Merge remote-tracking branch 'origin/topic/jsiwek/runtime-exception-leak-cleanup'

* origin/topic/jsiwek/runtime-exception-leak-cleanup: Func::DescribeDebug: move a NumFields() call out of loop Use const-ref parameter for zeek::val_list_to_args() Fix missing IntrusivePtr.h include and ambiguous ODesc::Add call Remove TimerMgr arg from event queuing/scheduling methods Deprecate Analyzer::ConnectionEvent() Deprecate file_analysis::File::FileEvent methods using val_list args Deprecate Connection::ConnectionEvent methods Deprecate EventMgr::QueueEventFast() and update usages to Enqueue() Deprecate EventMgr::QueueEvent() and update usages to Enqueue() Deprecate Func::Call(val_list*, ...) Use vector<IntrusivePtr<Val>> for Func::Call and Event queuing args Fix memory leak in Zeek when-statement bodies with runtime errors Change TableVal::RecoverIndex() to return IntrusivePtr Use IntrusivePtr in TableVal::CallExpireFunc Fix memory leak when runtime error occurs in a Zeek for-loop Enable leak checks for btests that produce runtime exceptions
2025-10-02 14:48:21 +00:00 · 2020-03-27 11:48:46 -07:00 · 2020-03-27 11:48:46 -07:00 · 85c6c2b9ee
commit 85c6c2b9ee
parent 75d7396f2d 29a7222563
133 changed files with 2044 additions and 1999 deletions
--- a/54
+++ b/54
@ -1,3 +1,57 @@
+3.2.0-dev.300 | 2020-03-27 11:48:46 -0700
+
+  * Func::DescribeDebug: move a NumFields() call out of loop (Jon Siwek, Corelight)
+
+  * Use const-ref parameter for zeek::val_list_to_args()
+
+    It ended up being used a bit more than initially expected and this
+    is closer to the style we're generally aiming for. (Jon Siwek, Corelight)
+
+  * Fix missing IntrusivePtr.h include and ambiguous ODesc::Add call (Jon Siwek, Corelight)
+
+  * Remove TimerMgr arg from event queuing/scheduling methods
+
+    It's not useful for anything since there's only ever a single TimerMgr. (Jon Siwek, Corelight)
+
+  * Deprecate Analyzer::ConnectionEvent()
+
+    And update usages to Analyzer::EnqueueConnEvent() (Jon Siwek, Corelight)
+
+  * Deprecate file_analysis::File::FileEvent methods using val_list args
+
+    And update usages to the overload that takes a zeek::Args instead. (Jon Siwek, Corelight)
+
+  * Deprecate Connection::ConnectionEvent methods
+
+    And update usages to Connection::EnqueueEvent (Jon Siwek, Corelight)
+
+  * Deprecate EventMgr::QueueEventFast() and update usages to Enqueue() (Jon Siwek, Corelight)
+
+  * Deprecate EventMgr::QueueEvent() and update usages to Enqueue() (Jon Siwek, Corelight)
+
+  * Deprecate Func::Call(val_list*, ...)
+
+    The version taking a vector of intrusive pointers should be used
+    instead.  A variadic version is also added that forwards all arguments. (Jon Siwek, Corelight)
+
+  * Use vector<IntrusivePtr<Val>> for Func::Call and Event queuing args
+
+    This change may break BIFs that use @ARGS@, @ARG@, or @ARGC@ since their
+    types have changed. (Jon Siwek, Corelight)
+
+  * Fix memory leak in Zeek when-statement bodies with runtime errors (Jon Siwek, Corelight)
+
+  * Change TableVal::RecoverIndex() to return IntrusivePtr (Jon Siwek, Corelight)
+
+  * Use IntrusivePtr in TableVal::CallExpireFunc (Jon Siwek, Corelight)
+
+  * Fix memory leak when runtime error occurs in a Zeek for-loop (Jon Siwek, Corelight)
+
+  * Enable leak checks for btests that produce runtime exceptions
+
+    These were previously reporting leaks due to various allocations not
+    getting cleaned up during the stack unwind, but at the current state of
+    the transition toward IntrusivePtr usage, theses tests no longer leak. (Jon Siwek, Corelight)

 3.2.0-dev.280 | 2020-03-24 13:49:43 -0700

--- a/26
+++ b/26
@ -27,10 +27,14 @@ Changed Functionality
 ---------------------

 - Several C++ functions have been changed to pass smart pointers
-  (`class IntrusivePtr<>`) instead of raw pointers.  This makes the
+  (``class IntrusivePtr<>``) instead of raw pointers.  This makes the
  code more robust.  External plugins may need to be updated to this
  API change.

+- BIFs that use @ARG@, @ARGS@, or @ARGC@ may break since their type has
+  changed: BIF arguments are now passed as a ``std::vector<IntrusivePtr<Val>>``
+  rather than a ``val_list`` (i.e. ``List<Val*>``).
+
 Removed Functionality
 ---------------------

@ -43,6 +47,26 @@ Removed Functionality
 Deprecated Functionality
 ------------------------

+- The ``Func::Call(val_list*, ...)`` method is now deprecated.  The alternate
+  overload taking a ``zeek::Args`` (``std::vector<IntrusivePtr<Val>>``) should
+  be used instead.  There's also now a variadic template that forwards all
+  arguments.
+
+- The ``EventMgr::QueueEvent()`` and EventMgr::QueueEventFast()`` methods
+  are now deprecated, use ``EventMgr::Enqueue()`` instead.
+
+- The ``Connection::ConnectionEvent()`` and
+  ``Connection::ConnectionEventFast()`` methods are now deprecated, use
+  ``Connection::EnqueueEvent()`` instead.
+
+- The ``file_analysis::File::FileEvent()`` methods taking ``val_list``
+  arguments are now deprecated, use the overload that takes a ``zeek::Args``
+  instead.
+
+- The ``analyzer::Analyzer::ConnectionEvent()`` and
+  ``analyzer::Analyzer::ConectionEventFast()`` methods are deprecated, use
+  ``analyzer::Analyzer::EnqueueConnEvent()`` instead.
+
 Zeek 3.1.0
 ==========

--- a/2
+++ b/2
@ -1 +1 @@
-3.2.0-dev.280
+3.2.0-dev.300
--- a/aux/bifcl
+++ b/aux/bifcl
@ -1 +1 @@
-Subproject commit b3a5d01c041b78a9e50544ac891c5e0d35c116f7
+Subproject commit 92377e064d925389b1732d105a674f2f761615e6
--- a/src/Anon.cc
+++ b/src/Anon.cc
@ -421,12 +421,10 @@ ipaddr32_t anonymize_ip(ipaddr32_t ip, enum ip_addr_anonymization_class_t cl)
 void log_anonymization_mapping(ipaddr32_t input, ipaddr32_t output)
 	{
 	if ( anonymization_mapping )
-		{
-		mgr.QueueEventFast(anonymization_mapping, {
-			new AddrVal(input),
-			new AddrVal(output)
-		});
-		}
+		mgr.Enqueue(anonymization_mapping,
+			make_intrusive<AddrVal>(input),
+			make_intrusive<AddrVal>(output)
+		);
 	}

 #endif
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@ -282,6 +282,7 @@ set(MAIN_SRCS
    Val.cc
    Var.cc
    WeirdState.cc
+    ZeekArgs.cc
    bsd-getopt-long.c
    bro_inet_ntop.c
    cq.c
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@ -207,7 +207,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,

 			auto tbl = tv->AsTable();
 			auto it = tbl->InitForIteration();
-			ListVal* lv = new ListVal(TYPE_ANY);
+			auto lv = make_intrusive<ListVal>(TYPE_ANY);

 			struct HashKeyComparer {
 				bool operator()(const HashKey* a, const HashKey* b) const
@ -229,7 +229,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,
 			while ( tbl->NextEntry(k, it) )
 				{
 				hashkeys[k] = idx++;
-				lv->Append(tv->RecoverIndex(k));
+				lv->Append(tv->RecoverIndex(k).release());
 				}

 			for ( auto& kv : hashkeys )
@ -242,10 +242,7 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,

 				if ( ! (kp1 = SingleValHash(type_check, kp1, key->Type(), key,
 				                            false)) )
-					{
-					Unref(lv);
 					return 0;
-					}

 				if ( ! v->Type()->IsSet() )
 					{
@ -253,14 +250,10 @@ char* CompositeHash::SingleValHash(int type_check, char* kp0,

 					if ( ! (kp1 = SingleValHash(type_check, kp1, val->Type(),
 								    val.get(), false)) )
-						{
-						Unref(lv);
 						return 0;
 					}
 				}
-				}

-			Unref(lv);
 			}
 			break;

--- a/src/Conn.cc
+++ b/src/Conn.cc
@ -203,7 +203,7 @@ void Connection::NextPacket(double t, int is_orig,
 			is_successful = true;

 		if ( ! was_successful && is_successful && connection_successful )
-			ConnectionEventFast(connection_successful, nullptr, {BuildConnVal()});
+			EnqueueEvent(connection_successful, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		}
 	else
 		last_time = t;
@ -259,11 +259,11 @@ void Connection::HistoryThresholdEvent(EventHandlerPtr e, bool is_orig,
 		// and at this stage it's not a *multiple* instance.
 		return;

-	ConnectionEventFast(e, 0, {
-		BuildConnVal(),
-		val_mgr->GetBool(is_orig),
-		val_mgr->GetCount(threshold)
-	});
+	EnqueueEvent(e, nullptr,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)}
+	);
 	}

 void Connection::DeleteTimer(double /* t */)
@ -323,7 +323,7 @@ void Connection::EnableStatusUpdateTimer()

 void Connection::StatusUpdateTimer(double t)
 	{
-	ConnectionEventFast(connection_status_update, 0, { BuildConnVal() });
+	EnqueueEvent(connection_status_update, nullptr, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	ADD_TIMER(&Connection::StatusUpdateTimer,
 			network_time + connection_status_update_interval, 0,
 			TIMER_CONN_STATUS_UPDATE);
@ -446,15 +446,13 @@ void Connection::Match(Rule::PatternType type, const u_char* data, int len, bool

 void Connection::RemovalEvent()
 	{
-	auto cv = BuildConnVal();
+	auto cv = IntrusivePtr{AdoptRef{}, BuildConnVal()};

 	if ( connection_state_remove )
-		ConnectionEventFast(connection_state_remove, nullptr, {cv->Ref()});
+		EnqueueEvent(connection_state_remove, nullptr, cv);

 	if ( is_successful && successful_connection_remove )
-		ConnectionEventFast(successful_connection_remove, nullptr, {cv->Ref()});
-
-	Unref(cv);
+		EnqueueEvent(successful_connection_remove, nullptr, cv);
 	}

 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const char* name)
@ -463,10 +461,9 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, const ch
 		return;

 	if ( name )
-		ConnectionEventFast(f, analyzer, {new StringVal(name), BuildConnVal()});
+		EnqueueEvent(f, analyzer, make_intrusive<StringVal>(name), IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	else
-		ConnectionEventFast(f, analyzer, {BuildConnVal()});
-
+		EnqueueEvent(f, analyzer, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}

 void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1, Val* v2)
@ -479,39 +476,50 @@ void Connection::Event(EventHandlerPtr f, analyzer::Analyzer* analyzer, Val* v1,
 		}

 	if ( v2 )
-		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1, v2});
+		EnqueueEvent(f, analyzer,
+		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		             IntrusivePtr{AdoptRef{}, v1},
+		             IntrusivePtr{AdoptRef{}, v2});
 	else
-		ConnectionEventFast(f, analyzer, {BuildConnVal(), v1});
+		EnqueueEvent(f, analyzer,
+		             IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		             IntrusivePtr{AdoptRef{}, v1});
 	}

 void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
+	auto args = zeek::val_list_to_args(vl);
+
 	if ( ! f )
-		{
 		// This may actually happen if there is no local handler
 		// and a previously existing remote handler went away.
-		for ( const auto& v : vl)
-			Unref(v);
-
 		return;
-		}

 	// "this" is passed as a cookie for the event
-	mgr.QueueEvent(f, std::move(vl), SOURCE_LOCAL,
-			a ? a->GetID() : 0, timer_mgr, this);
+	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}

 void Connection::ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* a, val_list vl)
 	{
 	// "this" is passed as a cookie for the event
-	mgr.QueueEventFast(f, std::move(vl), SOURCE_LOCAL,
-			a ? a->GetID() : 0, timer_mgr, this);
+	mgr.Enqueue(f, zeek::val_list_to_args(vl), SOURCE_LOCAL,
+	            a ? a->GetID() : 0, this);
 	}

 void Connection::ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* a, val_list* vl)
 	{
-	ConnectionEvent(f, a, std::move(*vl));
+	auto args = zeek::val_list_to_args(*vl);
 	delete vl;
+
+	if ( f )
+		EnqueueEvent(f, a, std::move(args));
+	}
+
+void Connection::EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* a,
+                              zeek::Args args)
+	{
+	// "this" is passed as a cookie for the event
+	mgr.Enqueue(f, std::move(args), SOURCE_LOCAL, a ? a->GetID() : 0, this);
 	}

 void Connection::Weird(const char* name, const char* addl)
@ -688,12 +696,12 @@ void Connection::CheckFlowLabel(bool is_orig, uint32_t flow_label)
 		if ( connection_flow_label_changed &&
 		     (is_orig ? saw_first_orig_packet : saw_first_resp_packet) )
 			{
-			ConnectionEventFast(connection_flow_label_changed, 0, {
-				BuildConnVal(),
-				val_mgr->GetBool(is_orig),
-				val_mgr->GetCount(my_flow_label),
-				val_mgr->GetCount(flow_label),
-			});
+			EnqueueEvent(connection_flow_label_changed, 0,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(my_flow_label)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flow_label)}
+			);
 			}

 		my_flow_label = flow_label;
--- a/src/Conn.h
+++ b/src/Conn.h
@ -5,6 +5,8 @@
 #include <sys/types.h>

 #include <string>
+#include <tuple>
+#include <type_traits>

 #include "Dict.h"
 #include "Timer.h"
@ -12,6 +14,8 @@
 #include "IPAddr.h"
 #include "UID.h"
 #include "WeirdState.h"
+#include "ZeekArgs.h"
+#include "IntrusivePtr.h"
 #include "iosource/Packet.h"

 #include "analyzer/Tag.h"
@ -187,6 +191,7 @@ public:
 	// If a handler exists for 'f', an event will be generated.  In any case,
 	// reference count for each element in the 'vl' list are decremented.  The
 	// arguments used for the event are whatevever is provided in 'vl'.
+	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);

@ -194,6 +199,7 @@ public:
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' and also for decrementing the reference count
 	// of each of its elements.
+	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list* vl);

@ -205,9 +211,26 @@ public:
 	// the case where there's no handlers (one usually also does that because
 	// it would be a waste of effort to construct all the event arguments when
 	// there's no handlers to consume them).
+	[[deprecated("Remove in v4.1.  Use EnqueueEvent() instead.")]]
 	void ConnectionEventFast(EventHandlerPtr f, analyzer::Analyzer* analyzer,
 				val_list vl);

+	/**
+	 * Enqueues an event associated with this connection and given analyzer.
+	 */
+	void EnqueueEvent(EventHandlerPtr f, analyzer::Analyzer* analyzer,
+	                  zeek::Args args);
+
+	/**
+	 * A version of EnqueueEvent() taking a variable number of arguments.
+	 */
+	template <class... Args>
+	std::enable_if_t<
+	  std::is_convertible_v<
+	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
+	EnqueueEvent(EventHandlerPtr h, analyzer::Analyzer* analyzer, Args&&... args)
+		{ return EnqueueEvent(h, analyzer, zeek::Args{std::forward<Args>(args)...}); }
+
 	void Weird(const char* name, const char* addl = "");
 	bool DidWeird() const	{ return weird != 0; }

--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@ -704,7 +704,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm)
 	if ( ! e )
 		return;

-	mgr.QueueEventFast(e, {BuildMappingVal(dm).release()});
+	mgr.Enqueue(e, BuildMappingVal(dm));
 	}

 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
@ -713,11 +713,11 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* dm,
 	if ( ! e )
 		return;

-	mgr.QueueEventFast(e, {
-		BuildMappingVal(dm).release(),
-		l1->ConvertToSet(),
-		l2->ConvertToSet(),
-	});
+	mgr.Enqueue(e,
+		BuildMappingVal(dm),
+		IntrusivePtr{AdoptRef{}, l1->ConvertToSet()},
+		IntrusivePtr{AdoptRef{}, l2->ConvertToSet()}
+	);
 	}

 void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
@ -725,10 +725,7 @@ void DNS_Mgr::Event(EventHandlerPtr e, DNS_Mapping* old_dm, DNS_Mapping* new_dm)
 	if ( ! e )
 		return;

