				double last_time, int reply_len) override;
-	// Returns a new val_list that already has a conn_val, rpc_status and
+	// Returns a new arg list that already has a conn_val, rpc_status and
 	// mount_status. These are the first parameters for each mount_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::MOUNT3::status_t mount_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@ -150,7 +150,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 		{
 		auto vl = event_common_vl(c, rpc_status, nfs_status,
 					       start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(nfs_reply_status, std::move(vl));
 		}
 	if ( ! rpc_success )
@ -281,12 +281,12 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 					start_time, last_time, reply_len, (bool)request + (bool)reply);
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
@ -318,21 +318,22 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
 	return 0;
 	}
-val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				      BifEnum::NFS3::status_t nfs_status,
 				      double rep_start_time,
 				      double rep_last_time, int reply_len, int extra_elements)
 	{
 	// Returns a new val_list that already has a conn_val, and nfs3_info.
 	// These are the first parameters for each nfs_* event ...
-	val_list vl(2 + extra_elements);
+	zeek::Args vl;
-	vl.push_back(analyzer->BuildConnVal());
+	vl.reserve(2 + extra_elements);
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
 	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());
 	for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
-	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -345,9 +346,9 @@ val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_st
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));
-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}
--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@ -20,7 +20,7 @@ protected:
 	// Returns a new val_list that already has a conn_val, rpc_status and
 	// nfs_status. These are the first parameters for each nfs_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::NFS3::status_t nfs_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
--- a/src/analyzer/protocol/rpc/Portmap.cc
+++ b/src/analyzer/protocol/rpc/Portmap.cc
@ -261,10 +261,10 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
 		{
 		if ( pm_bad_port )
 			{
-			analyzer->ConnectionEventFast(pm_bad_port, {
+			analyzer->EnqueueConnEvent(pm_bad_port,
-				analyzer->BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-				val_mgr->GetCount(port),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
-			});
+			);
 			}
 		port = 0;
@ -282,25 +282,26 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
 		return;
 		}
-	val_list vl;
+	zeek::Args vl;
-	vl.push_back(analyzer->BuildConnVal());
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
 	if ( status == BifEnum::RPC_SUCCESS )
 		{
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
 		}
 	else
 		{
-		vl.push_back(BifType::Enum::rpc_status->GetVal(status).release());
+		vl.emplace_back(BifType::Enum::rpc_status->GetVal(status));
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		}
-	analyzer->ConnectionEventFast(f, std::move(vl));
+	analyzer->EnqueueConnEvent(f, std::move(vl));
 	}
 Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@ -338,46 +338,40 @@ void RPC_Interpreter::Timeout()
 void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_dialogue )
-		{
+		analyzer->EnqueueConnEvent(rpc_dialogue,
-		analyzer->ConnectionEventFast(rpc_dialogue, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
-			val_mgr->GetCount(c->Program()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
-			val_mgr->GetCount(c->Version()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
-			val_mgr->GetCount(c->Proc()),
+			BifType::Enum::rpc_status->GetVal(status),
-			BifType::Enum::rpc_status->GetVal(status).release(),
+			make_intrusive<Val>(c->StartTime(), TYPE_TIME),
-			new Val(c->StartTime(), TYPE_TIME),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())},
-			val_mgr->GetCount(c->CallLen()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
-			val_mgr->GetCount(reply_len),
+		);
 		});
 		}
 	}
 void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
 	{
 	if ( rpc_call )
-		{
+		analyzer->EnqueueConnEvent(rpc_call,
-		analyzer->ConnectionEventFast(rpc_call, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->XID())},
-			val_mgr->GetCount(c->XID()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
-			val_mgr->GetCount(c->Program()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
-			val_mgr->GetCount(c->Version()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
-			val_mgr->GetCount(c->Proc()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())}
-			val_mgr->GetCount(c->CallLen()),
+		);
 		});
 		}
 	}
 void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_reply )
-		{
+		analyzer->EnqueueConnEvent(rpc_reply,
-		analyzer->ConnectionEventFast(rpc_reply, {
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
-			analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(xid)},
-			val_mgr->GetCount(xid),
+			BifType::Enum::rpc_status->GetVal(status),
-			BifType::Enum::rpc_status->GetVal(status).release(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
-			val_mgr->GetCount(reply_len),
+		);
 		});
 		}
 	}
 void RPC_Interpreter::Weird(const char* msg, const char* addl)
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@ -219,11 +219,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 			if ( smtp_data && ! skip_data )
 				{
-				ConnectionEventFast(smtp_data, {
+				EnqueueConnEvent(smtp_data,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					new StringVal(data_len, line),
+					make_intrusive<StringVal>(data_len, line)
-				});
+				);
 				}
 			}
@ -349,14 +349,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 						break;
 				}
-				ConnectionEventFast(smtp_reply, {
+				EnqueueConnEvent(smtp_reply,
-					BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
-					val_mgr->GetBool(orig),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
-					val_mgr->GetCount(reply_code),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
-					new StringVal(cmd),
+					make_intrusive<StringVal>(cmd),
-					new StringVal(end_of_line - line, line),
+					make_intrusive<StringVal>(end_of_line - line, line),
-					val_mgr->GetBool((pending_reply > 0)),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((pending_reply > 0))}
-				});
+				);
 				}
 			}
@ -410,7 +410,7 @@ void SMTP_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);
 	if ( smtp_starttls )
-		ConnectionEventFast(smtp_starttls, {BuildConnVal()});
+		EnqueueConnEvent(smtp_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}
@ -854,12 +854,17 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
 	ProtocolConfirmation();
 	if ( smtp_request )
-		ConnectionEventFast(smtp_request, {
+		{
-			BuildConnVal(),
+		auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
-			val_mgr->GetBool(orig_is_sender),
+		cmd_arg->ToUpper();
-			(new StringVal(cmd_len, cmd))->ToUpper(),
+
-			new StringVal(arg_len, arg),
+		EnqueueConnEvent(smtp_request,
-		});
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
 			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig_is_sender)},
 			std::move(cmd_arg),
 			make_intrusive<StringVal>(arg_len, arg)
 		);
 		}
 	}
 void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,12 +879,12 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
 		if ( ! orig_is_sender )
 			is_orig = ! is_orig;
-		ConnectionEventFast(smtp_unexpected, {
+		EnqueueConnEvent(smtp_unexpected,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			new StringVal(msg),
+			make_intrusive<StringVal>(msg),
-			new StringVal(detail_len, detail),
+			make_intrusive<StringVal>(detail_len, detail)
-		});
+		);
 		}
 	}
--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@ -135,10 +135,10 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
 		return;
 	if ( id2 >= 0 )
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)},
 		                                 IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id2)});
 	else
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)});
 	}
 void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
@ -146,11 +146,11 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
 	if ( ! stp_create_endp )
 		return;
-	endp->TCP()->ConnectionEventFast(stp_create_endp, {
+	endp->TCP()->EnqueueConnEvent(stp_create_endp,
-		endp->TCP()->BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
-		val_mgr->GetInt(stp_id),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetInt(stp_id)},
-		val_mgr->GetBool(is_orig),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-	});
+	);
 	}
 SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -785,17 +785,17 @@ void TCP_Analyzer::GeneratePacketEvent(
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags)
 	{
-	ConnectionEventFast(tcp_packet, {
+	EnqueueConnEvent(tcp_packet,
-		BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
-		val_mgr->GetBool(is_orig),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-		new StringVal(flags.AsString()),
+		make_intrusive<StringVal>(flags.AsString()),
-		val_mgr->GetCount(rel_seq),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(rel_seq)},
-		val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags.ACK() ? rel_ack : 0)},
-		val_mgr->GetCount(len),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
 		// We need the min() here because Ethernet padding can lead to
 		// caplen > len.
-		new StringVal(min(caplen, len), (const char*) data),
+		make_intrusive<StringVal>(min(caplen, len), (const char*) data)
-	});
+	);
 	}
 int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1101,12 +1101,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		            base_seq, ack_seq);
 		if ( connection_SYN_packet )
-			{
+			EnqueueConnEvent(connection_SYN_packet,
-			ConnectionEventFast(connection_SYN_packet, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				IntrusivePtr{NewRef{}, SYN_vals}
-				SYN_vals->Ref(),
+			);
 			});
 			}
 		Unref(SYN_vals);
 		}
@ -1347,17 +1345,17 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			{
 			auto kind = o[0];
 			auto length = kind < 2 ? 1 : o[1];
-			ConnectionEventFast(tcp_option, {
+			EnqueueConnEvent(tcp_option,
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				val_mgr->GetBool(is_orig),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-				val_mgr->GetCount(kind),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(kind)},
-				val_mgr->GetCount(length),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(length)}
-				});
+				);
 			}
 	if ( tcp_options )
 		{
-		auto option_list = new VectorVal(BifType::Vector::TCP::OptionList);
+		auto option_list = make_intrusive<VectorVal>(BifType::Vector::TCP::OptionList);
 		auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen)
 			{
@ -1460,11 +1458,11 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			}
 			}
-		ConnectionEventFast(tcp_options, {
+		EnqueueConnEvent(tcp_options,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-			option_list,
+			std::move(option_list)
-			});
+			);
 		}
 	if ( options < opt_end )
@ -1782,12 +1780,10 @@ int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
 void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	{
 	if ( connection_EOF )
-		{
+		EnqueueConnEvent(connection_EOF,
-		ConnectionEventFast(connection_EOF, {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())}
-			val_mgr->GetBool(endp->IsOrig()),
+		);
 		});
 		}
 	const analyzer_list& children(GetChildren());
 	LOOP_OVER_CONST_CHILDREN(i)
@ -2064,16 +2060,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caple
 		 	network_time, seq, len, max_top_seq, data_in_flight);
 		if ( tcp_rexmit )
-			{
+			endp->TCP()->EnqueueConnEvent(tcp_rexmit,
-			endp->TCP()->ConnectionEventFast(tcp_rexmit, {
+				IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
-				endp->TCP()->BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())},
-				val_mgr->GetBool(endp->IsOrig()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
-				val_mgr->GetCount(seq),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
-				val_mgr->GetCount(len),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_in_flight)},
-				val_mgr->GetCount(data_in_flight),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(endp->peer->window)}
-				val_mgr->GetCount(endp->peer->window),
+			);
 			});
 			}
 		}
 	else
 		max_top_seq = top_seq;
@ -2121,11 +2115,11 @@ void TCPStats_Analyzer::Done()
 	TCP_ApplicationAnalyzer::Done();
 	if ( conn_stats )
-		ConnectionEventFast(conn_stats, {
+		EnqueueConnEvent(conn_stats,
-			BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
-			orig_stats->BuildStats(),
+			IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()},
-			resp_stats->BuildStats(),
+			IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()}
-		});
+		);
 	}
 void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@ -237,13 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
 			reporter->Error("TCP contents write failed: %s", buf);
 			if ( contents_file_write_failure )
-				{
+				tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
-				tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
+					IntrusivePtr{AdoptRef{}, Conn()->BuildConnVal()},
-					Conn()->BuildConnVal(),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
-					val_mgr->GetBool(IsOrig()),
+					make_intrusive<StringVal>(buf)
-					new StringVal(buf),
+				);
 				});
 				}
 			}
 		}
--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@ -151,14 +151,12 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
 		endp->Gap(seq, len);
 	if ( report_gap(endp, endp->peer) )
-		{
+		dst_analyzer->EnqueueConnEvent(content_gap,
-		dst_analyzer->ConnectionEventFast(content_gap, {
+			IntrusivePtr{AdoptRef{}, dst_analyzer->BuildConnVal()},
-			dst_analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
-			val_mgr->GetBool(IsOrig()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
-			val_mgr->GetCount(seq),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
-			val_mgr->GetCount(len),
+		);
 		});
 		}
 	if ( type == Direct )
 		dst_analyzer->NextUndelivered(seq, len, IsOrig());
@ -363,13 +361,11 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, BroFile* f)
 	reporter->Error("TCP_Reassembler contents write failed");
 	if ( contents_file_write_failure )
-		{
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
-			Endpoint()->Conn()->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
-			val_mgr->GetBool(IsOrig()),
+			make_intrusive<StringVal>("TCP reassembler content write failure")
-			new StringVal("TCP reassembler content write failure"),
+		);
 		});
 		}
 	}
 void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f)
@ -380,13 +376,11 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile*
 	reporter->Error("TCP_Reassembler contents gap write failed");
 	if ( contents_file_write_failure )
-		{
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
-			Endpoint()->Conn()->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
-			val_mgr->GetBool(IsOrig()),
+			make_intrusive<StringVal>("TCP reassembler gap write failure")
-			new StringVal("TCP reassembler gap write failure"),
+		);
 		});
 		}
 	}
 void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it)
@ -462,12 +456,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n)
 		BroString* b1_s = new BroString((const u_char*) b1, n, 0);
 		BroString* b2_s = new BroString((const u_char*) b2, n, 0);
-		tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
+		tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency,
-			tcp_analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
-			new StringVal(b1_s),
+			make_intrusive<StringVal>(b1_s),
-			new StringVal(b2_s),
+			make_intrusive<StringVal>(b2_s),
-			new StringVal(flags.AsString()),
+			make_intrusive<StringVal>(flags.AsString())
-		});
+		);
 		}
 	}
@ -618,14 +612,12 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
 		}
 	if ( deliver_tcp_contents )
-		{
+		tcp_analyzer->EnqueueConnEvent(tcp_contents,
-		tcp_analyzer->ConnectionEventFast(tcp_contents, {
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
-			tcp_analyzer->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
-			val_mgr->GetBool(IsOrig()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
-			val_mgr->GetCount(seq),
+			make_intrusive<StringVal>(len, (const char*) data)
-			new StringVal(len, (const char*) data),
+		);
 		});
 		}
 	// Q. Can we say this because it is already checked in DataSent()?