-	mgr.QueueEventFast(e, {
-		BuildMappingVal(old_dm).release(),
-		BuildMappingVal(new_dm).release(),
-	});
+	mgr.Enqueue(e, BuildMappingVal(old_dm), BuildMappingVal(new_dm));
 	}

 IntrusivePtr<Val> DNS_Mgr::BuildMappingVal(DNS_Mapping* dm)
--- a/src/Discard.cc
+++ b/src/Discard.cc
@ -39,11 +39,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)

 	if ( check_ip )
 		{
-		val_list args{ip->BuildPktHdrVal()};
+		zeek::Args args{{AdoptRef{}, ip->BuildPktHdrVal()}};

 		try
 			{
-			discard_packet = check_ip->Call(&args)->AsBool();
+			discard_packet = check_ip->Call(args)->AsBool();
 			}

 		catch ( InterpreterException& e )
@ -91,14 +91,14 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct tcphdr* tp = (const struct tcphdr*) data;
 			int th_len = tp->th_off * 4;

-			val_list args{
-				ip->BuildPktHdrVal(),
-				BuildData(data, th_len, len, caplen),
+			zeek::Args args{
+				{AdoptRef{}, ip->BuildPktHdrVal()},
+				{AdoptRef{}, BuildData(data, th_len, len, caplen)},
 			};

 			try
 				{
-				discard_packet = check_tcp->Call(&args)->AsBool();
+				discard_packet = check_tcp->Call(args)->AsBool();
 				}

 			catch ( InterpreterException& e )
@ -115,14 +115,14 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			const struct udphdr* up = (const struct udphdr*) data;
 			int uh_len = sizeof (struct udphdr);

-			val_list args{
-				ip->BuildPktHdrVal(),
-				BuildData(data, uh_len, len, caplen),
+			zeek::Args args{
+				{AdoptRef{}, ip->BuildPktHdrVal()},
+				{AdoptRef{}, BuildData(data, uh_len, len, caplen)},
 			};

 			try
 				{
-				discard_packet = check_udp->Call(&args)->AsBool();
+				discard_packet = check_udp->Call(args)->AsBool();
 				}

 			catch ( InterpreterException& e )
@ -138,11 +138,11 @@ int Discarder::NextPacket(const IP_Hdr* ip, int len, int caplen)
 			{
 			const struct icmp* ih = (const struct icmp*) data;

-			val_list args{ip->BuildPktHdrVal()};
+			zeek::Args args{{AdoptRef{}, ip->BuildPktHdrVal()}};

 			try
 				{
-				discard_packet = check_icmp->Call(&args)->AsBool();
+				discard_packet = check_icmp->Call(args)->AsBool();
 				}

 			catch ( InterpreterException& e )
--- a/src/Event.cc
+++ b/src/Event.cc
@ -18,14 +18,12 @@ EventMgr mgr;
 uint64_t num_events_queued = 0;
 uint64_t num_events_dispatched = 0;

-Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
-		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
-		BroObj* arg_obj)
+Event::Event(EventHandlerPtr arg_handler, zeek::Args arg_args,
+             SourceID arg_src, analyzer::ID arg_aid, BroObj* arg_obj)
 	: handler(arg_handler),
 	  args(std::move(arg_args)),
 	  src(arg_src),
 	  aid(arg_aid),
-	  mgr(arg_mgr ? arg_mgr : timer_mgr),
 	  obj(arg_obj),
 	  next_event(nullptr)
 	{
@ -33,14 +31,6 @@ Event::Event(EventHandlerPtr arg_handler, val_list arg_args,
 		Ref(obj);
 	}

-Event::Event(EventHandlerPtr arg_handler, val_list* arg_args,
-		SourceID arg_src, analyzer::ID arg_aid, TimerMgr* arg_mgr,
-		BroObj* arg_obj)
-	: Event(arg_handler, std::move(*arg_args), arg_src, arg_aid, arg_mgr, arg_obj)
-	{
-	delete arg_args;
-	}
-
 void Event::Describe(ODesc* d) const
 	{
 	if ( d->IsReadable() )
@ -53,7 +43,7 @@ void Event::Describe(ODesc* d) const

 	if ( ! d->IsBinary() )
 		d->Add("(");
-	describe_vals(&args, d);
+	describe_vals(args, d);
 	if ( ! d->IsBinary() )
 		d->Add("(");
 	}
@ -68,7 +58,7 @@ void Event::Dispatch(bool no_remote)

 	try
 		{
-		handler->Call(&args, no_remote);
+		handler->Call(args, no_remote);
 		}

 	catch ( InterpreterException& e )
@ -88,7 +78,6 @@ EventMgr::EventMgr()
 	{
 	head = tail = 0;
 	current_src = SOURCE_LOCAL;
-	current_mgr = timer_mgr;
 	current_aid = 0;
 	src_val = 0;
 	draining = 0;
@ -106,17 +95,38 @@ EventMgr::~EventMgr()
 	Unref(src_val);
 	}

+void EventMgr::QueueEventFast(const EventHandlerPtr &h, val_list vl,
+                              SourceID src, analyzer::ID aid, TimerMgr* mgr,
+                              BroObj* obj)
+	{
+	QueueEvent(new Event(h, zeek::val_list_to_args(vl), src, aid, obj));
+	}
+
 void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list vl,
                          SourceID src, analyzer::ID aid,
                          TimerMgr* mgr, BroObj* obj)
 	{
+	auto args = zeek::val_list_to_args(vl);
+
 	if ( h )
-		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
-	else
-		{
-		for ( const auto& v : vl )
-			Unref(v);
+		Enqueue(h, std::move(args), src, aid, obj);
 	}
+
+void EventMgr::QueueEvent(const EventHandlerPtr &h, val_list* vl,
+                          SourceID src, analyzer::ID aid,
+                          TimerMgr* mgr, BroObj* obj)
+	{
+	auto args = zeek::val_list_to_args(*vl);
+	delete vl;
+
+	if ( h )
+		Enqueue(h, std::move(args), src, aid, obj);
+	}
+
+void EventMgr::Enqueue(const EventHandlerPtr& h, zeek::Args vl,
+                       SourceID src, analyzer::ID aid, BroObj* obj)
+	{
+	QueueEvent(new Event(h, std::move(vl), src, aid, obj));
 	}

 void EventMgr::QueueEvent(Event* event)
@ -150,7 +160,7 @@ void EventMgr::Dispatch(Event* event, bool no_remote)
 void EventMgr::Drain()
 	{
 	if ( event_queue_flush_point )
-		QueueEventFast(event_queue_flush_point, val_list{});
+		Enqueue(event_queue_flush_point, zeek::Args{});

 	SegmentProfiler prof(segment_logger, "draining-events");

@ -176,7 +186,6 @@ void EventMgr::Drain()
 			Event* next = current->NextEvent();

 			current_src = current->Source();
-			current_mgr = current->Mgr();
 			current_aid = current->Analyzer();
 			current->Dispatch();
 			Unref(current);
--- a/src/Event.h
+++ b/src/Event.h
@ -6,29 +6,27 @@
 #include "analyzer/Analyzer.h"
 #include "iosource/IOSource.h"
 #include "Flare.h"
+#include "ZeekArgs.h"
+#include "IntrusivePtr.h"
+
+#include <tuple>
+#include <type_traits>

 class EventMgr;

-// We don't Unref() the individual arguments by using delete_vals()
-// in a dtor because Func::Call already does that.
 class Event : public BroObj {
 public:
-	Event(EventHandlerPtr handler, val_list args,
+	Event(EventHandlerPtr handler, zeek::Args args,
 	      SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-		TimerMgr* mgr = 0, BroObj* obj = 0);
-
-	Event(EventHandlerPtr handler, val_list* args,
-		SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-		TimerMgr* mgr = 0, BroObj* obj = 0);
+	      BroObj* obj = nullptr);

 	void SetNext(Event* n)		{ next_event = n; }
 	Event* NextEvent() const	{ return next_event; }

 	SourceID Source() const		{ return src; }
 	analyzer::ID Analyzer() const	{ return aid; }
-	TimerMgr* Mgr() const		{ return mgr; }
 	EventHandlerPtr Handler() const	{ return handler; }
-	const val_list* Args() const	{ return &args; }
+	const zeek::Args& Args() const	{ return args; }

 	void Describe(ODesc* d) const override;

@ -40,10 +38,9 @@ protected:
 	void Dispatch(bool no_remote = false);

 	EventHandlerPtr handler;
-	val_list args;
+	zeek::Args args;
 	SourceID src;
 	analyzer::ID aid;
-	TimerMgr* mgr;
 	BroObj* obj;
 	Event* next_event;
 };
@ -64,12 +61,10 @@ public:
 	// against the case where there's no handlers (one usually also does that
 	// because it would be a waste of effort to construct all the event
 	// arguments when there's no handlers to consume them).
+	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEventFast(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-			TimerMgr* mgr = 0, BroObj* obj = 0)
-		{
-		QueueEvent(new Event(h, std::move(vl), src, aid, mgr, obj));
-		}
+			TimerMgr* mgr = 0, BroObj* obj = 0);

 	// Queues an event if there's an event handler (or remote consumer).  This
 	// function always takes ownership of decrementing the reference count of
@ -77,6 +72,7 @@ public:
 	// checked for event handler existence, you may wish to call
 	// QueueEventFast() instead of this function to prevent the redundant
 	// existence check.
+	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEvent(const EventHandlerPtr &h, val_list vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
 			TimerMgr* mgr = 0, BroObj* obj = 0);
@ -85,13 +81,36 @@ public:
 	// pointer instead of by value.  This function takes ownership of the
 	// memory pointed to by 'vl' as well as decrementing the reference count of
 	// each of its elements.
+	[[deprecated("Remove in v4.1.  Use Enqueue() instead.")]]
 	void QueueEvent(const EventHandlerPtr &h, val_list* vl,
 			SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
-			TimerMgr* mgr = 0, BroObj* obj = 0)
-		{
-		QueueEvent(h, std::move(*vl), src, aid, mgr, obj);
-		delete vl;
-		}
+			TimerMgr* mgr = 0, BroObj* obj = 0);
+
+	/**
+	 * Adds an event to the queue.  If no handler is found for the event
+	 * when later going to call it, nothing happens except for having
+	 * wasted a bit of time/resources, so callers may want to first check
+	 * if any handler/consumer exists before enqueuing an event.
+	 * @param h  reference to the event handler to later call.
+	 * @param vl  the argument list to the event handler call.
+	 * @param src  indicates the origin of the event (local versus remote).
+	 * @param aid  identifies the protocol analyzer generating the event.
+	 * @param obj  an arbitrary object to use as a "cookie" or just hold a
+	 * reference to until dispatching the event.
+	 */
+	void Enqueue(const EventHandlerPtr& h, zeek::Args vl,
+	             SourceID src = SOURCE_LOCAL, analyzer::ID aid = 0,
+	             BroObj* obj = nullptr);
+
+	/**
+	 * A version of Enqueue() taking a variable number of arguments.
+	 */
+	template <class... Args>
+	std::enable_if_t<
+	  std::is_convertible_v<
+	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
+	Enqueue(const EventHandlerPtr& h, Args&&... args)
+		{ return Enqueue(h, zeek::Args{std::forward<Args>(args)...}); }

 	void Dispatch(Event* event, bool no_remote = false);

@ -107,9 +126,6 @@ public:
 	// non-analyzer event.
 	analyzer::ID CurrentAnalyzer() const	{ return current_aid; }

-	// Returns the timer mgr associated with the last raised event.
-	TimerMgr* CurrentTimerMgr() const	{ return current_mgr; }
-
 	int Size() const
 		{ return num_events_queued - num_events_dispatched; }

@ -127,7 +143,6 @@ protected:
 	Event* tail;
 	SourceID current_src;
 	analyzer::ID current_aid;
-	TimerMgr* current_mgr;
 	RecordVal* src_val;
 	bool draining;
 	bro::Flare queue_flare;
--- a/src/EventHandler.cc
+++ b/src/EventHandler.cc
@ -60,7 +60,7 @@ void EventHandler::SetLocalHandler(Func* f)
 	local = f;
 	}

-void EventHandler::Call(val_list* vl, bool no_remote)
+void EventHandler::Call(const zeek::Args& vl, bool no_remote)
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Event: %s\n", Name());
@ -75,12 +75,12 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 			{
 			// Send event in form [name, xs...] where xs represent the arguments.
 			broker::vector xs;
-			xs.reserve(vl->length());
+			xs.reserve(vl.size());
 			bool valid_args = true;

-			for ( auto i = 0; i < vl->length(); ++i )
+			for ( auto i = 0u; i < vl.size(); ++i )
 				{
-				auto opt_data = bro_broker::val_to_data((*vl)[i]);
+				auto opt_data = bro_broker::val_to_data(vl[i].get());

 				if ( opt_data )
 					xs.emplace_back(move(*opt_data));
@ -115,14 +115,9 @@ void EventHandler::Call(val_list* vl, bool no_remote)
 	if ( local )
 		// No try/catch here; we pass exceptions upstream.
 		local->Call(vl);
-	else
-		{
-		for ( auto v : *vl )
-			Unref(v);
-		}
 	}

-void EventHandler::NewEvent(val_list* vl)
+void EventHandler::NewEvent(const zeek::Args& vl)
 	{
 	if ( ! new_event )
 		return;
@ -132,7 +127,7 @@ void EventHandler::NewEvent(val_list* vl)
 		return;

 	RecordType* args = FType()->Args();
-	VectorVal* vargs = new VectorVal(call_argument_vector);
+	auto vargs = make_intrusive<VectorVal>(call_argument_vector);

 	for ( int i = 0; i < args->NumFields(); i++ )
 		{
@ -151,19 +146,15 @@ void EventHandler::NewEvent(val_list* vl)
 		if ( fdefault )
 			rec->Assign(2, std::move(fdefault));

-		if ( i < vl->length() && (*vl)[i] )
-			{
-			Val* val = (*vl)[i];
-			Ref(val);
-			rec->Assign(3, val);
-			}
+		if ( i < static_cast<int>(vl.size()) && vl[i] )
+			rec->Assign(3, vl[i]);

 		vargs->Assign(i, std::move(rec));
 		}

 	Event* ev = new Event(new_event, {
-		new StringVal(name),
-		vargs,
+		make_intrusive<StringVal>(name),
+		std::move(vargs),
 	});
 	mgr.Dispatch(ev);
 	}
--- a/src/EventHandler.h
+++ b/src/EventHandler.h
@ -3,6 +3,7 @@
 #pragma once

 #include "BroList.h"
+#include "ZeekArgs.h"

 #include <unordered_set>
 #include <string>
@ -31,7 +32,7 @@ public:
 		auto_publish.erase(topic);
 		}

-	void Call(val_list* vl, bool no_remote = false);
+	void Call(const zeek::Args& vl, bool no_remote = false);

 	// Returns true if there is at least one local or remote handler.
 	explicit operator  bool() const;
@ -52,7 +53,7 @@ public:
 	bool GenerateAlways()	{ return generate_always; }

 private:
-	void NewEvent(val_list* vl);	// Raise new_event() meta event.
+	void NewEvent(const zeek::Args& vl);	// Raise new_event() meta event.

 	const char* name;
 	Func* local;
--- a/src/Expr.cc
+++ b/src/Expr.cc
@ -3884,12 +3884,11 @@ IntrusivePtr<Val> FlattenExpr::Fold(Val* v) const
 	return l;
 	}

-ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, val_list* arg_args,
-                             double t, TimerMgr* arg_tmgr)
+ScheduleTimer::ScheduleTimer(EventHandlerPtr arg_event, zeek::Args arg_args,
+                             double t)
 	: Timer(t, TIMER_SCHEDULE),
-	  event(arg_event), args(std::move(*arg_args)), tmgr(arg_tmgr)
+	  event(arg_event), args(std::move(arg_args))
 	{
-	delete arg_args;
 	}

 ScheduleTimer::~ScheduleTimer()
@ -3898,7 +3897,8 @@ ScheduleTimer::~ScheduleTimer()

 void ScheduleTimer::Dispatch(double /* t */, int /* is_expire */)
 	{
-	mgr.QueueEvent(event, std::move(args), SOURCE_LOCAL, 0, tmgr);
+	if ( event )
+		mgr.Enqueue(event, std::move(args));
 	}

 ScheduleExpr::ScheduleExpr(IntrusivePtr<Expr> arg_when,
@ -3937,17 +3937,10 @@ IntrusivePtr<Val> ScheduleExpr::Eval(Frame* f) const
 	if ( when->Type()->Tag() == TYPE_INTERVAL )
 		dt += network_time;

-	val_list* args = eval_list(f, event->Args());
+	auto args = eval_list(f, event->Args());

 	if ( args )
-		{
-		TimerMgr* tmgr = mgr.CurrentTimerMgr();
-
-		if ( ! tmgr )
-			tmgr = timer_mgr;
-
-		tmgr->Add(new ScheduleTimer(event->Handler(), args, dt, tmgr));
-		}
+		timer_mgr->Add(new ScheduleTimer(event->Handler(), std::move(*args), dt));

 	return nullptr;
 	}
@ -4236,7 +4229,7 @@ IntrusivePtr<Val> CallExpr::Eval(Frame* f) const