 	// ASSERT(!Conn()->Skipping() && !SkipDeliveries());
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@ -153,13 +153,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			}
 		if ( do_udp_contents )
-			{
+			EnqueueConnEvent(udp_contents,
-			ConnectionEventFast(udp_contents, {
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
-				BuildConnVal(),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
-				val_mgr->GetBool(is_orig),
+				make_intrusive<StringVal>(len, (const char*) data)
-				new StringVal(len, (const char*) data),
+			);
 			});
 			}
 		Unref(port_val);
 		}
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@ -898,29 +898,14 @@ broker::expected<broker::data> bro_broker::val_to_data(const Val* v)
 		else
 			rval = broker::table();
-		struct iter_guard {
+		HashKey* hk;
 			iter_guard(HashKey* arg_k, ListVal* arg_lv)
 			    : k(arg_k), lv(arg_lv)
 				{}
 			~iter_guard()
 				{
 				delete k;
 				Unref(lv);
 				}
 			HashKey* k;
 			ListVal* lv;
 		};
 		HashKey* k;
 		TableEntryVal* entry;
 		auto c = table->InitForIteration();
-		while ( (entry = table->NextEntry(k, c)) )
+		while ( (entry = table->NextEntry(hk, c)) )
 			{
-			auto vl = table_val->RecoverIndex(k);
+			auto vl = table_val->RecoverIndex(hk);
-			iter_guard ig(k, vl);
+			delete hk;
 			broker::vector composite_key;
 			composite_key.reserve(vl->Length());
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@ -545,12 +545,8 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
 	std::string serial_data(data, len);
 	free(data);
-	val_list vl{
+	auto v = log_topic_func->Call(IntrusivePtr{NewRef{}, stream},
-		stream->Ref(),
+	                              make_intrusive<StringVal>(path));
 		new StringVal(path),
 	};
 	auto v = log_topic_func->Call(&vl);
 	if ( ! v )
 		{
@ -988,7 +984,8 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		return;
 		}
-	val_list vl(args.size());
+	zeek::Args vl;
 	vl.reserve(args.size());
 	for ( auto i = 0u; i < args.size(); ++i )
 		{
@ -997,7 +994,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		auto val = data_to_val(std::move(args[i]), expected_type);
 		if ( val )
-			vl.push_back(val.release());
+			vl.emplace_back(std::move(val));
 		else
 			{
 			auto expected_name = type_name(expected_type->Tag());
@ -1018,13 +1015,8 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 			}
 		}
-	if ( static_cast<size_t>(vl.length()) == args.size() )
+	if ( vl.size() == args.size() )
-		mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER);
+		mgr.Enqueue(handler, std::move(vl), SOURCE_BROKER);
 	else
 		{
 		for ( const auto& v : vl )
 			Unref(v);
 		}
 	}
 bool bro_broker::Manager::ProcessLogCreate(broker::zeek::LogCreate lc)
@ -1247,7 +1239,7 @@ void Manager::ProcessStatus(broker::status stat)
 		return;
 	auto ei = internal_type("Broker::EndpointInfo")->AsRecordType();
-	auto endpoint_info = new RecordVal(ei);
+	auto endpoint_info = make_intrusive<RecordVal>(ei);
 	if ( ctx )
 		{
@ -1272,9 +1264,9 @@ void Manager::ProcessStatus(broker::status stat)
 		}
 	auto str = stat.message();
-	auto msg = new StringVal(str ? *str : "");
+	auto msg = make_intrusive<StringVal>(str ? *str : "");
-	mgr.QueueEventFast(event, {endpoint_info, msg});
+	mgr.Enqueue(event, std::move(endpoint_info), std::move(msg));
 	}
 void Manager::ProcessError(broker::error err)
@ -1351,10 +1343,10 @@ void Manager::ProcessError(broker::error err)
 		msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
 		}
-	mgr.QueueEventFast(Broker::error, {
+	mgr.Enqueue(Broker::error,
-		BifType::Enum::Broker::ErrorCode->GetVal(ec).release(),
+		BifType::Enum::Broker::ErrorCode->GetVal(ec),
-		new StringVal(msg),
+		make_intrusive<StringVal>(msg)
-	});
+	);
 	}
 void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@ -40,7 +40,6 @@ std::set<std::string> val_to_topic_set(Val* val)
 			{
 			auto index = val->AsTableVal()->RecoverIndex(k);
 			rval.emplace(index->Index(0)->AsString()->CheckString());
 			Unref(index);
 			delete k;
 			}
 		}
@ -84,7 +83,13 @@ type Broker::Event: record;
 function Broker::make_event%(...%): Broker::Event
 	%{
 	bro_broker::Manager::ScriptScopeGuard ssg;
-	auto rval = broker_mgr->MakeEvent(@ARGS@, frame);
+	const auto& bif_args = @ARGS@;
 	val_list args(bif_args->size());
 	for ( auto i = 0u; i < bif_args->size(); ++i )
 		args.push_back((*bif_args)[i].get());
 	auto rval = broker_mgr->MakeEvent(&args, frame);
 	return rval;
 	%}
@ -99,11 +104,11 @@ function Broker::make_event%(...%): Broker::Event
 ## Returns: true if the message is sent.
 function Broker::publish%(topic: string, ...%): bool
 	%{
-	val_list* bif_args = @ARGS@;
+	const auto& bif_args = @ARGS@;
-	val_list args(bif_args->length() - 1);
+	val_list args(bif_args->size() - 1);
-	for ( auto i = 1; i < bif_args->length(); ++i )
+	for ( auto i = 1u; i < bif_args->size(); ++i )
-		args.push_back((*bif_args)[i]);
+		args.push_back((*bif_args)[i].get());
 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
@ -183,17 +188,17 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc();
-	val_list vl{pool->Ref(), key->Ref()};
+	zeek::Args vl{{NewRef{}, pool}, {NewRef{}, key}};
-	auto topic = topic_func->Call(&vl);
+	auto topic = topic_func->Call(vl);
 	if ( ! topic->AsString()->Len() )
 		return val_mgr->GetFalse();
-	val_list* bif_args = @ARGS@;
+	const auto& bif_args = @ARGS@;
-	val_list args(bif_args->length() - 2);
+	val_list args(bif_args->size() - 2);
-	for ( auto i = 2; i < bif_args->length(); ++i )
+	for ( auto i = 2u; i < bif_args->size(); ++i )
-		args.push_back((*bif_args)[i]);
+		args.push_back((*bif_args)[i].get());
 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
@ -220,17 +225,17 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc();
-	val_list vl{pool->Ref(), key->Ref()};
+	zeek::Args vl{{NewRef{}, pool}, {NewRef{}, key}};
-	auto topic = topic_func->Call(&vl);
+	auto topic = topic_func->Call(vl);
 	if ( ! topic->AsString()->Len() )
 		return val_mgr->GetFalse();
-	val_list* bif_args = @ARGS@;
+	const auto& bif_args = @ARGS@;
-	val_list args(bif_args->length() - 2);
+	val_list args(bif_args->size() - 2);
-	for ( auto i = 2; i < bif_args->length(); ++i )
+	for ( auto i = 2u; i < bif_args->size(); ++i )
-		args.push_back((*bif_args)[i]);
+		args.push_back((*bif_args)[i].get());
 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -155,9 +155,9 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
 	if ( conn && FileEventAvailable(file_over_new_connection) )
 		{
 		FileEvent(file_over_new_connection, {
-			val->Ref(),
+			IntrusivePtr{NewRef{}, val},
-			conn->BuildConnVal(),
+			IntrusivePtr{AdoptRef{}, conn->BuildConnVal()},
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
 		});
 		}
 	}
@ -299,11 +299,11 @@ bool File::SetMime(const string& mime_type)
 	if ( ! FileEventAvailable(file_sniff) )
 		return false;
-	RecordVal* meta = new RecordVal(fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(fa_metadata_type);
 	meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
 	meta->Assign(meta_inferred_idx, val_mgr->GetBool(0));
-	FileEvent(file_sniff, {val->Ref(), meta});
+	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
 	return true;
 	}
@ -332,7 +332,7 @@ void File::InferMetadata()
 	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);
-	RecordVal* meta = new RecordVal(fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(fa_metadata_type);
 	if ( ! matches.empty() )
 		{
@ -342,8 +342,7 @@ void File::InferMetadata()
 		             file_analysis::GenMIMEMatchesVal(matches));
 		}
-	FileEvent(file_sniff, {val->Ref(), meta});
+	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
 	return;
 	}
 bool File::BufferBOF(const u_char* data, uint64_t len)
@ -455,9 +454,9 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 			if ( FileEventAvailable(file_reassembly_overflow) )
 				{
 				FileEvent(file_reassembly_overflow, {
-					val->Ref(),
+					IntrusivePtr{NewRef{}, val},
-					val_mgr->GetCount(current_offset),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(current_offset)},
-					val_mgr->GetCount(gap_bytes),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(gap_bytes)}
 				});
 				}
 			}
@ -600,9 +599,9 @@ void File::Gap(uint64_t offset, uint64_t len)
 	if ( FileEventAvailable(file_gap) )
 		{
 		FileEvent(file_gap, {
-			val->Ref(),
+			IntrusivePtr{NewRef{}, val},
-			val_mgr->GetCount(offset),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(offset)},
-			val_mgr->GetCount(len),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
 		});
 		}
@ -622,18 +621,23 @@ void File::FileEvent(EventHandlerPtr h)
 	if ( ! FileEventAvailable(h) )
 		return;
-	FileEvent(h, {val->Ref()});
+	FileEvent(h, zeek::Args{{NewRef{}, val}});
 	}
 void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	{
-	FileEvent(h, std::move(*vl));
+	FileEvent(h, zeek::val_list_to_args(*vl));
 	delete vl;
 	}
 void File::FileEvent(EventHandlerPtr h, val_list vl)
 	{
-	mgr.QueueEventFast(h, std::move(vl));
+	FileEvent(h, zeek::val_list_to_args(vl));
 	}
 void File::FileEvent(EventHandlerPtr h, zeek::Args args)
 	{
 	mgr.Enqueue(h, std::move(args));
 	if ( h == file_new || h == file_over_new_connection ||
 	     h == file_sniff ||
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -10,6 +10,7 @@
 #include "AnalyzerSet.h"
 #include "BroString.h"
 #include "BroList.h" // for val_list
 #include "ZeekArgs.h"
 #include "WeirdState.h"
 using std::string;
@ -175,6 +176,7 @@ public:
 	 * @param h pointer to an event handler.
 	 * @param vl list of argument values to pass to event call.
 	 */
 	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
 	void FileEvent(EventHandlerPtr h, val_list* vl);
 	/**
@ -182,8 +184,16 @@ public:
 	 * @param h pointer to an event handler.
 	 * @param vl list of argument values to pass to event call.
 	 */
 	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
 	void FileEvent(EventHandlerPtr h, val_list vl);
 	/**
 	 * Raises an event related to the file's life-cycle.
 	 * @param h pointer to an event handler.
 	 * @param args list of argument values to pass to event call.
 	 */
 	void FileEvent(EventHandlerPtr h, zeek::Args args);
 	/**
 	 * Sets the MIME type for a file to a specific value.
 	 *
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -432,13 +432,12 @@ string Manager::GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig)
 		analyzer_mgr->GetComponentName(tag).c_str());
 	EnumVal* tagval = tag.AsEnumVal();
 	Ref(tagval);
-	mgr.QueueEventFast(get_file_handle, {
+	mgr.Enqueue(get_file_handle,
-		tagval,
+		IntrusivePtr{NewRef{}, tagval},
-		c->BuildConnVal(),
+		IntrusivePtr{AdoptRef{}, c->BuildConnVal()},
-		val_mgr->GetBool(is_orig),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
-	});
+	);
 	mgr.Drain(); // need file handle immediately so we don't have to buffer data
 	return current_file_id;
 	}
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@ -42,11 +42,11 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 	{
 	if ( ! chunk_event ) return true;
-	mgr.QueueEventFast(chunk_event, {
+	mgr.Enqueue(chunk_event,
-		GetFile()->GetVal()->Ref(),
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		new StringVal(new BroString(data, len, 0)),
+		make_intrusive<StringVal>(new BroString(data, len, 0)),
-		val_mgr->GetCount(offset),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(offset)}
-	});
+	);
 	return true;
 	}
@ -55,10 +55,10 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
 	{
 	if ( ! stream_event ) return true;
-	mgr.QueueEventFast(stream_event, {
+	mgr.Enqueue(stream_event,
-		GetFile()->GetVal()->Ref(),
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		new StringVal(new BroString(data, len, 0)),
+		make_intrusive<StringVal>(new BroString(data, len, 0))
-	});
+	);
 	return true;
 	}
--- a/src/file_analysis/analyzer/entropy/Entropy.cc
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@ -60,15 +60,15 @@ void Entropy::Finalize()
 	montepi = scc = ent = mean = chisq = 0.0;
 	entropy->Get(&ent, &chisq, &mean, &montepi, &scc);
-	RecordVal* ent_result = new RecordVal(entropy_test_result);
+	auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
 	ent_result->Assign(0, make_intrusive<Val>(ent,     TYPE_DOUBLE));
 	ent_result->Assign(1, make_intrusive<Val>(chisq,   TYPE_DOUBLE));
 	ent_result->Assign(2, make_intrusive<Val>(mean,    TYPE_DOUBLE));
 	ent_result->Assign(3, make_intrusive<Val>(montepi, TYPE_DOUBLE));
 	ent_result->Assign(4, make_intrusive<Val>(scc,     TYPE_DOUBLE));
-	mgr.QueueEventFast(file_entropy, {
+	mgr.Enqueue(file_entropy,
-		GetFile()->GetVal()->Ref(),
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		ent_result,
+		std::move(ent_result)
-	});
+	);
 	}
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@ -92,10 +92,10 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
 		{
 		File* f = GetFile();
 		f->FileEvent(file_extraction_limit, {
-			f->GetVal()->Ref(),
+			IntrusivePtr{NewRef{}, f->GetVal()},
-			Args()->Ref(),
+			IntrusivePtr{NewRef{}, Args()},
-			val_mgr->GetCount(limit),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(limit)},
-			val_mgr->GetCount(len),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
 		});
 		// Limit may have been modified by a BIF, re-check it.