 	IntrusivePtr<Val> ret;
 	auto func_val = func->Eval(f);
-	val_list* v = eval_list(f, args.get());
+	auto v = eval_list(f, args.get());

 	if ( func_val && v )
 		{
@ -4246,16 +4239,11 @@ IntrusivePtr<Val> CallExpr::Eval(Frame* f) const
 		if ( f )
 			f->SetCall(this);

-		ret = func->Call(v, f);
+		ret = func->Call(*v, f);

 		if ( f )
 			f->SetCall(current_call);
-
-		// Don't Unref() the arguments, as Func::Call already did that.
-		delete v;
 		}
-	else
-		delete_vals(v);

 	return ret;
 	}
@ -4448,9 +4436,10 @@ IntrusivePtr<Val> EventExpr::Eval(Frame* f) const
 	if ( IsError() )
 		return nullptr;

-	val_list* v = eval_list(f, args.get());
-	mgr.QueueEvent(handler, std::move(*v));
-	delete v;
+	auto v = eval_list(f, args.get());
+
+	if ( handler )
+		mgr.Enqueue(handler, std::move(*v));

 	return nullptr;
 	}
@ -5176,36 +5165,23 @@ int check_and_promote_exprs_to_type(ListExpr* const elements, BroType* type)
 	return 1;
 	}

-val_list* eval_list(Frame* f, const ListExpr* l)
+std::optional<std::vector<IntrusivePtr<Val>>> eval_list(Frame* f, const ListExpr* l)
 	{
 	const expr_list& e = l->Exprs();
-	val_list* v = new val_list(e.length());
-	bool success = true;
+	auto rval = std::make_optional<std::vector<IntrusivePtr<Val>>>();
+	rval->reserve(e.length());

 	for ( const auto& expr : e )
 		{
 		auto ev = expr->Eval(f);

 		if ( ! ev )
-			{
-			success = false;
-			break;
+			return {};
+
+		rval->emplace_back(std::move(ev));
 		}

-		v->push_back(ev.release());
-		}
-
-	if ( ! success )
-		{
-		for ( const auto& val : *v )
-			Unref(val);
-
-		delete v;
-		return nullptr;
-		}
-
-	else
-		return v;
+	return rval;
 	}

 bool expr_greater(const Expr* e1, const Expr* e2)
--- a/src/Expr.h
+++ b/src/Expr.h
@ -9,10 +9,13 @@
 #include "EventHandler.h"
 #include "TraverseTypes.h"
 #include "Val.h"
+#include "ZeekArgs.h"

 #include <memory>
 #include <string>
+#include <vector>
 #include <utility>
+#include <optional>

 using std::string;

@ -737,16 +740,14 @@ protected:

 class ScheduleTimer : public Timer {
 public:
-	ScheduleTimer(EventHandlerPtr event, val_list* args, double t,
-			TimerMgr* tmgr);
+	ScheduleTimer(EventHandlerPtr event, zeek::Args args, double t);
 	~ScheduleTimer() override;

 	void Dispatch(double t, int is_expire) override;

 protected:
 	EventHandlerPtr event;
-	val_list args;
-	TimerMgr* tmgr;
+	zeek::Args args;
 };

 class ScheduleExpr : public Expr {
@ -936,9 +937,9 @@ extern int check_and_promote_exprs(ListExpr* elements, TypeList* types);
 extern int check_and_promote_args(ListExpr* args, RecordType* types);
 extern int check_and_promote_exprs_to_type(ListExpr* elements, BroType* type);

-// Returns a ListExpr simplified down to a list a values, or a nil
-// pointer if they couldn't all be reduced.
-val_list* eval_list(Frame* f, const ListExpr* l);
+// Returns a ListExpr simplified down to a list a values, or nil
+// if they couldn't all be reduced.
+std::optional<std::vector<IntrusivePtr<Val>>> eval_list(Frame* f, const ListExpr* l);

 // Returns true if e1 is "greater" than e2 - here "greater" is just
 // a heuristic, used with commutative operators to put them into
--- a/src/File.cc
+++ b/src/File.cc
@ -325,7 +325,7 @@ void BroFile::RaiseOpenEvent()
 		return;

 	Ref(this);
-	Event* event = new ::Event(::file_opened, {new Val(this)});
+	Event* event = new ::Event(::file_opened, {make_intrusive<Val>(this)});
 	mgr.Dispatch(event, true);
 	}

--- a/src/Frame.cc
+++ b/src/Frame.cc
@ -14,7 +14,7 @@

 vector<Frame*> g_frame_stack;

-Frame::Frame(int arg_size, const BroFunc* func, const val_list* fn_args)
+Frame::Frame(int arg_size, const BroFunc* func, const zeek::Args* fn_args)
 	{
 	size = arg_size;
 	frame = new Val*[size];
--- a/src/Frame.h
+++ b/src/Frame.h
@ -5,6 +5,7 @@
 #include "BroList.h" // for typedef val_list
 #include "Obj.h"
 #include "IntrusivePtr.h"
+#include "ZeekArgs.h"

 #include <unordered_map>
 #include <string>
@ -28,7 +29,7 @@ public:
 	 * @param func the function that is creating this frame
 	 * @param fn_args the arguments being passed to that function.
 	 */
-	Frame(int size, const BroFunc* func, const val_list *fn_args);
+	Frame(int size, const BroFunc* func, const zeek::Args* fn_args);

 	/**
 	 * Deletes the frame. Unrefs its trigger, the values that it
@ -100,7 +101,7 @@ public:
 	 * @return the arguments passed to the function that this frame
 	 * is associated with.
 	 */
-	const val_list* GetFuncArgs() const	{ return func_args; }
+	const zeek::Args* GetFuncArgs() const	{ return func_args; }

 	/**
 	 * Change the function that the frame is associated with.
@ -283,7 +284,7 @@ private:
 	/** The function this frame is associated with. */
 	const BroFunc* function;
 	/** The arguments to the function that this Frame is associated with. */
-	const val_list* func_args;
+	const zeek::Args* func_args;

 	/** The next statement to be evaluted in the context of this frame. */
 	Stmt* next_stmt;
--- a/src/Func.cc
+++ b/src/Func.cc
@ -79,9 +79,7 @@ std::string render_call_stack()
 		auto name = ci.func->Name();
 		std::string arg_desc;

-		if ( ci.args )
-			{
-			for ( const auto& arg : *ci.args )
+		for ( const auto& arg : ci.args )
 			{
 			ODesc d;
 			d.SetShort();
@ -92,7 +90,6 @@ std::string render_call_stack()

 			arg_desc += d.Description();
 			}
-			}

 		rval += fmt("#%d %s(%s)", lvl, name, arg_desc.data());

@ -143,23 +140,24 @@ IntrusivePtr<Func> Func::DoClone()
 	return {NewRef{}, this};
 	}

-void Func::DescribeDebug(ODesc* d, const val_list* args) const
+void Func::DescribeDebug(ODesc* d, const zeek::Args* args) const
 	{
 	d->Add(Name());

-	RecordType* func_args = FType()->Args();
-
 	if ( args )
 		{
 		d->Add("(");
+		RecordType* func_args = FType()->Args();
+		auto num_fields = static_cast<size_t>(func_args->NumFields());

-		for ( int i = 0; i < args->length(); ++i )
+		for ( auto i = 0u; i < args->size(); ++i )
 			{
 			// Handle varargs case (more args than formals).
-			if ( i >= func_args->NumFields() )
+			if ( i >= num_fields )
 				{
 				d->Add("vararg");
-				d->Add(i - func_args->NumFields());
+				int va_num = i - num_fields;
+				d->Add(va_num);
 				}
 			else
 				d->Add(func_args->FieldName(i));
@ -167,7 +165,7 @@ void Func::DescribeDebug(ODesc* d, const val_list* args) const
 			d->Add(" = '");
 			(*args)[i]->Describe(d);

-			if ( i < args->length() - 1 )
+			if ( i < args->size() - 1 )
 				d->Add("', ");
 			else
 				d->Add("'");
@ -217,7 +215,7 @@ void Func::CopyStateInto(Func* other) const
 	other->unique_id = unique_id;
 	}

-std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_result, val_list* args, function_flavor flavor) const
+std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_result, function_flavor flavor) const
 	{
 	// Helper function factoring out this code from BroFunc:Call() for
 	// better readability.
@ -265,9 +263,6 @@ std::pair<bool, Val*> Func::HandlePluginResult(std::pair<bool, Val*> plugin_resu
 		}
 	}

-	for ( const auto& arg : *args )
-		Unref(arg);
-
 	return plugin_result;
 	}

@ -300,7 +295,12 @@ int BroFunc::IsPure() const
 		[](const Body& b) { return b.stmts->IsPure(); });
 	}

-IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
+IntrusivePtr<Val> Func::Call(val_list* args, Frame* parent) const
+	{
+	return Call(zeek::val_list_to_args(*args), parent);
+	}
+
+IntrusivePtr<Val> BroFunc::Call(const zeek::Args& args, Frame* parent) const
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", Name());
@ -312,7 +312,7 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const

 	std::pair<bool, Val*> plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), empty_hook_result);

-	plugin_result = HandlePluginResult(plugin_result, args, Flavor());
+	plugin_result = HandlePluginResult(plugin_result,  Flavor());

 	if( plugin_result.first )
 		return {AdoptRef{}, plugin_result.second};
@ -321,13 +321,10 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 		{
 		// Can only happen for events and hooks.
 		assert(Flavor() == FUNC_FLAVOR_EVENT || Flavor() == FUNC_FLAVOR_HOOK);
-		for ( const auto& arg : *args )
-			Unref(arg);
-
 		return Flavor() == FUNC_FLAVOR_HOOK ? IntrusivePtr{AdoptRef{}, val_mgr->GetTrue()} : nullptr;
 		}

-	auto f = make_intrusive<Frame>(frame_size, this, args);
+	auto f = make_intrusive<Frame>(frame_size, this, &args);

 	if ( closure )
 		f->CaptureClosure(closure, outer_ids);
@ -346,7 +343,7 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 	if ( g_trace_state.DoTrace() )
 		{
 		ODesc d;
-		DescribeDebug(&d, args);
+		DescribeDebug(&d, &args);

 		g_trace_state.LogTrace("%s called: %s\n",
 			FType()->FlavorString().c_str(), d.Description());
@ -362,19 +359,16 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const
 				body.stmts->GetLocationInfo());

 		// Fill in the rest of the frame with the function's arguments.
-		loop_over_list(*args, j)
+		for ( auto j = 0u; j < args.size(); ++j )
 			{
-			Val* arg = (*args)[j];
+			Val* arg = args[j].get();

 			if ( f->NthElement(j) != arg )
-				{
 				// Either not yet set, or somebody reassigned the frame slot.
-				Ref(arg);
-				f->SetElement(j, arg);
-				}
+				f->SetElement(j, arg->Ref());
 			}

-		f->Reset(args->length());
+		f->Reset(args.size());

 		try
 			{
@ -421,11 +415,6 @@ IntrusivePtr<Val> BroFunc::Call(val_list* args, Frame* parent) const

 	call_stack.pop_back();

-	// We have an extra Ref for each argument (so that they don't get
-	// deleted between bodies), release that.
-	for ( const auto& arg : *args )
-		Unref(arg);
-
 	if ( Flavor() == FUNC_FLAVOR_HOOK )
 		{
 		if ( ! result )
@ -612,7 +601,7 @@ int BuiltinFunc::IsPure() const
 	return is_pure;
 	}

-IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const
+IntrusivePtr<Val> BuiltinFunc::Call(const zeek::Args& args, Frame* parent) const
 	{
 #ifdef PROFILE_BRO_FUNCTIONS
 	DEBUG_MSG("Function: %s\n", Name());
@ -624,7 +613,7 @@ IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const

 	std::pair<bool, Val*> plugin_result = PLUGIN_HOOK_WITH_RESULT(HOOK_CALL_FUNCTION, HookCallFunction(this, parent, args), empty_hook_result);

-	plugin_result = HandlePluginResult(plugin_result, args, FUNC_FLAVOR_FUNCTION);
+	plugin_result = HandlePluginResult(plugin_result, FUNC_FLAVOR_FUNCTION);

 	if ( plugin_result.first )
 		return {AdoptRef{}, plugin_result.second};
@ -632,20 +621,16 @@ IntrusivePtr<Val> BuiltinFunc::Call(val_list* args, Frame* parent) const
 	if ( g_trace_state.DoTrace() )
 		{
 		ODesc d;
-		DescribeDebug(&d, args);
+		DescribeDebug(&d, &args);

 		g_trace_state.LogTrace("\tBuiltin Function called: %s\n", d.Description());
 		}

 	const CallExpr* call_expr = parent ? parent->GetCall() : nullptr;
 	call_stack.emplace_back(CallInfo{call_expr, this, args});
-	IntrusivePtr<Val> result{AdoptRef{}, func(parent, args)};
+	IntrusivePtr<Val> result{AdoptRef{}, func(parent, &args)};
 	call_stack.pop_back();

-	for ( const auto& arg : *args )
-		Unref(arg);
-
-	// Don't Unref() args, that's the caller's responsibility.
 	if ( result && g_trace_state.DoTrace() )
 		{
 		ODesc d;
@ -663,6 +648,16 @@ void BuiltinFunc::Describe(ODesc* d) const
 	d->AddCount(is_pure);
 	}

+void builtin_error(const char* msg)
+	{
+	builtin_error(msg, IntrusivePtr<Val>{});
+	}
+
+void builtin_error(const char* msg, IntrusivePtr<Val> arg)
+	{
+	builtin_error(msg, arg.get());
+	}
+
 void builtin_error(const char* msg, BroObj* arg)
 	{
 	auto emit = [=](const CallExpr* ce)
--- a/src/Func.h
+++ b/src/Func.h
@ -7,11 +7,14 @@
 #include "IntrusivePtr.h"
 #include "Type.h" /* for function_flavor */
 #include "TraverseTypes.h"
+#include "ZeekArgs.h"

 #include <utility>
 #include <memory>
 #include <string>
 #include <vector>
+#include <tuple>
+#include <type_traits>

 #include <broker/data.hh>
 #include <broker/expected.hh>
@ -30,7 +33,6 @@ class Scope;

 class Func : public BroObj {
 public:
-
 	enum Kind { BRO_FUNC, BUILTIN_FUNC };

 	explicit Func(Kind arg_kind);
@ -50,7 +52,27 @@ public:
 	const vector<Body>& GetBodies() const	{ return bodies; }
 	bool HasBodies() const	{ return bodies.size(); }

-	virtual IntrusivePtr<Val> Call(val_list* args, Frame* parent = 0) const = 0;
+	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
+	virtual IntrusivePtr<Val> Call(val_list* args, Frame* parent = nullptr) const;
+
+	/**
+	 * Calls a Zeek function.
+	 * @param args  the list of arguments to the function call.
+	 * @param parent  the frame from which the function is being called.
+	 * @return  the return value of the function call.
+	 */
+	virtual IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent = nullptr) const = 0;
+
+	/**
+	 * A version of Call() taking a variable number of individual arguments.
+	 */
+	template <class... Args>
+	std::enable_if_t<
+	  std::is_convertible_v<std::tuple_element_t<0, std::tuple<Args...>>,
+	                        IntrusivePtr<Val>>,
+	  IntrusivePtr<Val>>
+	Call(Args&&... args) const
+		{ return Call(zeek::Args{std::forward<Args>(args)...}); }

 	// Add a new event handler to an existing function (event).
 	virtual void AddBody(IntrusivePtr<Stmt> new_body, id_list* new_inits,
@ -67,7 +89,7 @@ public:
 	void SetName(const char* arg_name)	{ name = arg_name; }

 	void Describe(ODesc* d) const override = 0;
-	virtual void DescribeDebug(ODesc* d, const val_list* args) const;
+	virtual void DescribeDebug(ODesc* d, const zeek::Args* args) const;

 	virtual IntrusivePtr<Func> DoClone();

@ -84,7 +106,7 @@ protected:
 	void CopyStateInto(Func* other) const;

 	// Helper function for handling result of plugin hook.
-	std::pair<bool, Val*> HandlePluginResult(std::pair<bool, Val*> plugin_result, val_list* args, function_flavor flavor) const;
+	std::pair<bool, Val*> HandlePluginResult(std::pair<bool, Val*> plugin_result, function_flavor flavor) const;

 	vector<Body> bodies;
 	IntrusivePtr<Scope> scope;
@ -102,7 +124,7 @@ public:
 	~BroFunc() override;

 	int IsPure() const override;
-	IntrusivePtr<Val> Call(val_list* args, Frame* parent) const override;
+	IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent) const override;