--- a/src/file_analysis/analyzer/hash/Hash.cc
+++ b/src/file_analysis/analyzer/hash/Hash.cc
@ -51,9 +51,9 @@ void Hash::Finalize()
 	if ( ! file_hash )
 		return;
-	mgr.QueueEventFast(file_hash, {
+	mgr.Enqueue(file_hash,
-		GetFile()->GetVal()->Ref(),
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		new StringVal(kind),
+		make_intrusive<StringVal>(kind),
-		hash->Get().release(),
+		hash->Get()
-	});
+	);
 	}
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@ -42,7 +42,7 @@ refine flow File += {
 		%{
 		if ( pe_dos_header )
 			{
-			RecordVal* dh = new RecordVal(BifType::Record::PE::DOSHeader);
+			auto dh = make_intrusive<RecordVal>(BifType::Record::PE::DOSHeader);
 			dh->Assign(0, make_intrusive<StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
 			dh->Assign(1, val_mgr->GetCount(${h.UsedBytesInTheLastPage}));
 			dh->Assign(2, val_mgr->GetCount(${h.FileSizeInPages}));
@ -61,10 +61,9 @@ refine flow File += {
 			dh->Assign(15, val_mgr->GetCount(${h.OEMinfo}));
 			dh->Assign(16, val_mgr->GetCount(${h.AddressOfNewExeHeader}));
-			mgr.QueueEventFast(pe_dos_header, {
+			mgr.Enqueue(pe_dos_header,
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-			    dh
+			    std::move(dh));
 			    });
 			}
 		return true;
 		%}
@ -72,12 +71,10 @@ refine flow File += {
 	function proc_dos_code(code: bytestring): bool
 		%{
 		if ( pe_dos_code )
-			{
+			mgr.Enqueue(pe_dos_code,
-			mgr.QueueEventFast(pe_dos_code, {
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			    make_intrusive<StringVal>(code.length(), (const char*) code.data())
-			    new StringVal(code.length(), (const char*) code.data())
+			    );
 			    });
 			}
 		return true;
 		%}
@ -95,7 +92,7 @@ refine flow File += {
 		%{
 		if ( pe_file_header )
 			{
-			RecordVal* fh = new RecordVal(BifType::Record::PE::FileHeader);
+			auto fh = make_intrusive<RecordVal>(BifType::Record::PE::FileHeader);
 			fh->Assign(0, val_mgr->GetCount(${h.Machine}));
 			fh->Assign(1, make_intrusive<Val>(static_cast<double>(${h.TimeDateStamp}), TYPE_TIME));
 			fh->Assign(2, val_mgr->GetCount(${h.PointerToSymbolTable}));
@ -103,10 +100,9 @@ refine flow File += {
 			fh->Assign(4, val_mgr->GetCount(${h.SizeOfOptionalHeader}));
 			fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));
-			mgr.QueueEventFast(pe_file_header, {
+			mgr.Enqueue(pe_file_header,
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-			    fh
+			    std::move(fh));
 			    });
 			}
 		return true;
@ -124,7 +120,7 @@ refine flow File += {
 		if ( pe_optional_header )
 			{
-			RecordVal* oh = new RecordVal(BifType::Record::PE::OptionalHeader);
+			auto oh = make_intrusive<RecordVal>(BifType::Record::PE::OptionalHeader);
 			oh->Assign(0, val_mgr->GetCount(${h.magic}));
 			oh->Assign(1, val_mgr->GetCount(${h.major_linker_version}));
@ -155,10 +151,9 @@ refine flow File += {
 			oh->Assign(23, process_rvas(${h.rvas}));
-			mgr.QueueEventFast(pe_optional_header, {
+			mgr.Enqueue(pe_optional_header,
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-			    oh
+			    std::move(oh));
 			    });
 			}
 		return true;
 		%}
@ -167,7 +162,7 @@ refine flow File += {
 		%{
 		if ( pe_section_header )
 			{
-			RecordVal* section_header = new RecordVal(BifType::Record::PE::SectionHeader);
+			auto section_header = make_intrusive<RecordVal>(BifType::Record::PE::SectionHeader);
 			// Strip null characters from the end of the section name.
 			u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length());
@ -188,10 +183,10 @@ refine flow File += {
 			section_header->Assign(8, val_mgr->GetCount(${h.non_used_num_of_line_nums}));
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));
-			mgr.QueueEventFast(pe_section_header, {
+			mgr.Enqueue(pe_section_header,
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-			    section_header
+			    std::move(section_header)
-			    });
+			    );
 			}
 		return true;
 		%}
--- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
+++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
@ -66,7 +66,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_event )
 			{
-			RecordVal* ids_event = new RecordVal(BifType::Record::Unified2::IDSEvent);
+			auto ids_event = make_intrusive<RecordVal>(BifType::Record::Unified2::IDSEvent);
 			ids_event->Assign(0, val_mgr->GetCount(${ev.sensor_id}));
 			ids_event->Assign(1, val_mgr->GetCount(${ev.event_id}));
 			ids_event->Assign(2, make_intrusive<Val>(ts_to_double(${ev.ts}), TYPE_TIME));
@ -81,11 +81,9 @@ refine flow Flow += {
 			ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
 			ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action}));
-			mgr.QueueEventFast(::unified2_event, {
+			mgr.Enqueue(::unified2_event,
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-					ids_event,
+					std::move(ids_event));
 					},
 				SOURCE_LOCAL);
 			}
 		return true;
 		%}
@ -94,7 +92,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_event )
 			{
-			RecordVal* ids_event = new RecordVal(BifType::Record::Unified2::IDSEvent);
+			auto ids_event = make_intrusive<RecordVal>(BifType::Record::Unified2::IDSEvent);
 			ids_event->Assign(0, val_mgr->GetCount(${ev.sensor_id}));
 			ids_event->Assign(1, val_mgr->GetCount(${ev.event_id}));
 			ids_event->Assign(2, make_intrusive<Val>(ts_to_double(${ev.ts}), TYPE_TIME));
@ -113,11 +111,9 @@ refine flow Flow += {
 			ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label}));
 			ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id}));
-			mgr.QueueEventFast(::unified2_event, {
+			mgr.Enqueue(::unified2_event,
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-					ids_event,
+					std::move(ids_event));
 					},
 				SOURCE_LOCAL);
 			}
 		return true;
@ -127,7 +123,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_packet )
 			{
-			RecordVal* packet = new RecordVal(BifType::Record::Unified2::Packet);
+			auto packet = make_intrusive<RecordVal>(BifType::Record::Unified2::Packet);
 			packet->Assign(0, val_mgr->GetCount(${pkt.sensor_id}));
 			packet->Assign(1, val_mgr->GetCount(${pkt.event_id}));
 			packet->Assign(2, val_mgr->GetCount(${pkt.event_second}));
@ -135,11 +131,9 @@ refine flow Flow += {
 			packet->Assign(4, val_mgr->GetCount(${pkt.link_type}));
 			packet->Assign(5, bytestring_to_val(${pkt.packet_data}));
-			mgr.QueueEventFast(::unified2_packet, {
+			mgr.Enqueue(::unified2_packet,
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
-					packet,
+					std::move(packet));
 					},
 				SOURCE_LOCAL);
 			}
 		return true;
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@ -75,7 +75,7 @@ static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio)
 	return true;
 	}
-bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
+static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bio)
 	{
 	ASN1_OBJECT*       hash_alg         = nullptr;
 	ASN1_OCTET_STRING* issuer_name_hash = nullptr;
@ -89,10 +89,10 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
 	if ( ! res )
 		{
 		reporter->Weird("OpenSSL failed to get OCSP_CERTID info");
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		return false;
 		}
@ -101,22 +101,22 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
 	i2a_ASN1_OBJECT(bio, hash_alg);
 	int len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 	i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 	i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 	i2a_ASN1_INTEGER(bio, serial_number);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 	return true;
@ -420,24 +420,27 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 #endif
 	if ( ocsp_request )
-		mgr.QueueEventFast(ocsp_request, {
+		mgr.Enqueue(ocsp_request,
-			GetFile()->GetVal()->Ref(),
+			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			val_mgr->GetCount(version),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(version)}
-		});
+		);
 	BIO *bio = BIO_new(BIO_s_mem());
 	int req_count = OCSP_request_onereq_count(req);
 	for ( int i=0; i<req_count; i++ )
 		{
-		val_list rvl(5);
+		zeek::Args rvl;
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		rvl.reserve(5);
 		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
 		OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
 		OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);
 		ocsp_add_cert_id(cert_id, &rvl, bio);
-		mgr.QueueEvent(ocsp_request_certificate, std::move(rvl));
+
 		if ( ocsp_request_certificate )
 			mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
 		}
 	BIO_free(bio);
@ -463,10 +466,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	StringVal* status_val = new StringVal(strlen(status_str), status_str);
 	if ( ocsp_response_status )
-		mgr.QueueEventFast(ocsp_response_status, {
+		mgr.Enqueue(ocsp_response_status,
-			GetFile()->GetVal()->Ref(),
+			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			status_val->Ref(),
+			IntrusivePtr{NewRef{}, status_val}
-		});
+		);
 	//if (!resp_bytes)
 	//	{
@ -479,7 +482,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//int len = BIO_read(bio, buf, sizeof(buf));