 	/**
 	 * Adds adds a closure to the function. Closures are cloned and
@ -169,7 +191,7 @@ private:
 	bool weak_closure_ref = false;
 };

-typedef Val* (*built_in_func)(Frame* frame, val_list* args);
+using built_in_func = Val* (*)(Frame* frame, const zeek::Args* args);

 class BuiltinFunc : public Func {
 public:
@ -177,7 +199,7 @@ public:
 	~BuiltinFunc() override;

 	int IsPure() const override;
-	IntrusivePtr<Val> Call(val_list* args, Frame* parent) const override;
+	IntrusivePtr<Val> Call(const zeek::Args& args, Frame* parent) const override;
 	built_in_func TheFunc() const	{ return func; }

 	void Describe(ODesc* d) const override;
@ -190,7 +212,9 @@ protected:
 };


-extern void builtin_error(const char* msg, BroObj* arg = 0);
+extern void builtin_error(const char* msg);
+extern void builtin_error(const char* msg, IntrusivePtr<Val>);
+extern void builtin_error(const char* msg, BroObj* arg);
 extern void init_builtin_funcs();
 extern void init_builtin_funcs_subdirs();

@ -199,7 +223,7 @@ extern bool check_built_in_call(BuiltinFunc* f, CallExpr* call);
 struct CallInfo {
 	const CallExpr* call;
 	const Func* func;
-	const val_list* args;
+	const zeek::Args& args;
 };

 // Struct that collects all the specifics defining a Func. Used for BroFuncs
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@ -221,26 +221,7 @@ MD5Val::~MD5Val()
 		EVP_MD_CTX_free(ctx);
 	}

-IntrusivePtr<Val> MD5Val::DoClone(CloneState* state)
-	{
-	auto out = make_intrusive<MD5Val>();
-
-	if ( IsValid() )
-		{
-		if ( ! out->Init() )
-			return nullptr;
-
-		EVP_MD_CTX_copy_ex(out->ctx, ctx);
-		}
-
-	return state->NewClone(this, std::move(out));
-	}
-
-void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
-	{
-	EVP_MD_CTX* h = hash_init(Hash_MD5);
-
-	for ( const auto& v : vlist )
+void HashVal::digest_one(EVP_MD_CTX* h, const Val* v)
 	{
 	if ( v->Type()->Tag() == TYPE_STRING )
 		{
@ -255,18 +236,24 @@ void MD5Val::digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH])
 		}
 	}

-	hash_final(h, result);
+void HashVal::digest_one(EVP_MD_CTX* h, const IntrusivePtr<Val>& v)
+	{
+	digest_one(h, v.get());
 	}

-void MD5Val::hmac(val_list& vlist,
-                  u_char key[MD5_DIGEST_LENGTH],
-                  u_char result[MD5_DIGEST_LENGTH])
+IntrusivePtr<Val> MD5Val::DoClone(CloneState* state)
 	{
-	digest(vlist, result);
-	for ( int i = 0; i < MD5_DIGEST_LENGTH; ++i )
-		result[i] ^= key[i];
+	auto out = make_intrusive<MD5Val>();

-	internal_md5(result, MD5_DIGEST_LENGTH, result);
+	if ( IsValid() )
+		{
+		if ( ! out->Init() )
+			return nullptr;
+
+		EVP_MD_CTX_copy_ex(out->ctx, ctx);
+		}
+
+	return state->NewClone(this, std::move(out));
 	}

 bool MD5Val::DoInit()
@ -389,28 +376,6 @@ IntrusivePtr<Val> SHA1Val::DoClone(CloneState* state)
 	return state->NewClone(this, std::move(out));
 	}

-void SHA1Val::digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH])
-	{
-	EVP_MD_CTX* h = hash_init(Hash_SHA1);
-
-	for ( const auto& v : vlist )
-		{
-		if ( v->Type()->Tag() == TYPE_STRING )
-			{
-			const BroString* str = v->AsString();
-			hash_update(h, str->Bytes(), str->Len());
-			}
-		else
-			{
-			ODesc d(DESC_BINARY);
-			v->Describe(&d);
-			hash_update(h, (const u_char *) d.Bytes(), d.Len());
-			}
-		}
-
-	hash_final(h, result);
-	}
-
 bool SHA1Val::DoInit()
 	{
 	assert(! IsValid());
@ -535,28 +500,6 @@ IntrusivePtr<Val> SHA256Val::DoClone(CloneState* state)
 	return state->NewClone(this, std::move(out));
 	}

-void SHA256Val::digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH])
-	{
-	EVP_MD_CTX* h = hash_init(Hash_SHA256);
-
-	for ( const auto& v : vlist )
-		{
-		if ( v->Type()->Tag() == TYPE_STRING )
-			{
-			const BroString* str = v->AsString();
-			hash_update(h, str->Bytes(), str->Len());
-			}
-		else
-			{
-			ODesc d(DESC_BINARY);
-			v->Describe(&d);
-			hash_update(h, (const u_char *) d.Bytes(), d.Len());
-			}
-		}
-
-	hash_final(h, result);
-	}
-
 bool SHA256Val::DoInit()
 	{
 	assert( ! IsValid() );
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@ -162,12 +162,26 @@ namespace probabilistic {

 class HashVal : public OpaqueVal {
 public:
+	template <class T>
+	static void digest_all(HashAlgorithm alg, const T& vlist, u_char* result)
+		{
+		auto h = hash_init(alg);
+
+		for ( const auto& v : vlist )
+			digest_one(h, v);
+
+		hash_final(h, result);
+		}
+
 	bool IsValid() const;
 	bool Init();
 	bool Feed(const void* data, size_t size);
 	IntrusivePtr<StringVal> Get();

 protected:
+	static void digest_one(EVP_MD_CTX* h, const Val* v);
+	static void digest_one(EVP_MD_CTX* h, const IntrusivePtr<Val>& v);
+
 	HashVal()	{ valid = false; }
 	explicit HashVal(OpaqueType* t);

@ -182,11 +196,22 @@ private:

 class MD5Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[MD5_DIGEST_LENGTH]);
+	template <class T>
+	static void digest(const T& vlist, u_char result[MD5_DIGEST_LENGTH])
+		{ digest_all(Hash_MD5, vlist, result); }

-	static void hmac(val_list& vlist,
+	template <class T>
+	static void hmac(const T& vlist,
 	                 u_char key[MD5_DIGEST_LENGTH],
-			 u_char result[MD5_DIGEST_LENGTH]);
+	                 u_char result[MD5_DIGEST_LENGTH])
+		{
+		digest(vlist, result);
+
+		for ( int i = 0; i < MD5_DIGEST_LENGTH; ++i )
+			result[i] ^= key[i];
+
+		internal_md5(result, MD5_DIGEST_LENGTH, result);
+		}

 	MD5Val();
 	~MD5Val();
@ -207,7 +232,9 @@ private:

 class SHA1Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[SHA_DIGEST_LENGTH]);
+	template <class T>
+	static void digest(const T& vlist, u_char result[SHA_DIGEST_LENGTH])
+		{ digest_all(Hash_SHA1, vlist, result); }

 	SHA1Val();
 	~SHA1Val();
@ -228,7 +255,9 @@ private:

 class SHA256Val : public HashVal {
 public:
-	static void digest(val_list& vlist, u_char result[SHA256_DIGEST_LENGTH]);
+	template <class T>
+	static void digest(const T& vlist, u_char result[SHA256_DIGEST_LENGTH])
+		{ digest_all(Hash_SHA256, vlist, result); }

 	SHA256Val();
 	~SHA256Val();
--- a/src/Reporter.cc
+++ b/src/Reporter.cc
@ -80,7 +80,6 @@ void Reporter::InitOptions()
 		auto index = wl_val->RecoverIndex(k);
 		string key = index->Index(0)->AsString()->CheckString();
 		weird_sampling_whitelist.emplace(move(key));
-		Unref(index);
 		delete k;
 		}
 	}
@ -481,26 +480,28 @@ void Reporter::DoLog(const char* prefix, EventHandlerPtr event, FILE* out,
 		auto vl_size = 1 + (bool)time + (bool)location + (bool)conn +
 		               (addl ? addl->length() : 0);

-		val_list vl(vl_size);
+		zeek::Args vl;
+		vl.reserve(vl_size);

 		if ( time )
-			vl.push_back(new Val(network_time ? network_time : current_time(), TYPE_TIME));
+			vl.emplace_back(make_intrusive<Val>(network_time ? network_time : current_time(), TYPE_TIME));

-		vl.push_back(new StringVal(buffer));
+		vl.emplace_back(make_intrusive<StringVal>(buffer));

 		if ( location )
-			vl.push_back(new StringVal(loc_str.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(loc_str.c_str()));

 		if ( conn )
-			vl.push_back(conn->BuildConnVal());
+			vl.emplace_back(AdoptRef{}, conn->BuildConnVal());

 		if ( addl )
-			std::copy(addl->begin(), addl->end(), std::back_inserter(vl));
+			for ( auto v : *addl )
+				vl.emplace_back(AdoptRef{}, v);

 		if ( conn )
-			conn->ConnectionEventFast(event, 0, std::move(vl));
+			conn->EnqueueEvent(event, nullptr, std::move(vl));
 		else
-			mgr.QueueEventFast(event, std::move(vl));
+			mgr.Enqueue(event, std::move(vl));
 		}
 	else
 		{
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@ -21,13 +21,11 @@ void RuleActionEvent::DoAction(const Rule* parent, RuleEndpointState* state,
 				const u_char* data, int len)
 	{
 	if ( signature_match )
-		{
-		mgr.QueueEventFast(signature_match, {
-			rule_matcher->BuildRuleStateValue(parent, state),
-			new StringVal(msg),
-			data ? new StringVal(len, (const char*)data) : val_mgr->GetEmptyString(),
-		});
-		}
+		mgr.Enqueue(signature_match,
+			IntrusivePtr{AdoptRef{}, rule_matcher->BuildRuleStateValue(parent, state)},
+			make_intrusive<StringVal>(msg),
+			data ? make_intrusive<StringVal>(len, (const char*)data) : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()}
+		);
 	}

 void RuleActionEvent::PrintDebug()
--- a/src/RuleCondition.cc
+++ b/src/RuleCondition.cc
@ -167,19 +167,20 @@ bool RuleConditionEval::DoMatch(Rule* rule, RuleEndpointState* state,
 		return id->ID_Val()->AsBool();

 	// Call function with a signature_state value as argument.
-	val_list args(2);
-	args.push_back(rule_matcher->BuildRuleStateValue(rule, state));
+	zeek::Args args;
+	args.reserve(2);
+	args.emplace_back(AdoptRef{}, rule_matcher->BuildRuleStateValue(rule, state));

 	if ( data )
-		args.push_back(new StringVal(len, (const char*) data));
+		args.emplace_back(make_intrusive<StringVal>(len, (const char*) data));
 	else
-		args.push_back(val_mgr->GetEmptyString());
+		args.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());

 	bool result = false;

 	try
 		{
-		auto val = id->ID_Val()->AsFunc()->Call(&args);
+		auto val = id->ID_Val()->AsFunc()->Call(args);
 		result = val && val->AsBool();
 		}

--- a/src/Sessions.cc
+++ b/src/Sessions.cc
@ -123,7 +123,7 @@ void NetSessions::NextPacket(double t, const Packet* pkt)
 	SegmentProfiler prof(segment_logger, "dispatching-packet");

 	if ( raw_packet )
-		mgr.QueueEventFast(raw_packet, {pkt->BuildPktHdrVal()});
+		mgr.Enqueue(raw_packet, IntrusivePtr{AdoptRef{}, pkt->BuildPktHdrVal()});

 	if ( pkt_profiler )
 		pkt_profiler->ProfilePkt(t, pkt->cap_len);
@ -310,7 +310,7 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 		{
 		dump_this_packet = 1;
 		if ( esp_packet )
-			mgr.QueueEventFast(esp_packet, {ip_hdr->BuildPktHdrVal()});
+			mgr.Enqueue(esp_packet, IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});

 		// Can't do more since upper-layer payloads are going to be encrypted.
 		return;
@ -330,7 +330,8 @@ void NetSessions::DoNextPacket(double t, const Packet* pkt, const IP_Hdr* ip_hdr
 			}

 		if ( mobile_ipv6_message )
-			mgr.QueueEvent(mobile_ipv6_message, {ip_hdr->BuildPktHdrVal()});
+			mgr.Enqueue(mobile_ipv6_message,
+			            IntrusivePtr{AdoptRef{}, ip_hdr->BuildPktHdrVal()});

 		if ( ip_hdr->NextProto() != IPPROTO_NONE )
 			Weird("mobility_piggyback", pkt, encapsulation);
--- a/src/Stats.cc
+++ b/src/Stats.cc
@ -314,8 +314,8 @@ void ProfileLogger::Log()
 		{
 		Ref(file);
 		mgr.Dispatch(new Event(profiling_update, {
-			new Val(file),
-			val_mgr->GetBool(expensive),
+			make_intrusive<Val>(file),
+			{AdoptRef{}, val_mgr->GetBool(expensive)},
 		}));
 		}
 	}
@ -372,11 +372,11 @@ void SampleLogger::SegmentProfile(const char* /* name */,
 					double dtime, int dmem)
 	{
 	if ( load_sample )
-		mgr.QueueEventFast(load_sample, {
-			load_samples->Ref(),
-			new IntervalVal(dtime, Seconds),
-			val_mgr->GetInt(dmem)
-		});
+		mgr.Enqueue(load_sample,
+			IntrusivePtr{NewRef{}, load_samples},
+			make_intrusive<IntervalVal>(dtime, Seconds),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetInt(dmem)}
+		);
 	}

 void SegmentProfiler::Init()
--- a/src/Stmt.cc
+++ b/src/Stmt.cc
@ -151,14 +151,11 @@ IntrusivePtr<Val> ExprListStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	last_access = network_time;
 	flow = FLOW_NEXT;

-	val_list* vals = eval_list(f, l.get());
+	auto vals = eval_list(f, l.get());
+
 	if ( vals )
-		{
-		auto result = DoExec(vals, flow);
-		delete_vals(vals);
-		return result;
-		}
-	else
+		return DoExec(std::move(*vals), flow);
+
 	return nullptr;
 	}

@ -169,11 +166,6 @@ void ExprListStmt::Describe(ODesc* d) const
 	DescribeDone(d);
 	}

-void ExprListStmt::PrintVals(ODesc* d, val_list* vals, int offset) const
-	{
-	describe_vals(vals, d, offset);
-	}
-
 TraversalCode ExprListStmt::Traverse(TraversalCallback* cb) const
 	{
 	TraversalCode tc = cb->PreStmt(this);
@ -206,13 +198,13 @@ static IntrusivePtr<EnumVal> lookup_enum_val(const char* module_name, const char
 	return et->GetVal(index);
 	}

-static void print_log(val_list* vals)
+static void print_log(const std::vector<IntrusivePtr<Val>>& vals)
 	{
 	auto plval = lookup_enum_val("Log", "PRINTLOG");
 	auto record = make_intrusive<RecordVal>(internal_type("Log::PrintLogInfo")->AsRecordType());
 	auto vec = make_intrusive<VectorVal>(internal_type("string_vec")->AsVectorType());

-	for ( const auto& val : *vals )
+	for ( const auto& val : vals )
 		{
 		ODesc d(DESC_READABLE);
 		val->Describe(&d);
@ -224,7 +216,8 @@ static void print_log(val_list* vals)
 	log_mgr->Write(plval.get(), record.get());
 	}

-IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */) const
+IntrusivePtr<Val> PrintStmt::DoExec(std::vector<IntrusivePtr<Val>> vals,
+                                    stmt_flow_type& /* flow */) const
 	{
 	RegisterAccess();

@ -234,9 +227,9 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 	BroFile* f = print_stdout;
 	int offset = 0;

-	if ( vals->length() > 0 && (*vals)[0]->Type()->Tag() == TYPE_FILE )
+	if ( vals.size() > 0 && (vals)[0]->Type()->Tag() == TYPE_FILE )
 		{
-		f = (*vals)[0]->AsFile();
+		f = (vals)[0]->AsFile();
 		if ( ! f->IsOpen() )
 			return nullptr;

@ -277,7 +270,7 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 		d.SetFlush(0);
 		d.SetStyle(style);

-		PrintVals(&d, vals, offset);
+		describe_vals(vals, &d, offset);
 		f->Write(d.Description(), d.Len());
 		}
 	else
@ -286,7 +279,7 @@ IntrusivePtr<Val> PrintStmt::DoExec(val_list* vals, stmt_flow_type& /* flow */)
 		d.SetFlush(0);
 		d.SetStyle(style);

-		PrintVals(&d, vals, offset);
+		describe_vals(vals, &d, offset);
 		f->Write("\n", 1);
 		}