 	//BIO_reset(bio);
-	val_list vl(8);
+	zeek::Args vl;
 	vl.reserve(8);
 	// get the basic response
 	basic_resp = OCSP_response_get1_basic(resp);
@ -498,26 +502,26 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		}
 #endif
-	vl.push_back(GetFile()->GetVal()->Ref());
+	vl.emplace_back(NewRef{}, GetFile()->GetVal());
-	vl.push_back(status_val);
+	vl.emplace_back(AdoptRef{}, status_val);
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
-	vl.push_back(val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
+	vl.emplace_back(AdoptRef{}, val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
 #else
-	vl.push_back(parse_basic_resp_data_version(basic_resp));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_data_version(basic_resp));
 #endif
 	// responderID
 	if ( OCSP_RESPID_bio(basic_resp, bio) )
 		{
 		len = BIO_read(bio, buf, sizeof(buf));
-		vl.push_back(new StringVal(len, buf));
+		vl.emplace_back(make_intrusive<StringVal>(len, buf));
 		BIO_reset(bio);
 		}
 	else
 		{
 		reporter->Weird("OpenSSL failed to get OCSP responder id");
-		vl.push_back(val_mgr->GetEmptyString());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		}
 	// producedAt
@ -527,7 +531,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	produced_at = OCSP_resp_get0_produced_at(basic_resp);
 #endif
-	vl.push_back(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
+	vl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
 	// responses
@ -540,8 +544,9 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		if ( !single_resp )
 			continue;
-		val_list rvl(10);
+		zeek::Args rvl;
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		rvl.reserve(10);
 		rvl.emplace_back(NewRef{}, GetFile()->GetVal());
 		// cert id
 		const OCSP_CERTID* cert_id = nullptr;
@ -569,38 +574,39 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			reporter->Weird("OpenSSL failed to find status of OCSP response");
 		const char* cert_status_str = OCSP_cert_status_str(status);
-		rvl.push_back(new StringVal(strlen(cert_status_str), cert_status_str));
+		rvl.emplace_back(make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));
 		// revocation time and reason if revoked
 		if ( status == V_OCSP_CERTSTATUS_REVOKED )
 			{
-			rvl.push_back(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
 			if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 				{
 				const char* revoke_reason = OCSP_crl_reason_str(reason);
-				rvl.push_back(new StringVal(strlen(revoke_reason), revoke_reason));
+				rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
 				}
 			else
-				rvl.push_back(new StringVal(0, ""));
+				rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}
 		else
 			{
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
-			rvl.push_back(new StringVal(0, ""));
+			rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}
 		if ( this_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
 		if ( next_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
-		mgr.QueueEvent(ocsp_response_certificate, std::move(rvl));
+		if ( ocsp_response_certificate )
 			mgr.Enqueue(ocsp_response_certificate, std::move(rvl));
 		num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
 		for ( int k = 0; k < num_ext; ++k )
@ -616,10 +622,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl.push_back(new StringVal(len, buf));
+	vl.emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 #else
-	vl.push_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
 #endif
 	//i2a_ASN1_OBJECT(bio, basic_resp->signature);
@ -628,7 +634,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//BIO_reset(bio);
 	certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
-	vl.push_back(certs_vector);
+	vl.emplace_back(AdoptRef{}, certs_vector);
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	certs = basic_resp->certs;
@ -650,7 +656,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			}
 	  }
-	mgr.QueueEvent(ocsp_response_bytes, std::move(vl));
+	if ( ocsp_response_bytes )
 		mgr.Enqueue(ocsp_response_bytes, std::move(vl));
 	// ok, now that we are done with the actual certificate - let's parse extensions :)
 	num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -60,11 +60,9 @@ bool file_analysis::X509::EndOfFile()
 				return false;
 			// yup, let's call the callback.
-			val_list vl(3);
+			cache_hit_callback->Call(IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			vl.push_back(GetFile()->GetVal()->Ref());
+			                         std::move(entry),
-			vl.push_back(entry.release());
+			                         make_intrusive<StringVal>(cert_sha256));
 			vl.push_back(new StringVal(cert_sha256));
 			cache_hit_callback->Call(&vl);
 			return false;
 			}
 		}
@ -84,11 +82,11 @@ bool file_analysis::X509::EndOfFile()
 	RecordVal* cert_record = ParseCertificate(cert_val, GetFile());
 	// and send the record on to scriptland
-	mgr.QueueEvent(x509_certificate, {
+	if ( x509_certificate )
-		GetFile()->GetVal()->Ref(),
+		mgr.Enqueue(x509_certificate,
-		cert_val->Ref(),
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-		cert_record->Ref(), // we Ref it here, because we want to keep a copy around for now...
+		            IntrusivePtr{NewRef{}, cert_val},
-	});
+		            IntrusivePtr{NewRef{}, cert_record});
 	// after parsing the certificate - parse the extensions...
@ -291,16 +289,16 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		{
 		if ( x509_ext_basic_constraints )
 			{
-			RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
+			auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
 			pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0));
 			if ( constr->pathlen )
 				pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen)));
-			mgr.QueueEventFast(x509_ext_basic_constraints, {
+			mgr.Enqueue(x509_ext_basic_constraints,
-				GetFile()->GetVal()->Ref(),
+				IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-				pBasicConstraint,
+				std::move(pBasicConstraint)
-			});
+			);
 			}
 		BASIC_CONSTRAINTS_free(constr);
@ -422,7 +420,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 			}
 		}
-		RecordVal* sanExt = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
+		auto sanExt = make_intrusive<RecordVal>(BifType::Record::X509::SubjectAlternativeName);
 		if ( names != 0 )
 			sanExt->Assign(0, names);
@ -438,10 +436,9 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 		sanExt->Assign(4, val_mgr->GetBool(otherfields));
-		mgr.QueueEvent(x509_ext_subject_alternative_name, {
+		mgr.Enqueue(x509_ext_subject_alternative_name,
-			GetFile()->GetVal()->Ref(),
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			sanExt,
+		            std::move(sanExt));
 		});
 	GENERAL_NAMES_free(altname);
 	}
--- a/src/file_analysis/analyzer/x509/X509Common.cc
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@ -257,12 +257,19 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 			}
 		}
-	StringVal* ext_val = GetExtensionFromBIO(bio, GetFile());
+	auto ext_val = GetExtensionFromBIO(bio, GetFile());
 	if ( ! h )
 		{
 		// let individual analyzers parse more.
 		ParseExtensionsSpecific(ex, global, ext_asn, oid);
 		return;
 		}
 	if ( ! ext_val )
-		ext_val = new StringVal(0, "");
+		ext_val = make_intrusive<StringVal>(0, "");
-	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
+	auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
 	pX509Ext->Assign(0, make_intrusive<StringVal>(name));
 	if ( short_name and strlen(short_name) > 0 )
@ -280,22 +287,18 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 	// but I am not sure if there is a better way to do it...
 	if ( h == ocsp_extension )
-		mgr.QueueEvent(h, {
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			GetFile()->GetVal()->Ref(),
+					std::move(pX509Ext),
-			pX509Ext,
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(global)});
 			val_mgr->GetBool(global ? 1 : 0),
 		});
 	else
-		mgr.QueueEvent(h, {
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
-			GetFile()->GetVal()->Ref(),
+		            std::move(pX509Ext));
 			pX509Ext,
 		});
 	// let individual analyzers parse more.
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);
 	}
-StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
+IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	{
 	BIO_flush(bio);
 	ERR_clear_error();
@ -313,7 +316,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	if ( length == 0 )
 		{
 		BIO_free_all(bio);
-		return val_mgr->GetEmptyString();
+		return {AdoptRef{}, val_mgr->GetEmptyString()};
 		}
 	char* buffer = (char*) malloc(length);
@ -328,7 +331,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 		}
 	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
+	auto ext_val = make_intrusive<StringVal>(length, buffer);
 	free(buffer);
 	BIO_free_all(bio);
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@ -13,6 +13,7 @@
 class EventHandlerPtr;
 class Reporter;
 class StringVal;
 template <class T> class IntrusivePtr;
 namespace file_analysis {
@ -34,7 +35,7 @@ public:
 	 *
 	 * @return The X509 extension value.