@ -966,13 +959,11 @@ EventStmt::EventStmt(IntrusivePtr<EventExpr> arg_e)
 IntrusivePtr<Val> EventStmt::Exec(Frame* f, stmt_flow_type& flow) const
 	{
 	RegisterAccess();
-	val_list* args = eval_list(f, event_expr->Args());
+	auto args = eval_list(f, event_expr->Args());
+	auto h = event_expr->Handler();

-	if ( args )
-		{
-		mgr.QueueEvent(event_expr->Handler(), std::move(*args));
-		delete args;
-		}
+	if ( args && h )
+		mgr.Enqueue(h, std::move(*args));

 	flow = FLOW_NEXT;
 	return nullptr;
@ -1198,7 +1189,7 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const
 		IterCookie* c = loop_vals->InitForIteration();
 		while ( (current_tev = loop_vals->NextEntry(k, c)) )
 			{
-			ListVal* ind_lv = tv->RecoverIndex(k);
+			auto ind_lv = tv->RecoverIndex(k);
 			delete k;

 			if ( value_var )
@ -1206,10 +1197,18 @@ IntrusivePtr<Val> ForStmt::DoExec(Frame* f, Val* v, stmt_flow_type& flow) const

 			for ( int i = 0; i < ind_lv->Length(); i++ )
 				f->SetElement((*loop_vars)[i], ind_lv->Index(i)->Ref());
-			Unref(ind_lv);

 			flow = FLOW_NEXT;
+
+			try
+				{
 				ret = body->Exec(f, flow);
+				}
+			catch ( InterpreterException& )
+				{
+				loop_vals->StopIteration(c);
+				throw;
+				}

 			if ( flow == FLOW_BREAK || flow == FLOW_RETURN )
 				{
--- a/src/Stmt.h
+++ b/src/Stmt.h
@ -95,10 +95,10 @@ protected:
 	~ExprListStmt() override;

 	IntrusivePtr<Val> Exec(Frame* f, stmt_flow_type& flow) const override;
-	virtual IntrusivePtr<Val> DoExec(val_list* vals, stmt_flow_type& flow) const = 0;
+	virtual IntrusivePtr<Val> DoExec(std::vector<IntrusivePtr<Val>> vals,
+	                                 stmt_flow_type& flow) const = 0;

 	void Describe(ODesc* d) const override;
-	void PrintVals(ODesc* d, val_list* vals, int offset) const;

 	IntrusivePtr<ListExpr> l;
 };
@ -109,7 +109,8 @@ public:
 	explicit PrintStmt(L&& l) : ExprListStmt(STMT_PRINT, std::forward<L>(l)) { }

 protected:
-	IntrusivePtr<Val> DoExec(val_list* vals, stmt_flow_type& flow) const override;
+	IntrusivePtr<Val> DoExec(std::vector<IntrusivePtr<Val>> vals,
+	                         stmt_flow_type& flow) const override;
 };

 class ExprStmt : public Stmt {
--- a/src/Trigger.cc
+++ b/src/Trigger.cc
@ -321,9 +321,14 @@ bool Trigger::Eval()
 		delete [] pname;
 #endif

-		trigger->Cache(frame->GetCall(), v.get());
+		auto queued = trigger->Cache(frame->GetCall(), v.get());
 		trigger->Release();
 		frame->ClearTrigger();
+
+		if ( ! queued && trigger->TimeoutValue() < 0 )
+			// Usually the parent-trigger would get unref'd either by
+			// its Eval() or its eventual Timeout(), but has neither
+			Unref(trigger);
 		}

 	Unref(f);
@ -368,9 +373,14 @@ void Trigger::Timeout()
 			DBG_LOG(DBG_NOTIFIERS, "%s: trigger has parent %s, caching timeout result", Name(), pname);
 			delete [] pname;
 #endif
-			trigger->Cache(frame->GetCall(), v.get());
+			auto queued = trigger->Cache(frame->GetCall(), v.get());
 			trigger->Release();
 			frame->ClearTrigger();
+
+			if ( ! queued && trigger->TimeoutValue() < 0 )
+				// Usually the parent-trigger would get unref'd either by
+				// its Eval() or its eventual Timeout(), but has neither
+				Unref(trigger);
 			}
 		}

@ -429,10 +439,10 @@ void Trigger::Attach(Trigger *trigger)
 	Hold();
 	}

-void Trigger::Cache(const CallExpr* expr, Val* v)
+bool Trigger::Cache(const CallExpr* expr, Val* v)
 	{
 	if ( disabled || ! v )
-		return;
+		return false;

 	ValCache::iterator i = cache.find(expr);

@ -448,6 +458,7 @@ void Trigger::Cache(const CallExpr* expr, Val* v)
 	Ref(v);

 	trigger_mgr->Queue(this);
+	return true;
 	}


--- a/src/Trigger.h
+++ b/src/Trigger.h
@ -59,8 +59,10 @@ public:
 	// to the given trigger.  Note, automatically calls Hold().
 	void Attach(Trigger* trigger);

-	// Cache for return values of delayed function calls.
-	void Cache(const CallExpr* expr, Val* val);
+	// Cache for return values of delayed function calls.  Returns whether
+	// the trigger is queued for later evaluation -- it may not be queued
+	// if the Val is null or it's disabled.
+	bool Cache(const CallExpr* expr, Val* val);
 	Val* Lookup(const CallExpr*);

 	// Disable this trigger completely. Needed because Unref'ing the trigger
--- a/src/Val.cc
+++ b/src/Val.cc
@ -532,12 +532,7 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*
 				{
 				auto lv = tval->RecoverIndex(k);
 				delete k;
-
-				Val* entry_key;
-				if ( lv->Length() == 1 )
-					entry_key = lv->Index(0)->Ref();
-				else
-					entry_key = lv->Ref();
+				Val* entry_key = lv->Length() == 1 ? lv->Index(0) : lv.get();

 				if ( tval->Type()->IsSet() )
 					BuildJSON(writer, entry_key, only_loggable, re);
@ -556,9 +551,6 @@ static void BuildJSON(threading::formatter::JSON::NullDoubleWriter& writer, Val*

 					BuildJSON(writer, entry->Value(), only_loggable, re, key_str);
 					}
-
-				Unref(entry_key);
-				Unref(lv);
 				}

 			if ( tval->Type()->IsSet() )
@ -1537,9 +1529,8 @@ int TableVal::Assign(Val* index, HashKey* k, IntrusivePtr<Val> new_val)
 		{
 		if ( ! index )
 			{
-			Val* v = RecoverIndex(&k_copy);
-			subnets->Insert(v, new_entry_val);
-			Unref(v);
+			auto v = RecoverIndex(&k_copy);
+			subnets->Insert(v.get(), new_entry_val);
 			}
 		else
 			subnets->Insert(index, new_entry_val);
@ -1553,10 +1544,10 @@ int TableVal::Assign(Val* index, HashKey* k, IntrusivePtr<Val> new_val)

 	if ( change_func )
 		{
-		Val* change_index = index ? index->Ref() : RecoverIndex(&k_copy);
+		auto change_index = index ? IntrusivePtr<Val>{NewRef{}, index}
+		                          : RecoverIndex(&k_copy);
 		Val* v = old_entry_val ? old_entry_val->Value() : new_val.get();
-		CallChangeFunc(change_index, v, old_entry_val ? ELEMENT_CHANGED : ELEMENT_NEW);
-		Unref(change_index);
+		CallChangeFunc(change_index.get(), v, old_entry_val ? ELEMENT_CHANGED : ELEMENT_NEW);
 		}

 	delete old_entry_val;
@ -1844,25 +1835,24 @@ IntrusivePtr<Val> TableVal::Default(Val* index)
 		}

 	const Func* f = def_val->AsFunc();
-	val_list vl;
+	zeek::Args vl;

 	if ( index->Type()->Tag() == TYPE_LIST )
 		{
 		const val_list* vl0 = index->AsListVal()->Vals();
-		vl = val_list(vl0->length());
+		vl.reserve(vl0->length());
+
 		for ( const auto& v : *vl0 )
-			vl.push_back(v->Ref());
+			vl.emplace_back(NewRef{}, v);
 		}
 	else
-		{
-		vl = val_list{index->Ref()};
-		}
+		vl.emplace_back(NewRef{}, index);

 	IntrusivePtr<Val> result;

 	try
 		{
-		result = f->Call(&vl);
+		result = f->Call(vl);
 		}

 	catch ( InterpreterException& e )
@ -1991,9 +1981,9 @@ bool TableVal::UpdateTimestamp(Val* index)
 	return true;
 	}

-ListVal* TableVal::RecoverIndex(const HashKey* k) const
+IntrusivePtr<ListVal> TableVal::RecoverIndex(const HashKey* k) const
 	{
-	return table_hash->RecoverVals(k).release();
+	return table_hash->RecoverVals(k);
 	}

 void TableVal::CallChangeFunc(const Val* index, Val* old_value, OnChangeType tpe)
@ -2020,34 +2010,35 @@ void TableVal::CallChangeFunc(const Val* index, Val* old_value, OnChangeType tpe
 			}

 		const Func* f = thefunc->AsFunc();
-		val_list vl { Ref() };
-		IntrusivePtr<EnumVal> type;
+		const auto& index_list = *index->AsListVal()->Vals();
+
+		zeek::Args vl;
+		vl.reserve(2 + index_list.length() + table_type->IsTable());
+		vl.emplace_back(NewRef{}, this);

 		switch ( tpe )
 			{
 			case ELEMENT_NEW:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_NEW);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_NEW));
 				break;
 			case ELEMENT_CHANGED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_CHANGED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_CHANGED));
 				break;
 			case ELEMENT_REMOVED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_REMOVED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_REMOVED));
 				break;
 			case ELEMENT_EXPIRED:
-				type = BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_EXPIRED);
+				vl.emplace_back(BifType::Enum::TableChange->GetVal(BifEnum::TableChange::TABLE_ELEMENT_EXPIRED));
 			}

-		vl.append(type.release());
-
 		for ( const auto& v : *index->AsListVal()->Vals() )
-			vl.append(v->Ref());
+			vl.emplace_back(NewRef{}, v);

-		if ( ! table_type->IsSet() )
-			vl.append(old_value->Ref());
+		if ( table_type->IsTable() )
+			vl.emplace_back(NewRef{}, old_value);

 		in_change_func = true;
-		f->Call(&vl);
+		f->Call(vl);
 		}
 	catch ( InterpreterException& e )
 		{
@ -2344,11 +2335,12 @@ void TableVal::DoExpire(double t)

 		else if ( v->ExpireAccessTime() + timeout < t )
 			{
-			Val* idx = nullptr;
+			IntrusivePtr<ListVal> idx = nullptr;
+
 			if ( expire_func )
 				{
 				idx = RecoverIndex(k);
-				double secs = CallExpireFunc(idx->Ref());
+				double secs = CallExpireFunc(idx);

 				// It's possible that the user-provided
 				// function modified or deleted the table
@ -2359,7 +2351,6 @@ void TableVal::DoExpire(double t)
 				if ( ! v )
 					{ // user-provided function deleted it
 					v = v_saved;
-					Unref(idx);
 					delete k;
 					continue;
 					}
@ -2369,7 +2360,6 @@ void TableVal::DoExpire(double t)
 					// User doesn't want us to expire
 					// this now.
 					v->SetExpireAccess(network_time - timeout + secs);
-					Unref(idx);
 					delete k;
 					continue;
 					}
@ -2380,7 +2370,7 @@ void TableVal::DoExpire(double t)
 				{
 				if ( ! idx )
 					idx = RecoverIndex(k);
-				if ( ! subnets->Remove(idx) )
+				if ( ! subnets->Remove(idx.get()) )
 					reporter->InternalWarning("index not in prefix table");
 				}

@ -2389,9 +2379,9 @@ void TableVal::DoExpire(double t)
 				{
 				if ( ! idx )
 					idx = RecoverIndex(k);
-				CallChangeFunc(idx, v->Value(), ELEMENT_EXPIRED);
+				CallChangeFunc(idx.get(), v->Value(), ELEMENT_EXPIRED);
 				}
-			Unref(idx);
+
 			delete v;
 			modified = true;
 			}
@ -2439,13 +2429,10 @@ double TableVal::GetExpireTime()
 	return -1;
 	}

-double TableVal::CallExpireFunc(Val* idx)
+double TableVal::CallExpireFunc(IntrusivePtr<ListVal> idx)
 	{
 	if ( ! expire_func )
-		{
-		Unref(idx);
 		return 0;
-		}

 	double secs = 0;

@ -2454,54 +2441,46 @@ double TableVal::CallExpireFunc(Val* idx)
 		auto vf = expire_func->Eval(nullptr);

 		if ( ! vf )
-			{
 			// Will have been reported already.
-			Unref(idx);
 			return 0;
-			}

 		if ( vf->Type()->Tag() != TYPE_FUNC )
 			{
 			vf->Error("not a function");
-			Unref(idx);
 			return 0;
 			}

 		const Func* f = vf->AsFunc();
-		val_list vl { Ref() };
+		zeek::Args vl;

 		const auto func_args = f->FType()->ArgTypes()->Types();

 		// backwards compatibility with idx: any idiom
 		bool any_idiom = func_args->length() == 2 && func_args->back()->Tag() == TYPE_ANY;

-		if ( idx->Type()->Tag() == TYPE_LIST )
-			{
 		if ( ! any_idiom )
 			{
-				for ( const auto& v : *idx->AsListVal()->Vals() )
-					vl.append(v->Ref());
+			const auto& index_list = *idx->AsListVal()->Vals();
+			vl.reserve(1 + index_list.length());
+			vl.emplace_back(NewRef{}, this);

-				Unref(idx);
+			for ( const auto& v : index_list )
+				vl.emplace_back(NewRef{}, v);
 			}
 		else
 			{
+			vl.reserve(2);
+			vl.emplace_back(NewRef{}, this);
+
 			ListVal* idx_list = idx->AsListVal();
 			// Flatten if only one element
 			if ( idx_list->Length() == 1 )
-					{
-					Val* old = idx;
-					idx = idx_list->Index(0)->Ref();
-					Unref(old);
-					}
-
-				vl.append(idx);
-				}
-			}
+				vl.emplace_back(NewRef{}, idx_list->Index(0));
 			else
-			vl.append(idx);
+				vl.emplace_back(std::move(idx));
+			}

-		auto result = f->Call(&vl);
+		auto result = f->Call(vl);

 		if ( result )
 			secs = result->AsInterval();
@ -2531,9 +2510,8 @@ IntrusivePtr<Val> TableVal::DoClone(CloneState* state)

 		if ( subnets )
 			{
-			Val* idx = RecoverIndex(key);
-			tv->subnets->Insert(idx, nval);
-			Unref(idx);
+			auto idx = RecoverIndex(key);
+			tv->subnets->Insert(idx.get(), nval);
 			}

 		delete key;
@ -2622,7 +2600,7 @@ TableVal::ParseTimeTableState TableVal::DumpTableState()

 	while ( (val = tbl->NextEntry(key, cookie)) )
 		{
-		rval.emplace_back(IntrusivePtr<Val>{AdoptRef{}, RecoverIndex(key)},
+		rval.emplace_back(RecoverIndex(key),
 		                  IntrusivePtr<Val>{NewRef{}, val->Value()});

 		delete key;
@ -3321,6 +3299,24 @@ void describe_vals(const val_list* vals, ODesc* d, int offset)
 		}
 	}

+void describe_vals(const std::vector<IntrusivePtr<Val>>& vals,
+                   ODesc* d, size_t offset)
+	{
+	if ( ! d->IsReadable() )
+		{
+		d->Add(static_cast<uint64_t>(vals.size()));
+		d->SP();
+		}
+
+	for ( auto i = offset; i < vals.size(); ++i )
+		{
+		if ( i > offset && d->IsReadable() && d->Style() != RAW_STYLE )
+			d->Add(", ");
+
+		vals[i]->Describe(d);
+		}
+	}
+
 void delete_vals(val_list* vals)
 	{
 	if ( vals )
--- a/src/Val.h
+++ b/src/Val.h
@ -766,7 +766,7 @@ public:
 	bool UpdateTimestamp(Val* index);

 	// Returns the index corresponding to the given HashKey.
-	ListVal* RecoverIndex(const HashKey* k) const;
+	IntrusivePtr<ListVal> RecoverIndex(const HashKey* k) const;

 	// Returns the element if it was in the table, false otherwise.
 	IntrusivePtr<Val> Delete(const Val* index);
@ -851,8 +851,7 @@ protected:
 	double GetExpireTime();

 	// Calls &expire_func and returns its return interval;
-	// takes ownership of the reference.
-	double CallExpireFunc(Val *idx);
+	double CallExpireFunc(IntrusivePtr<ListVal> idx);

 	// Enum for the different kinds of changes an &on_change handler can see
 	enum OnChangeType { ELEMENT_NEW, ELEMENT_CHANGED, ELEMENT_REMOVED, ELEMENT_EXPIRED };
@ -1043,6 +1042,8 @@ extern int same_val(const Val* v1, const Val* v2);
 extern int same_atomic_val(const Val* v1, const Val* v2);
 extern bool is_atomic_val(const Val* v);
 extern void describe_vals(const val_list* vals, ODesc* d, int offset=0);
+extern void describe_vals(const std::vector<IntrusivePtr<Val>>& vals,
+                          ODesc* d, size_t offset = 0);
 extern void delete_vals(val_list* vals);

 // True if the given Val* has a vector type.
--- a/src/ZeekArgs.cc
+++ b/src/ZeekArgs.cc
@ -0,0 +1,15 @@
+#include "ZeekArgs.h"
+#include "IntrusivePtr.h"
+#include "Val.h"
+
+zeek::Args zeek::val_list_to_args(const val_list& vl)
+	{
+	zeek::Args rval;
+	rval.reserve(vl.length());
+
+	for ( auto& v : vl )
+		rval.emplace_back(AdoptRef{}, v);
+
+	return rval;
+	}
+
--- a/src/ZeekArgs.h
+++ b/src/ZeekArgs.h
@ -0,0 +1,26 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "BroList.h"
+
+#include <vector>
+
+class Val;
+template <class T> class IntrusivePtr;
+
+namespace zeek {
+
+using Args = std::vector<IntrusivePtr<Val>>;
+
+/**
+ * Converts a legacy-style argument list for use in modern Zeek function
+ * calling or event queueing APIs.
+ * @param vl  the argument list to convert, the returned value takes ownership
+ * of a reference to each element in the list
+ * @return  the converted argument list
+ *
+ */
+Args val_list_to_args(const val_list& vl);
+
+} // namespace zeek
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@ -688,13 +688,12 @@ void Analyzer::ProtocolConfirmation(Tag arg_tag)
 		return;

 	EnumVal* tval = arg_tag ? arg_tag.AsEnumVal() : tag.AsEnumVal();
-	Ref(tval);

-	mgr.QueueEventFast(protocol_confirmation, {
-		BuildConnVal(),
-		tval,
-		val_mgr->GetCount(id),
-	});
+	mgr.Enqueue(protocol_confirmation,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{NewRef{}, tval},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)}
+	);
 	}

 void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
@ -716,14 +715,13 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 		r = new StringVal(reason);

 	EnumVal* tval = tag.AsEnumVal();
-	Ref(tval);

-	mgr.QueueEventFast(protocol_violation, {
-		BuildConnVal(),
-		tval,
-		val_mgr->GetCount(id),
-		r,
-	});
+	mgr.Enqueue(protocol_violation,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{NewRef{}, tval},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(id)},
+		IntrusivePtr{AdoptRef{}, r}
+	);
 	}

 void Analyzer::AddTimer(analyzer_timer_func timer, double t,
@ -805,17 +803,29 @@ void Analyzer::Event(EventHandlerPtr f, Val* v1, Val* v2)

 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list* vl)
 	{
-	conn->ConnectionEvent(f, this, vl);
+	auto args = zeek::val_list_to_args(*vl);
+
+	if ( f )
+		conn->EnqueueEvent(f, this, std::move(args));
 	}

 void Analyzer::ConnectionEvent(EventHandlerPtr f, val_list vl)
 	{
-	conn->ConnectionEvent(f, this, std::move(vl));
+	auto args = zeek::val_list_to_args(vl);
+
+	if ( f )
+		conn->EnqueueEvent(f, this, std::move(args));
 	}

 void Analyzer::ConnectionEventFast(EventHandlerPtr f, val_list vl)
 	{
-	conn->ConnectionEventFast(f, this, std::move(vl));
+	auto args = zeek::val_list_to_args(vl);
+	conn->EnqueueEvent(f, this, std::move(args));
+	}
+
+void Analyzer::EnqueueConnEvent(EventHandlerPtr f, zeek::Args args)
+	{
+	conn->EnqueueEvent(f, this, std::move(args));
 	}

 void Analyzer::Weird(const char* name, const char* addl)
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@ -7,9 +7,12 @@
 #include "../Obj.h"
 #include "../EventHandler.h"
 #include "../Timer.h"
+#include "../IntrusivePtr.h"

 #include <list>
 #include <vector>
+#include <tuple>
+#include <type_traits>

 #include <sys/types.h> // for u_char

@ -567,20 +570,39 @@ public:
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list* vl);

 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEvent().
 	 */
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEvent(EventHandlerPtr f, val_list vl);

 	/**
 	 * Convenience function that forwards directly to
 	 * Connection::ConnectionEventFast().
 	 */
+	[[deprecated("Remove in v4.1.  Use EnqueueConnEvent() instead.")]]
 	void ConnectionEventFast(EventHandlerPtr f, val_list vl);

+	/**
+	 * Convenience function that forwards directly to
+	 * Connection::EnqueueEvent().
+	 */
+	void EnqueueConnEvent(EventHandlerPtr f, zeek::Args args);
+
+	/**
+	 * A version of EnqueueConnEvent() taking a variable number of arguments.
+	 */
+	template <class... Args>
+	std::enable_if_t<
+	  std::is_convertible_v<
+	    std::tuple_element_t<0, std::tuple<Args...>>, IntrusivePtr<Val>>>
+	EnqueueConnEvent(EventHandlerPtr h, Args&&... args)
+		{ return EnqueueConnEvent(h, zeek::Args{std::forward<Args>(args)...}); }
+
 	/**
 	 * Convenience function that forwards directly to the corresponding
 	 * Connection::Weird().
--- a/src/analyzer/protocol/arp/ARP.cc
+++ b/src/analyzer/protocol/arp/ARP.cc
@ -191,13 +191,13 @@ void ARP_Analyzer::BadARP(const struct arp_pkthdr* hdr, const char* msg)
 	if ( ! bad_arp )
 		return;

-	mgr.QueueEventFast(bad_arp, {
-		ConstructAddrVal(ar_spa(hdr)),
-		EthAddrToStr((const u_char*) ar_sha(hdr)),
-		ConstructAddrVal(ar_tpa(hdr)),
-		EthAddrToStr((const u_char*) ar_tha(hdr)),
-		new StringVal(msg),
-	});
+	mgr.Enqueue(bad_arp,
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(ar_spa(hdr))},
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) ar_sha(hdr))},
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(ar_tpa(hdr))},
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) ar_tha(hdr))},
+		make_intrusive<StringVal>(msg)
+	);
 	}

 void ARP_Analyzer::Corrupted(const char* msg)
@ -213,14 +213,14 @@ void ARP_Analyzer::RREvent(EventHandlerPtr e,
 	if ( ! e )
 		return;

-	mgr.QueueEventFast(e, {
-		EthAddrToStr(src),
-		EthAddrToStr(dst),
-		ConstructAddrVal(spa),
-		EthAddrToStr((const u_char*) sha),
-		ConstructAddrVal(tpa),
-		EthAddrToStr((const u_char*) tha),
-	});
+	mgr.Enqueue(e,
+		IntrusivePtr{AdoptRef{}, EthAddrToStr(src)},
+		IntrusivePtr{AdoptRef{}, EthAddrToStr(dst)},
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(spa)},
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) sha)},
+		IntrusivePtr{AdoptRef{}, ConstructAddrVal(tpa)},
+		IntrusivePtr{AdoptRef{}, EthAddrToStr((const u_char*) tha)}
+	);
 	}

 AddrVal* ARP_Analyzer::ConstructAddrVal(const void* addr)
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@ -119,11 +119,9 @@ void BitTorrent_Analyzer::EndpointEOF(bool is_orig)
 void BitTorrent_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bittorrent_peer_weird )
-		{
-		ConnectionEventFast(bittorrent_peer_weird, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(msg),
-		});
-		}
+		EnqueueConnEvent(bittorrent_peer_weird,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(msg)
+		);
 	}
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@ -246,13 +246,11 @@ void BitTorrentTracker_Analyzer::InitBencParser(void)
 void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 	{
 	if ( bt_tracker_weird )
-		{
-		ConnectionEventFast(bt_tracker_weird, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(msg),
-		});
-		}
+		EnqueueConnEvent(bt_tracker_weird,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(msg)
+		);
 	}

 bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
@ -349,11 +347,11 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
 	ProtocolConfirmation();

 	if ( bt_tracker_request )
-		ConnectionEventFast(bt_tracker_request, {
-			BuildConnVal(),
-			req_val_uri,
-			req_val_headers,
-		});
+		EnqueueConnEvent(bt_tracker_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, req_val_uri},
+			IntrusivePtr{AdoptRef{}, req_val_headers}
+		);

 	req_val_uri = 0;
 	req_val_headers = 0;
@ -403,11 +401,11 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			if ( res_status != 200 )
 				{
 				if ( bt_tracker_response_not_ok )
-					ConnectionEventFast(bt_tracker_response_not_ok, {
-						BuildConnVal(),
-						val_mgr->GetCount(res_status),
-						res_val_headers,
-					});
+					EnqueueConnEvent(bt_tracker_response_not_ok,
+						IntrusivePtr{AdoptRef{}, BuildConnVal()},
+						IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+						IntrusivePtr{AdoptRef{}, res_val_headers}
+					);
 				res_val_headers = 0;
 				res_buf_pos = res_buf + res_buf_len;
 				res_state = BTT_RES_DONE;
@ -790,13 +788,13 @@ void BitTorrentTracker_Analyzer::EmitResponse(void)
 	ProtocolConfirmation();

 	if ( bt_tracker_response )
-		ConnectionEventFast(bt_tracker_response, {
-			BuildConnVal(),
-			val_mgr->GetCount(res_status),
-			res_val_headers,
-			res_val_peers,
-			res_val_benc,
-		});
+		EnqueueConnEvent(bt_tracker_response,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(res_status)},
+			IntrusivePtr{AdoptRef{}, res_val_headers},
+			IntrusivePtr{AdoptRef{}, res_val_peers},
+			IntrusivePtr{AdoptRef{}, res_val_benc}
+		);

 	res_val_headers = 0;
 	res_val_peers = 0;
--- a/src/analyzer/protocol/conn-size/ConnSize.cc
+++ b/src/analyzer/protocol/conn-size/ConnSize.cc
@ -50,11 +50,11 @@ void ConnSize_Analyzer::ThresholdEvent(EventHandlerPtr f, uint64_t threshold, bo
 	if ( ! f )
 		return;

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		val_mgr->GetCount(threshold),
-		val_mgr->GetBool(is_orig),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(threshold)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+	);
 	}

 void ConnSize_Analyzer::CheckThresholds(bool is_orig)
@ -92,11 +92,11 @@ void ConnSize_Analyzer::CheckThresholds(bool is_orig)
 		{
 		if ( duration_thresh > ( network_time - start_time ) && conn_duration_threshold_crossed )
 			{
-			ConnectionEventFast(conn_duration_threshold_crossed, {
-					BuildConnVal(),
-					new Val(duration_thresh, TYPE_INTERVAL),
-					val_mgr->GetBool(is_orig),
-			});
+			EnqueueConnEvent(conn_duration_threshold_crossed,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					make_intrusive<Val>(duration_thresh, TYPE_INTERVAL),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+			);
 			duration_thresh = 0;
 			}
 		}
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -48,14 +48,12 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	first_message = false;

 	if ( dns_message )
-		{
-		analyzer->ConnectionEventFast(dns_message, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_query),
-			msg.BuildHdrVal(),
-			val_mgr->GetCount(len),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_message,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
+			IntrusivePtr{AdoptRef{}, msg.BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);

 	// There is a great deal of non-DNS traffic that runs on port 53.
 	// This should weed out most of it.
@ -136,10 +134,10 @@ int DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 int DNS_Interpreter::EndMessage(DNS_MsgInfo* msg)
 	{
 	if ( dns_end )
-		analyzer->ConnectionEventFast(dns_end, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-		});
+		analyzer->EnqueueConnEvent(dns_end,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()}
+		);

 	return 1;
 	}
@ -341,13 +339,11 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 		default:

 			if ( dns_unknown_reply && ! msg->skip_event )
-				{
-				analyzer->ConnectionEventFast(dns_unknown_reply, {
-					analyzer->BuildConnVal(),
-					msg->BuildHdrVal(),
-					msg->BuildAnswerVal(),
-				});
-				}
+				analyzer->EnqueueConnEvent(dns_unknown_reply,
+					IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+					IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()}
+				);

 			analyzer->Weird("DNS_RR_unknown_type", fmt("%d", msg->atype));
 			data += rdlength;
@ -556,14 +552,12 @@ int DNS_Interpreter::ParseRR_Name(DNS_MsgInfo* msg,
 	}

 	if ( reply_event && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(reply_event, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-		});
-		}
+		analyzer->EnqueueConnEvent(reply_event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1))
+		);

 	return 1;
 	}
@ -602,7 +596,7 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,

 	if ( dns_SOA_reply && ! msg->skip_event )
 		{
-		RecordVal* r = new RecordVal(dns_soa);
+		auto r = make_intrusive<RecordVal>(dns_soa);
 		r->Assign(0, make_intrusive<StringVal>(new BroString(mname, mname_end - mname, 1)));
 		r->Assign(1, make_intrusive<StringVal>(new BroString(rname, rname_end - rname, 1)));
 		r->Assign(2, val_mgr->GetCount(serial));
@ -611,12 +605,12 @@ int DNS_Interpreter::ParseRR_SOA(DNS_MsgInfo* msg,
 		r->Assign(5, make_intrusive<IntervalVal>(double(expire), Seconds));
 		r->Assign(6, make_intrusive<IntervalVal>(double(minimum), Seconds));

-		analyzer->ConnectionEventFast(dns_SOA_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			r
-		});
+		analyzer->EnqueueConnEvent(dns_SOA_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(r)
+		);
 		}

 	return 1;
@ -641,15 +635,13 @@ int DNS_Interpreter::ParseRR_MX(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");

 	if ( dns_MX_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_MX_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			val_mgr->GetCount(preference),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_MX_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(preference)}
+		);

 	return 1;
 	}
@ -684,17 +676,15 @@ int DNS_Interpreter::ParseRR_SRV(DNS_MsgInfo* msg,
 		analyzer->Weird("DNS_RR_length_mismatch");

 	if ( dns_SRV_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_SRV_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			val_mgr->GetCount(priority),
-			val_mgr->GetCount(weight),
-			val_mgr->GetCount(port),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_SRV_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(priority)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(weight)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
+		);

 	return 1;
 	}
@ -707,13 +697,11 @@ int DNS_Interpreter::ParseRR_EDNS(DNS_MsgInfo* msg,
 	// out to the policy side of the house if rdlength > 0.

 	if ( dns_EDNS_addl && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_EDNS_addl, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildEDNS_Val(),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_EDNS_addl,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildEDNS_Val()}
+		);

 	// Currently EDNS supports the movement of type:data pairs
 	// in the RR_DATA section.  Here's where we should put together
@ -786,11 +774,11 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 		tsig.orig_id = orig_id;
 		tsig.rr_error = rr_error;

-		analyzer->ConnectionEventFast(dns_TSIG_addl, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildTSIG_Val(&tsig),
-		});
+		analyzer->EnqueueConnEvent(dns_TSIG_addl,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildTSIG_Val(&tsig)}
+		);
 		}

 	return 1;
@ -887,12 +875,12 @@ int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
 		rrsig.signer_name = new BroString(name, name_end - name, 1);
 		rrsig.signature = sign;

-		analyzer->ConnectionEventFast(dns_RRSIG, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildRRSIG_Val(&rrsig),
-		});
+		analyzer->EnqueueConnEvent(dns_RRSIG,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildRRSIG_Val(&rrsig)}
+		);
 		}

 	return 1;
@ -982,12 +970,12 @@ int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
 		dnskey.dprotocol = dprotocol;
 		dnskey.public_key = key;

-		analyzer->ConnectionEventFast(dns_DNSKEY, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildDNSKEY_Val(&dnskey),
-		});
+		analyzer->EnqueueConnEvent(dns_DNSKEY,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildDNSKEY_Val(&dnskey)}
+		);
 		}

 	return 1;
@ -1014,7 +1002,7 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,

 	int typebitmaps_len = rdlength - (data - data_start);

-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);

 	while ( typebitmaps_len > 0 && len > 0 )
 		{
@ -1034,15 +1022,13 @@ int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
 		}

 	if ( dns_NSEC )
-		analyzer->ConnectionEventFast(dns_NSEC, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new StringVal(new BroString(name, name_end - name, 1)),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_NSEC,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<StringVal>(new BroString(name, name_end - name, 1)),
+			std::move(char_strings)
+		);

 	return 1;
 	}
@ -1122,12 +1108,12 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 		nsec3.nsec_hash = hash_val;
 		nsec3.bitmaps = char_strings;