 	 */
-	static StringVal* GetExtensionFromBIO(BIO* bio, File* f = 0);
+	static IntrusivePtr<StringVal> GetExtensionFromBIO(BIO* bio, File* f = 0);
 	static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@ -189,12 +189,12 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());
-	StringVal* ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
+	auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
 	if ( ! ext_val )
-		ext_val = val_mgr->GetEmptyString();
+		ext_val = {AdoptRef{}, val_mgr->GetEmptyString()};
-	return ext_val;
+	return ext_val.release();
 	%}
 ## Verifies an OCSP reply.
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@ -38,15 +38,15 @@ refine connection MockConnection += {
 		if ( ! x509_ocsp_ext_signed_certificate_timestamp )
 			return true;
-		mgr.QueueEventFast(x509_ocsp_ext_signed_certificate_timestamp, {
+		mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
-			bro_analyzer()->GetFile()->GetVal()->Ref(),
+			IntrusivePtr{NewRef{}, bro_analyzer()->GetFile()->GetVal()},
-			val_mgr->GetCount(version),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(version)},
-			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
+			make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
-			val_mgr->GetCount(timestamp),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(timestamp)},
-			val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm())},
-			val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm())},
-			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
+			make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
-			});
+			);
 		return true;
 		%}
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@ -283,11 +283,10 @@ bool Manager::CreateStream(Stream* info, RecordVal* description)
 		TableEntryVal* v;
 		while ( (v = info->config->AsTable()->NextEntry(k, c)) )
 			{
-			ListVal* index = info->config->RecoverIndex(k);
+			auto index = info->config->RecoverIndex(k);
 			string key = index->Index(0)->AsString()->CheckString();
 			string value = v->Value()->AsString()->CheckString();
 			rinfo.config.insert(std::make_pair(copy_string(key.c_str()), copy_string(value.c_str())));
 			Unref(index);
 			delete k;
 			}
 		}
@ -1335,7 +1334,6 @@ void Manager::EndCurrentSend(ReaderFrontend* reader)
 	while ( ( ih = stream->lastDict->NextEntry(lastDictIdxKey, c) ) )
 		{
 		ListVal * idx = 0;
 		IntrusivePtr<Val> val;
 		Val* predidx = 0;
@ -1344,12 +1342,11 @@ void Manager::EndCurrentSend(ReaderFrontend* reader)
 		if ( stream->pred || stream->event )
 			{
-			idx = stream->tab->RecoverIndex(ih->idxkey);
+			auto idx = stream->tab->RecoverIndex(ih->idxkey);
-			assert(idx != 0);
+			assert(idx != nullptr);
-			val = stream->tab->Lookup(idx);
+			val = stream->tab->Lookup(idx.get());
 			assert(val != 0);
-			predidx = ListValToRecordVal(idx, stream->itype, &startpos);
+			predidx = ListValToRecordVal(idx.get(), stream->itype, &startpos);
 			Unref(idx);
 			ev = BifType::Enum::Input::Event->GetVal(BifEnum::Input::EVENT_REMOVED).release();
 			}
@ -1785,16 +1782,18 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals)
 bool Manager::CallPred(Func* pred_func, const int numvals, ...) const
 	{
 	bool result = false;
-	val_list vl(numvals);
+	zeek::Args vl;
 	vl.reserve(numvals);
 	va_list lP;
 	va_start(lP, numvals);
 	for ( int i = 0; i < numvals; i++ )
-		vl.push_back( va_arg(lP, Val*) );
+		vl.emplace_back(AdoptRef{}, va_arg(lP, Val*));
 	va_end(lP);
-	auto v = pred_func->Call(&vl);
+	auto v = pred_func->Call(vl);
 	if ( v )
 		result = v->AsBool();
@ -1838,12 +1837,14 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
 	bool convert_error = false;
-	val_list vl(num_vals);
+	zeek::Args vl;
 	vl.reserve(num_vals);
 	for ( int j = 0; j < num_vals; j++)
 		{
 		Val* v = ValueToVal(i, vals[j], convert_error);
-		vl.push_back(v);
+		vl.emplace_back(AdoptRef{}, v);
 		if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) )
 			{
 			convert_error = true;
@ -1854,21 +1855,17 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
 	delete_value_ptr_array(vals, num_vals);
 	if ( convert_error )
 		{
 		for ( const auto& v : vl )
 			Unref(v);
 		return false;
-		}
+	else if ( handler )
-	else
+		mgr.Enqueue(handler, std::move(vl), SOURCE_LOCAL);
 		mgr.QueueEvent(handler, std::move(vl), SOURCE_LOCAL);
 	return true;
 }
 void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
 	{
-	val_list vl(numvals);
+	zeek::Args vl;
 	vl.reserve(numvals);
 #ifdef DEBUG
 	DBG_LOG(DBG_INPUT, "SendEvent with %d vals",
@ -1878,16 +1875,18 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
 	va_list lP;
 	va_start(lP, numvals);
 	for ( int i = 0; i < numvals; i++ )
-		vl.push_back( va_arg(lP, Val*) );
+		vl.emplace_back(AdoptRef{}, va_arg(lP, Val*));
 	va_end(lP);
-	mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
+	if ( ev )
 		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}
 void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
 	{
-	val_list vl(events.size());
+	zeek::Args vl;
 	vl.reserve(events.size());
 #ifdef DEBUG
 	DBG_LOG(DBG_INPUT, "SendEvent with %" PRIuPTR " vals (list)",
@ -1895,9 +1894,10 @@ void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
 #endif
 	for ( list<Val*>::iterator i = events.begin(); i != events.end(); i++ )
-		vl.push_back( *i );
+		vl.emplace_back(AdoptRef{}, *i);
-	mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
+	if ( ev )
 		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}
 // Convert a bro list value to a bro record value.
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@ -48,7 +48,7 @@ void PcapSource::Close()
 	Closed();
 	if ( Pcap::file_done )
-		mgr.QueueEventFast(Pcap::file_done, {new StringVal(props.path)});
+		mgr.Enqueue(Pcap::file_done, make_intrusive<StringVal>(props.path));
 	}
 void PcapSource::OpenLive()
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@ -710,7 +710,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 	// Raise the log event.
 	if ( stream->event )
-		mgr.QueueEventFast(stream->event, {columns->Ref()}, SOURCE_LOCAL);
+		mgr.Enqueue(stream->event, columns);
 	// Send to each of our filters.
 	for ( list<Filter*>::iterator i = stream->filters.begin();
@ -723,11 +723,9 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 			{
 			// See whether the predicates indicates that we want
 			// to log this record.
 			val_list vl{columns->Ref()};
 			int result = 1;
 			auto v = filter->pred->Call(columns);
 			auto v = filter->pred->Call(&vl);
 			if ( v )
 				result = v->AsBool();
@ -737,23 +735,25 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 		if ( filter->path_func )
 			{
-			Val* path_arg;
+			IntrusivePtr<Val> path_arg;
 			if ( filter->path_val )
 				path_arg = filter->path_val->Ref();
 			else
 				path_arg = val_mgr->GetEmptyString();
-			Val* rec_arg;
+			if ( filter->path_val )
 				path_arg = {NewRef{}, filter->path_val};
 			else
 				path_arg = {AdoptRef{}, val_mgr->GetEmptyString()};
 			IntrusivePtr<Val> rec_arg;
 			BroType* rt = filter->path_func->FType()->Args()->FieldType("rec");
 			if ( rt->Tag() == TYPE_RECORD )
-				rec_arg = columns->CoerceTo(rt->AsRecordType(), true).release();
+				rec_arg = columns->CoerceTo(rt->AsRecordType(), true);
 			else
 				// Can be TYPE_ANY here.