-		analyzer->ConnectionEventFast(dns_NSEC3, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildNSEC3_Val(&nsec3),
-		});
+		analyzer->EnqueueConnEvent(dns_NSEC3,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildNSEC3_Val(&nsec3)}
+		);
 		}
 	else
 		Unref(char_strings);
@ -1182,12 +1168,12 @@ int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
 		ds.digest_type = ds_dtype;
 		ds.digest_val = ds_digest;

-		analyzer->ConnectionEventFast(dns_DS, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			msg->BuildDS_Val(&ds),
-		});
+		analyzer->EnqueueConnEvent(dns_DS,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildDS_Val(&ds)}
+		);
 		}

 	return 1;
@ -1205,14 +1191,12 @@ int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 	uint32_t addr = ExtractLong(data, len);

 	if ( dns_A_reply && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(dns_A_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new AddrVal(htonl(addr)),
-		});
-		}
+		analyzer->EnqueueConnEvent(dns_A_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<AddrVal>(htonl(addr))
+		);

 	return 1;
 	}
@ -1241,15 +1225,14 @@ int DNS_Interpreter::ParseRR_AAAA(DNS_MsgInfo* msg,
 		event = dns_AAAA_reply;
 	else
 		event = dns_A6_reply;
+
 	if ( event && ! msg->skip_event )
-		{
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			new AddrVal(addr),
-		});
-		}
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			make_intrusive<AddrVal>(addr)
+		);

 	return 1;
 	}
@ -1311,21 +1294,19 @@ int DNS_Interpreter::ParseRR_TXT(DNS_MsgInfo* msg,
 		return 1;
 		}

-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;

 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);

 	if ( dns_TXT_reply )
-		analyzer->ConnectionEventFast(dns_TXT_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_TXT_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(char_strings)
+		);

 	return rdlength == 0;
 	}
@ -1341,21 +1322,19 @@ int DNS_Interpreter::ParseRR_SPF(DNS_MsgInfo* msg,
 		return 1;
 		}

-	VectorVal* char_strings = new VectorVal(string_vec);
+	auto char_strings = make_intrusive<VectorVal>(string_vec);
 	StringVal* char_string;

 	while ( (char_string = extract_char_string(analyzer, data, len, rdlength)) )
 		char_strings->Assign(char_strings->Size(), char_string);

 	if ( dns_SPF_reply )
-		analyzer->ConnectionEventFast(dns_SPF_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			char_strings,
-		});
-	else
-		Unref(char_strings);
+		analyzer->EnqueueConnEvent(dns_SPF_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			std::move(char_strings)
+		);

 	return rdlength == 0;
 	}
@ -1391,14 +1370,14 @@ int DNS_Interpreter::ParseRR_CAA(DNS_MsgInfo* msg,
 	rdlength -= value->Len();

 	if ( dns_CAA_reply )
-		analyzer->ConnectionEventFast(dns_CAA_reply, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			msg->BuildAnswerVal(),
-			val_mgr->GetCount(flags),
-			new StringVal(tag),
-			new StringVal(value),
-		});
+		analyzer->EnqueueConnEvent(dns_CAA_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+			IntrusivePtr{AdoptRef{}, msg->BuildAnswerVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags)},
+			make_intrusive<StringVal>(tag),
+			make_intrusive<StringVal>(value)
+		);
 	else
 		{
 		delete tag;
@ -1419,13 +1398,13 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,

 	assert(event);

-	analyzer->ConnectionEventFast(event, {
-		analyzer->BuildConnVal(),
-		msg->BuildHdrVal(),
-		new StringVal(question_name),
-		val_mgr->GetCount(qtype),
-		val_mgr->GetCount(qclass),
-	});
+	analyzer->EnqueueConnEvent(event,
+		IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, msg->BuildHdrVal()},
+		make_intrusive<StringVal>(question_name),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qtype)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(qclass)}
+	);
 	}


--- a/src/analyzer/protocol/file/File.cc
+++ b/src/analyzer/protocol/file/File.cc
@ -79,10 +79,10 @@ void File_Analyzer::Identify()
 	                               : *(matches.begin()->second.begin());

 	if ( file_transferred )
-		ConnectionEventFast(file_transferred, {
-			BuildConnVal(),
-			new StringVal(buffer_len, buffer),
-			new StringVal("<unknown>"),
-			new StringVal(match),
-		});
+		EnqueueConnEvent(file_transferred,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(buffer_len, buffer),
+			make_intrusive<StringVal>("<unknown>"),
+			make_intrusive<StringVal>(match)
+		);
 	}
--- a/src/analyzer/protocol/finger/Finger.cc
+++ b/src/analyzer/protocol/finger/Finger.cc
@ -67,14 +67,12 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 			host = at + 1;

 		if ( finger_request )
-			{
-			ConnectionEventFast(finger_request, {
-				BuildConnVal(),
-				val_mgr->GetBool(long_cnt),
-				new StringVal(at - line, line),
-				new StringVal(end_of_line - host, host),
-			});
-			}
+			EnqueueConnEvent(finger_request,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(long_cnt)},
+				make_intrusive<StringVal>(at - line, line),
+				make_intrusive<StringVal>(end_of_line - host, host)
+			);

 		Conn()->Match(Rule::FINGER, (const u_char *) line,
 			  end_of_line - line, true, true, 1, true);
@ -87,9 +85,9 @@ void Finger_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig
 		if ( ! finger_reply )
 			return;

-		ConnectionEventFast(finger_reply, {
-			BuildConnVal(),
-			new StringVal(end_of_line - line, line),
-		});
+		EnqueueConnEvent(finger_reply,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(end_of_line - line, line)
+		);
 		}
 	}
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@ -75,7 +75,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		// Could emit "ftp empty request/reply" weird, but maybe not worth it.
 		return;

-	val_list vl;
+	zeek::Args vl;

 	EventHandlerPtr f;
 	if ( orig )
@ -96,10 +96,10 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		else
 			cmd_str = (new StringVal(cmd_len, cmd))->ToUpper();

-		vl = val_list{
-			BuildConnVal(),
-			cmd_str,
-			new StringVal(end_of_line - line, line),
+		vl = {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, cmd_str},
+			make_intrusive<StringVal>(end_of_line - line, line),
 		};

 		f = ftp_request;
@ -175,17 +175,17 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				}
 			}

-		vl = val_list{
-			BuildConnVal(),
-			val_mgr->GetCount(reply_code),
-			new StringVal(end_of_line - line, line),
-			val_mgr->GetBool(cont_resp),
+		vl = {
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+			make_intrusive<StringVal>(end_of_line - line, line),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(cont_resp)}
 		};

 		f = ftp_reply;
 		}

-	ConnectionEvent(f, std::move(vl));
+	EnqueueConnEvent(f, std::move(vl));

 	ForwardStream(length, data, orig);
 	}
--- a/src/analyzer/protocol/gnutella/Gnutella.cc
+++ b/src/analyzer/protocol/gnutella/Gnutella.cc
@ -59,9 +59,9 @@ void Gnutella_Analyzer::Done()
 	if ( ! sent_establish && (gnutella_establish || gnutella_not_establish) )
 		{
 		if ( Established() && gnutella_establish )
-			ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		else if ( ! Established () && gnutella_not_establish )
-			ConnectionEventFast(gnutella_not_establish, {BuildConnVal()});
+			EnqueueConnEvent(gnutella_not_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 		}

 	if ( gnutella_partial_binary_msg )
@ -71,14 +71,12 @@ void Gnutella_Analyzer::Done()
 		for ( int i = 0; i < 2; ++i, p = resp_msg_state )
 			{
 			if ( ! p->msg_sent && p->msg_pos )
-				{
-				ConnectionEventFast(gnutella_partial_binary_msg, {
-					BuildConnVal(),
-					new StringVal(p->msg),
-					val_mgr->GetBool((i == 0)),
-					val_mgr->GetCount(p->msg_pos),
-				});
-				}
+				EnqueueConnEvent(gnutella_partial_binary_msg,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					make_intrusive<StringVal>(p->msg),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((i == 0))},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_pos)}
+				);

 			else if ( ! p->msg_sent && p->payload_left )
 				SendEvents(p, (i == 0));
@ -120,9 +118,7 @@ int Gnutella_Analyzer::IsHTTP(string header)
 		return 0;

 	if ( gnutella_http_notify )
-		{
-		ConnectionEventFast(gnutella_http_notify, {BuildConnVal()});
-		}
+		EnqueueConnEvent(gnutella_http_notify, IntrusivePtr{AdoptRef{}, BuildConnVal()});

 	analyzer::Analyzer* a = analyzer_mgr->InstantiateAnalyzer("HTTP", Conn());

@ -180,13 +176,11 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 		else
 			{
 			if ( gnutella_text_msg )
-				{
-				ConnectionEventFast(gnutella_text_msg, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(ms->headers.data()),
-				});
-				}
+				EnqueueConnEvent(gnutella_text_msg,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(ms->headers.data())
+				);

 			ms->headers = "";
 			state |= new_state;
@ -195,7 +189,7 @@ void Gnutella_Analyzer::DeliverLines(int len, const u_char* data, bool orig)
 				{
 				sent_establish = 1;

-				ConnectionEventFast(gnutella_establish, {BuildConnVal()});
+				EnqueueConnEvent(gnutella_establish, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 				}
 			}
 		}
@ -220,20 +214,18 @@ void Gnutella_Analyzer::SendEvents(GnutellaMsgState* p, bool is_orig)
 		return;

 	if ( gnutella_binary_msg )
-		{
-		ConnectionEventFast(gnutella_binary_msg, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			val_mgr->GetCount(p->msg_type),
-			val_mgr->GetCount(p->msg_ttl),
-			val_mgr->GetCount(p->msg_hops),
-			val_mgr->GetCount(p->msg_len),
-			new StringVal(p->payload),
-			val_mgr->GetCount(p->payload_len),
-			val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD))),
-			val_mgr->GetBool((p->payload_left == 0)),
-		});
-		}
+		EnqueueConnEvent(gnutella_binary_msg,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_type)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_ttl)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_hops)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->msg_len)},
+			make_intrusive<StringVal>(p->payload),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(p->payload_len)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_len < min(p->msg_len, (unsigned int)GNUTELLA_MAX_PAYLOAD)))},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool((p->payload_left == 0))}
+		);
 	}


--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@ -649,13 +649,11 @@ void HTTP_Message::Done(const int interrupted, const char* detail)
 		}

 	if ( http_message_done )
-		{
-		GetAnalyzer()->ConnectionEventFast(http_message_done, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			BuildMessageStat(interrupted, detail),
-		});
-		}
+		GetAnalyzer()->EnqueueConnEvent(http_message_done,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, BuildMessageStat(interrupted, detail)}
+		);

 	MyHTTP_Analyzer()->HTTP_MessageDone(is_orig, this);
 	}
@ -682,12 +680,10 @@ void HTTP_Message::BeginEntity(mime::MIME_Entity* entity)
 	current_entity = (HTTP_Entity*) entity;

 	if ( http_begin_entity )
-		{
-		analyzer->ConnectionEventFast(http_begin_entity, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_begin_entity,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+		);
 	}

 void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
@ -699,12 +695,10 @@ void HTTP_Message::EndEntity(mime::MIME_Entity* entity)
 	header_length += ((HTTP_Entity*) entity)->HeaderLength();

 	if ( http_end_entity )
-		{
-		analyzer->ConnectionEventFast(http_end_entity, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_end_entity,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+		);

 	current_entity = (HTTP_Entity*) entity->Parent();

@ -740,27 +734,23 @@ void HTTP_Message::SubmitHeader(mime::MIME_Header* h)
 void HTTP_Message::SubmitAllHeaders(mime::MIME_HeaderList& hlist)
 	{
 	if ( http_all_headers )
-		{
-		analyzer->ConnectionEventFast(http_all_headers, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			BuildHeaderTable(hlist),
-		});
-		}
+		analyzer->EnqueueConnEvent(http_all_headers,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
+		);

 	if ( http_content_type )
 		{
 		StringVal* ty = current_entity->ContentType();
 		StringVal* subty = current_entity->ContentSubType();
-		ty->Ref();
-		subty->Ref();

-		analyzer->ConnectionEventFast(http_content_type, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			ty,
-			subty,
-		});
+		analyzer->EnqueueConnEvent(http_content_type,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{NewRef{}, ty},
+			IntrusivePtr{NewRef{}, subty}
+		);
 		}
 	}

@ -1182,14 +1172,14 @@ void HTTP_Analyzer::GenStats()
 	{
 	if ( http_stats )
 		{
-		RecordVal* r = new RecordVal(http_stats_rec);
+		auto r = make_intrusive<RecordVal>(http_stats_rec);
 		r->Assign(0, val_mgr->GetCount(num_requests));
 		r->Assign(1, val_mgr->GetCount(num_replies));
 		r->Assign(2, make_intrusive<Val>(request_version.ToDouble(), TYPE_DOUBLE));
 		r->Assign(3, make_intrusive<Val>(reply_version.ToDouble(), TYPE_DOUBLE));

 		// DEBUG_MSG("%.6f http_stats\n", network_time);
-		ConnectionEventFast(http_stats, {BuildConnVal(), r});
+		EnqueueConnEvent(http_stats, IntrusivePtr{AdoptRef{}, BuildConnVal()}, std::move(r));
 		}
 	}

@ -1387,16 +1377,14 @@ void HTTP_Analyzer::HTTP_Event(const char* category, const char* detail)
 void HTTP_Analyzer::HTTP_Event(const char* category, StringVal* detail)
 	{
 	if ( http_event )
-		{
 		// DEBUG_MSG("%.6f http_event\n", network_time);
-		ConnectionEventFast(http_event, {
-			BuildConnVal(),
-			new StringVal(category),
-			detail,
-		});
-		}
+		EnqueueConnEvent(http_event,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(category),
+			IntrusivePtr{AdoptRef{}, detail}
+		);
 	else
-		delete detail;
+		Unref(detail);
 	}

 StringVal* HTTP_Analyzer::TruncateURI(StringVal* uri)
@ -1428,33 +1416,27 @@ void HTTP_Analyzer::HTTP_Request()
 		connect_request = true;

 	if ( http_request )
-		{
-		Ref(request_method);
-
 		// DEBUG_MSG("%.6f http_request\n", network_time);
-		ConnectionEventFast(http_request, {
-			BuildConnVal(),
-			request_method,
-			TruncateURI(request_URI->AsStringVal()),
-			TruncateURI(unescaped_URI->AsStringVal()),
-			new StringVal(fmt("%.1f", request_version.ToDouble())),
-		});
-		}
+		EnqueueConnEvent(http_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{NewRef{}, request_method},
+			IntrusivePtr{AdoptRef{}, TruncateURI(request_URI->AsStringVal())},
+			IntrusivePtr{AdoptRef{}, TruncateURI(unescaped_URI->AsStringVal())},
+			make_intrusive<StringVal>(fmt("%.1f", request_version.ToDouble()))
+		);
 	}

 void HTTP_Analyzer::HTTP_Reply()
 	{
 	if ( http_reply )
-		{
-		ConnectionEventFast(http_reply, {
-			BuildConnVal(),
-			new StringVal(fmt("%.1f", reply_version.ToDouble())),
-			val_mgr->GetCount(reply_code),
+		EnqueueConnEvent(http_reply,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(fmt("%.1f", reply_version.ToDouble())),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
 			reply_reason_phrase ?
-				reply_reason_phrase->Ref() :
-				new StringVal("<empty>"),
-		});
-		}
+				IntrusivePtr{NewRef{}, reply_reason_phrase} :
+				make_intrusive<StringVal>("<empty>")
+		);
 	else
 		{
 		Unref(reply_reason_phrase);
@ -1524,12 +1506,10 @@ void HTTP_Analyzer::ReplyMade(const int interrupted, const char* msg)
 		RemoveSupportAnalyzer(content_line_resp);

 		if ( http_connection_upgrade )
-			{
-			ConnectionEventFast(http_connection_upgrade, {
-				BuildConnVal(),
-				new StringVal(upgrade_protocol),
-			});
-			}
+			EnqueueConnEvent(http_connection_upgrade,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(upgrade_protocol)
+			);
 		}

 	reply_code = 0;
@ -1690,26 +1670,24 @@ void HTTP_Analyzer::HTTP_Header(int is_orig, mime::MIME_Header* h)
 		if ( DEBUG_http )
 			DEBUG_MSG("%.6f http_header\n", network_time);