-				rec_arg = columns->Ref();
+				rec_arg = columns;
-			val_list vl{id->Ref(), path_arg, rec_arg};
+			auto v = filter->path_func->Call(IntrusivePtr{NewRef{}, id},
-			auto v = filter->path_func->Call(&vl);
+			                                 std::move(path_arg),
 			                                 std::move(rec_arg));
 			if ( ! v )
 				return false;
@ -868,11 +868,10 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 			TableEntryVal* v;
 			while ( (v = filter->config->AsTable()->NextEntry(k, c)) )
 				{
-				ListVal* index = filter->config->RecoverIndex(k);
+				auto index = filter->config->RecoverIndex(k);
 				string key = index->Index(0)->AsString()->CheckString();
 				string value = v->Value()->AsString()->CheckString();
 				info->config.insert(std::make_pair(copy_string(key.c_str()), copy_string(value.c_str())));
 				Unref(index);
 				delete k;
 				}
@ -1059,8 +1058,7 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter,
 	if ( filter->num_ext_fields > 0 )
 		{
-		val_list vl{filter->path_val->Ref()};
+		auto res = filter->ext_func->Call(IntrusivePtr{NewRef{}, filter->path_val});
 		auto res = filter->ext_func->Call(&vl);
 		if ( res )
 			ext_rec = {AdoptRef{}, res.release()->AsRecordVal()};
@ -1516,7 +1514,7 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
 		return true;
 	// Create the RotationInfo record.
-	RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo);
+	auto info = make_intrusive<RecordVal>(BifType::Record::Log::RotationInfo);
 	info->Assign(0, winfo->type->Ref());
 	info->Assign(1, make_intrusive<StringVal>(new_name));
 	info->Assign(2, make_intrusive<StringVal>(winfo->writer->Info().path));
@ -1535,11 +1533,9 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
 	assert(func);
 	// Call the postprocessor function.
 	val_list vl{info};
 	int result = 0;
-	auto v = func->Call(&vl);
+	auto v = func->Call(std::move(info));
 	if ( v )
 		result = v->AsBool();
--- a/src/main.cc
+++ b/src/main.cc
@ -218,7 +218,7 @@ void done_with_network()
 		mgr.Drain();
 		// Don't propagate this event to remote clients.
 		mgr.Dispatch(new Event(net_done,
-		                       {new Val(timer_mgr->Time(), TYPE_TIME)}),
+		                       {make_intrusive<Val>(timer_mgr->Time(), TYPE_TIME)}),
 		             true);
 		}
@ -269,7 +269,7 @@ void terminate_bro()
 	EventHandlerPtr zeek_done = internal_handler("zeek_done");
 	if ( zeek_done )
-		mgr.QueueEventFast(zeek_done, val_list{});
+		mgr.Enqueue(zeek_done, zeek::Args{});
 	timer_mgr->Expire();
 	mgr.Drain();
@ -826,7 +826,7 @@ int main(int argc, char** argv)
 	EventHandlerPtr zeek_init = internal_handler("zeek_init");
 	if ( zeek_init )	//### this should be a function
-		mgr.QueueEventFast(zeek_init, val_list{});
+		mgr.Enqueue(zeek_init, zeek::Args{});
 	EventRegistry::string_list dead_handlers =
 		event_registry->UnusedHandlers();
@ -873,10 +873,10 @@ int main(int argc, char** argv)
 			if ( i->skipped )
 				continue;
-			mgr.QueueEventFast(zeek_script_loaded, {
+			mgr.Enqueue(zeek_script_loaded,
-				new StringVal(i->name.c_str()),
+				make_intrusive<StringVal>(i->name.c_str()),
-				val_mgr->GetCount(i->include_level),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(i->include_level)}
-			});
+			);
 			}
 		}
--- a/src/option.bif
+++ b/src/option.bif
@ -16,14 +16,15 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i,
 		for ( auto handler_function : i->GetOptionHandlers() )
 			{
 			bool add_loc = handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3;
-			val_list vl(2 + add_loc);
+			zeek::Args vl;
-			vl.push_back(name->Ref());
+			vl.reserve(2 + add_loc);
-			vl.push_back(val->Ref());
+			vl.emplace_back(NewRef{}, name);
 			vl.emplace_back(val);
 			if ( add_loc )
-				vl.push_back(location->Ref());
+				vl.emplace_back(NewRef{}, location);
-			val = handler_function->Call(&vl); // consumed by next call.
+			val = handler_function->Call(vl); // consumed by next call.
 			if ( ! val )
 				{
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #include <optional>
 #include <sstream>
 #include <fstream>
 #include <dirent.h>
@ -619,15 +620,21 @@ int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const
 	return rc;
 	}
-std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) const
+std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent, const zeek::Args& vecargs) const
 	{
 	HookArgumentList args;
 	std::optional<val_list> vargs;
 	if ( HavePluginForHook(META_HOOK_PRE) )
 		{
 		vargs = val_list(vecargs.size());
 		for ( const auto& v : vecargs )
 			vargs->push_back(v.get());
 		args.push_back(HookArgument(func));
 		args.push_back(HookArgument(parent));
-		args.push_back(HookArgument(vargs));
+		args.push_back(HookArgument(&vargs.value()));
 		MetaHookPre(HOOK_CALL_FUNCTION, args);
 		}
@ -637,11 +644,19 @@ std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent,
 	if ( l )
 		{
 		if ( ! vargs )
 			{
 			vargs = val_list(vecargs.size());
 			for ( const auto& v : vecargs )
 				vargs->push_back(v.get());
 			}
 		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
 			{
 			Plugin* p = (*i).second;
-			v = p->HookCallFunction(func, parent, vargs);
+			v = p->HookCallFunction(func, parent, &vargs.value());
 			if ( v.first )
 				break;
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@ -6,11 +6,11 @@
 #include <map>
 #include <string_view>
 #include "Plugin.h"
 #include "Component.h"
 #include "../Reporter.h"
 #include "../ZeekArgs.h"
 namespace plugin {
@ -253,7 +253,7 @@ public:
 	 * functions and events, it may be any Val and must be ignored). If no
 	 * plugin handled the call, the method returns null.
 	 */
-	std::pair<bool, Val*> HookCallFunction(const Func* func, Frame *parent, val_list* args) const;
+	std::pair<bool, Val*> HookCallFunction(const Func* func, Frame* parent, const zeek::Args& args) const;
 	/**
 	 * Hook that filters the queuing of an event.
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@ -19,6 +19,7 @@ class ODesc;
 class Frame;
 class Func;
 class Event;
 template <class T> class IntrusivePtr;
 namespace threading {
 struct Field;
--- a/src/reporter.bif
+++ b/src/reporter.bif
@ -182,7 +182,6 @@ function Reporter::set_weird_sampling_whitelist%(weird_sampling_whitelist: strin
 		auto index = wl_val->RecoverIndex(k);
 		string key = index->Index(0)->AsString()->CheckString();
 		whitelist_set.emplace(move(key));
 		Unref(index);
 		delete k;
 		}
 	reporter->SetWeirdSamplingWhitelist(whitelist_set);
--- a/Show more
+++ b/Show more
		`@ -1 +1 @@`
			`Subproject commit b3a5d01c041b78a9e50544ac891c5e0d35c116f7`				`Subproject commit 92377e064d925389b1732d105a674f2f761615e6`