-		ConnectionEventFast(http_header, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			mime::new_string_val(h->get_name())->ToUpper(),
-			mime::new_string_val(h->get_value()),
-		});
+		EnqueueConnEvent(http_header,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_name())->ToUpper()},
+			IntrusivePtr{AdoptRef{}, mime::new_string_val(h->get_value())}
+		);
 		}
 	}

 void HTTP_Analyzer::HTTP_EntityData(int is_orig, BroString* entity_data)
 	{
 	if ( http_entity_data )
-		{
-		ConnectionEventFast(http_entity_data, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			val_mgr->GetCount(entity_data->Len()),
-			new StringVal(entity_data),
-		});
-		}
+		EnqueueConnEvent(http_entity_data,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(entity_data->Len())},
+			make_intrusive<StringVal>(entity_data)
+		);
 	else
 		delete entity_data;
 	}
--- a/src/analyzer/protocol/icmp/ICMP.cc
+++ b/src/analyzer/protocol/icmp/ICMP.cc
@ -202,22 +202,20 @@ void ICMP_Analyzer::ICMP_Sent(const struct icmp* icmpp, int len, int caplen,
                              const IP_Hdr* ip_hdr)
    {
 	if ( icmp_sent )
-		{
-		ConnectionEventFast(icmp_sent, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
-		});
-		}
+		EnqueueConnEvent(icmp_sent,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)}
+		);

 	if ( icmp_sent_payload )
 		{
 		BroString* payload = new BroString(data, min(len, caplen), 0);

-		ConnectionEventFast(icmp_sent_payload, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, icmpv6, ip_hdr),
-			new StringVal(payload),
-		});
+		EnqueueConnEvent(icmp_sent_payload,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, icmpv6, ip_hdr)},
+			make_intrusive<StringVal>(payload)
+		);
 		}
 	}

@ -516,13 +514,13 @@ void ICMP_Analyzer::Echo(double t, const struct icmp* icmpp, int len,

 	BroString* payload = new BroString(data, caplen, 0);

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr),
-		val_mgr->GetCount(iid),
-		val_mgr->GetCount(iseq),
-		new StringVal(payload),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, ip_hdr->NextProto() != IPPROTO_ICMP, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iid)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(iseq)},
+		make_intrusive<StringVal>(payload)
+	);
 	}


@ -544,21 +542,21 @@ void ICMP_Analyzer::RouterAdvert(double t, const struct icmp* icmpp, int len,

 	int opt_offset = sizeof(reachable) + sizeof(retrans);

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		val_mgr->GetCount(icmpp->icmp_num_addrs), // Cur Hop Limit
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x80), // Managed
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x40), // Other
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x20), // Home Agent
-		val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3), // Pref
-		val_mgr->GetBool(icmpp->icmp_wpa & 0x04), // Proxy
-		val_mgr->GetCount(icmpp->icmp_wpa & 0x02), // Reserved
-		new IntervalVal((double)ntohs(icmpp->icmp_lifetime), Seconds),
-		new IntervalVal((double)ntohl(reachable), Milliseconds),
-		new IntervalVal((double)ntohl(retrans), Milliseconds),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_num_addrs)}, // Cur Hop Limit
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x80)}, // Managed
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x40)}, // Other
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x20)}, // Home Agent
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount((icmpp->icmp_wpa & 0x18)>>3)}, // Pref
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_wpa & 0x04)}, // Proxy
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_wpa & 0x02)}, // Reserved
+		make_intrusive<IntervalVal>((double)ntohs(icmpp->icmp_lifetime), Seconds),
+		make_intrusive<IntervalVal>((double)ntohl(reachable), Milliseconds),
+		make_intrusive<IntervalVal>((double)ntohl(retrans), Milliseconds),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}


@ -577,15 +575,15 @@ void ICMP_Analyzer::NeighborAdvert(double t, const struct icmp* icmpp, int len,

 	int opt_offset = sizeof(in6_addr);

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80), // Router
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40), // Solicited
-		val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20), // Override
-		new AddrVal(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x80)}, // Router
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x40)}, // Solicited
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(icmpp->icmp_num_addrs & 0x20)}, // Override
+		make_intrusive<AddrVal>(tgtaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}


@ -604,12 +602,12 @@ void ICMP_Analyzer::NeighborSolicit(double t, const struct icmp* icmpp, int len,

 	int opt_offset = sizeof(in6_addr);

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		new AddrVal(tgtaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		make_intrusive<AddrVal>(tgtaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}


@ -631,13 +629,13 @@ void ICMP_Analyzer::Redirect(double t, const struct icmp* icmpp, int len,

 	int opt_offset = 2 * sizeof(in6_addr);

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		new AddrVal(tgtaddr),
-		new AddrVal(dstaddr),
-		BuildNDOptionsVal(caplen - opt_offset, data + opt_offset),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		make_intrusive<AddrVal>(tgtaddr),
+		make_intrusive<AddrVal>(dstaddr),
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen - opt_offset, data + opt_offset)}
+	);
 	}


@ -649,11 +647,11 @@ void ICMP_Analyzer::RouterSolicit(double t, const struct icmp* icmpp, int len,
 	if ( ! f )
 		return;

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		BuildICMPVal(icmpp, len, 1, ip_hdr),
-		BuildNDOptionsVal(caplen, data),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+		IntrusivePtr{AdoptRef{}, BuildNDOptionsVal(caplen, data)}
+	);
 	}


@ -674,14 +672,12 @@ void ICMP_Analyzer::Context4(double t, const struct icmp* icmpp,
 		}

 	if ( f )
-		{
-		ConnectionEventFast(f, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, 0, ip_hdr),
-			val_mgr->GetCount(icmpp->icmp_code),
-			ExtractICMP4Context(caplen, data),
-		});
-		}
+		EnqueueConnEvent(f,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 0, ip_hdr)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			IntrusivePtr{AdoptRef{}, ExtractICMP4Context(caplen, data)}
+		);
 	}


@ -714,14 +710,12 @@ void ICMP_Analyzer::Context6(double t, const struct icmp* icmpp,
 		}

 	if ( f )
-		{
-		ConnectionEventFast(f, {
-			BuildConnVal(),
-			BuildICMPVal(icmpp, len, 1, ip_hdr),
-			val_mgr->GetCount(icmpp->icmp_code),
-			ExtractICMP6Context(caplen, data),
-		});
-		}
+		EnqueueConnEvent(f,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildICMPVal(icmpp, len, 1, ip_hdr)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(icmpp->icmp_code)},
+			IntrusivePtr{AdoptRef{}, ExtractICMP6Context(caplen, data)}
+		);
 	}

 VectorVal* ICMP_Analyzer::BuildNDOptionsVal(int caplen, const u_char* data)
--- a/src/analyzer/protocol/ident/Ident.cc
+++ b/src/analyzer/protocol/ident/Ident.cc
@ -84,11 +84,11 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 			Weird("ident_request_addendum", s.CheckString());
 			}

-		ConnectionEventFast(ident_request, {
-			BuildConnVal(),
-			val_mgr->GetPort(local_port, TRANSPORT_TCP),
-			val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-		});
+		EnqueueConnEvent(ident_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)}
+		);

 		did_deliver = true;
 		}
@ -145,12 +145,12 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)
 		if ( is_error )
 			{
 			if ( ident_error )
-				ConnectionEventFast(ident_error, {
-					BuildConnVal(),
-					val_mgr->GetPort(local_port, TRANSPORT_TCP),
-					val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-					new StringVal(end_of_line - line, line),
-				});
+				EnqueueConnEvent(ident_error,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+					make_intrusive<StringVal>(end_of_line - line, line)
+				);
 			}

 		else
@ -178,13 +178,13 @@ void Ident_Analyzer::DeliverStream(int length, const u_char* data, bool is_orig)

 			line = skip_whitespace(colon + 1, end_of_line);

-			ConnectionEventFast(ident_reply, {
-				BuildConnVal(),
-				val_mgr->GetPort(local_port, TRANSPORT_TCP),
-				val_mgr->GetPort(remote_port, TRANSPORT_TCP),
-				new StringVal(end_of_line - line, line),
-				new StringVal(sys_type_s),
-			});
+			EnqueueConnEvent(ident_reply,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(local_port, TRANSPORT_TCP)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetPort(remote_port, TRANSPORT_TCP)},
+				make_intrusive<StringVal>(end_of_line - line, line),
+				make_intrusive<StringVal>(sys_type_s)
+			);
 			}
 		}
 	}
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@ -233,13 +233,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}

-			ConnectionEventFast(irc_network_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(users),
-				val_mgr->GetInt(services),
-				val_mgr->GetInt(servers),
-			});
+			EnqueueConnEvent(irc_network_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+			);
 			}
 			break;

@ -270,24 +270,23 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);

-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});

 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
 				if ( parts[i][0] == '@' )
 					parts[i] = parts[i].substr(1);
-				Val* idx = new StringVal(parts[i].c_str());
-				set->Assign(idx, 0);
-				Unref(idx);
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
+				set->Assign(idx.get(), 0);
 				}

-			ConnectionEventFast(irc_names_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(type.c_str()),
-				new StringVal(channel.c_str()),
-				set,
-			});
+			EnqueueConnEvent(irc_names_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(type.c_str()),
+				make_intrusive<StringVal>(channel.c_str()),
+				std::move(set)
+			);
 			}
 			break;

@ -315,13 +314,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				// else ###
 				}

-			ConnectionEventFast(irc_server_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(users),
-				val_mgr->GetInt(services),
-				val_mgr->GetInt(servers),
-			});
+			EnqueueConnEvent(irc_server_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(users)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(services)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(servers)}
+			);
 			}
 			break;

@ -337,11 +336,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( parts[i] == ":channels" )
 					channels = atoi(parts[i - 1].c_str());

-			ConnectionEventFast(irc_channel_info, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				val_mgr->GetInt(channels),
-			});
+			EnqueueConnEvent(irc_channel_info,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(channels)}
+			);
 			}
 			break;

@ -369,12 +368,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				break;
 				}

-			ConnectionEventFast(irc_global_users, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(eop - prefix, prefix),
-				new StringVal(++msg),
-			});
+			EnqueueConnEvent(irc_global_users,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(eop - prefix, prefix),
+				make_intrusive<StringVal>(++msg)
+			);
 			break;
 			}

@ -394,12 +393,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}

-			val_list vl(6);
-			vl.push_back(BuildConnVal());
-			vl.push_back(val_mgr->GetBool(orig));
-			vl.push_back(new StringVal(parts[0].c_str()));
-			vl.push_back(new StringVal(parts[1].c_str()));
-			vl.push_back(new StringVal(parts[2].c_str()));
+			zeek::Args vl;
+			vl.reserve(6);
+			vl.emplace_back(AdoptRef{}, BuildConnVal());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));

 			parts.erase(parts.begin(), parts.begin() + 4);

@ -410,9 +410,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( real_name[0] == ':' )
 				real_name = real_name.substr(1);

-			vl.push_back(new StringVal(real_name.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(real_name.c_str()));

-			ConnectionEventFast(irc_whois_user_line, std::move(vl));
+			EnqueueConnEvent(irc_whois_user_line, std::move(vl));
 			}
 			break;

@ -433,11 +433,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				return;
 				}

-			ConnectionEventFast(irc_whois_operator_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-			});
+			EnqueueConnEvent(irc_whois_operator_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str())
+			);
 			}
 			break;

@ -463,21 +463,20 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts.size() > 0 && parts[0][0] == ':' )
 				parts[0] = parts[0].substr(1);

-			TableVal* set = new TableVal({NewRef{}, string_set});
+			auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});

 			for ( unsigned int i = 0; i < parts.size(); ++i )
 				{
-				Val* idx = new StringVal(parts[i].c_str());
-				set->Assign(idx, 0);
-				Unref(idx);
+				auto idx = make_intrusive<StringVal>(parts[i].c_str());
+				set->Assign(idx.get(), 0);
 				}

-			ConnectionEventFast(irc_whois_channel_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(nick.c_str()),
-				set,
-			});
+			EnqueueConnEvent(irc_whois_channel_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(nick.c_str()),
+				std::move(set)
+			);
 			}
 			break;

@ -503,12 +502,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				if ( *t == ':' )
 					++t;

-				ConnectionEventFast(irc_channel_topic, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(parts[1].c_str()),
-					new StringVal(t),
-				});
+				EnqueueConnEvent(irc_channel_topic,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(parts[1].c_str()),
+					make_intrusive<StringVal>(t)
+				);
 				}
 			else
 				{
@ -537,19 +536,19 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[7][0] == ':' )
 				parts[7] = parts[7].substr(1);

-			ConnectionEventFast(irc_who_line, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-				new StringVal(parts[2].c_str()),
-				new StringVal(parts[3].c_str()),
-				new StringVal(parts[4].c_str()),
-				new StringVal(parts[5].c_str()),
-				new StringVal(parts[6].c_str()),
-				val_mgr->GetInt(atoi(parts[7].c_str())),
-				new StringVal(parts[8].c_str()),
-			});
+			EnqueueConnEvent(irc_who_line,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str()),
+				make_intrusive<StringVal>(parts[2].c_str()),
+				make_intrusive<StringVal>(parts[3].c_str()),
+				make_intrusive<StringVal>(parts[4].c_str()),
+				make_intrusive<StringVal>(parts[5].c_str()),
+				make_intrusive<StringVal>(parts[6].c_str()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetInt(atoi(parts[7].c_str()))},
+				make_intrusive<StringVal>(parts[8].c_str())
+			);
 			}
 			break;

@ -559,25 +558,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		case 433:
 		case 436:
 			if ( irc_invalid_nick )
-				{
-				ConnectionEventFast(irc_invalid_nick, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-				});
-				}
+				EnqueueConnEvent(irc_invalid_nick,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)}
+				);
 			break;

 		// Operator responses.
 		case 381:  // User is operator
 		case 491:  // user is not operator
 			if ( irc_oper_response )
-				{
-				ConnectionEventFast(irc_oper_response, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					val_mgr->GetBool(code == 381),
-				});
-				}
+				EnqueueConnEvent(irc_oper_response,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(code == 381)}
+				);
 			break;

 		case 670:
@ -588,13 +583,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// All other server replies.
 		default:
 			if ( irc_reply )
-				ConnectionEventFast(irc_reply, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					val_mgr->GetCount(code),
-					new StringVal(params.c_str()),
-				});
+				EnqueueConnEvent(irc_reply,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(code)},
+					make_intrusive<StringVal>(params.c_str())
+				);
 			break;
 		}
 		return;
@ -659,31 +654,31 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)


 			if ( irc_dcc_message )
-				ConnectionEventFast(irc_dcc_message, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					new StringVal(target.c_str()),
-					new StringVal(parts[1].c_str()),
-					new StringVal(parts[2].c_str()),
-					new AddrVal(htonl(raw_ip)),
-					val_mgr->GetCount(atoi(parts[4].c_str())),
-					parts.size() >= 6 ?
+				EnqueueConnEvent(irc_dcc_message,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
+					make_intrusive<StringVal>(parts[1].c_str()),
+					make_intrusive<StringVal>(parts[2].c_str()),
+					make_intrusive<AddrVal>(htonl(raw_ip)),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(atoi(parts[4].c_str()))},
+					IntrusivePtr{AdoptRef{}, parts.size() >= 6 ?
 						val_mgr->GetCount(atoi(parts[5].c_str())) :
-						val_mgr->GetCount(0),
-				});
+						val_mgr->GetCount(0)}
+				);
 			}

 		else
 			{
 			if ( irc_privmsg_message )
-				ConnectionEventFast(irc_privmsg_message, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(prefix.c_str()),
-					new StringVal(target.c_str()),
-					new StringVal(message.c_str()),
-				});
+				EnqueueConnEvent(irc_privmsg_message,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(prefix.c_str()),
+					make_intrusive<StringVal>(target.c_str()),
+					make_intrusive<StringVal>(message.c_str())
+				);
 			}
 		}

@ -702,13 +697,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);

-		ConnectionEventFast(irc_notice_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(target.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_notice_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}

 	else if ( irc_squery_message && command == "SQUERY" )
@ -726,34 +721,35 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( message[0] == ':' )
 			message = message.substr(1);

-		ConnectionEventFast(irc_squery_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(target.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_squery_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(target.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}

 	else if ( irc_user_message && command == "USER" )
 		{
 		// extract username and real name
 		vector<string> parts = SplitWords(params, ' ');
-		val_list vl(6);
-		vl.push_back(BuildConnVal());
-		vl.push_back(val_mgr->GetBool(orig));
+		zeek::Args vl;
+		vl.reserve(6);
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));

 		if ( parts.size() > 0 )
-			vl.push_back(new StringVal(parts[0].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());

 		if ( parts.size() > 1 )
-			vl.push_back(new StringVal(parts[1].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());

 		if ( parts.size() > 2 )
-			vl.push_back(new StringVal(parts[2].c_str()));
-		else vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(make_intrusive<StringVal>(parts[2].c_str()));
+		else vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());

 		string realname;
 		for ( unsigned int i = 3; i < parts.size(); i++ )
@ -764,9 +760,9 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			}

 		const char* name = realname.c_str();
-		vl.push_back(new StringVal(*name == ':' ? name + 1 : name));
+		vl.emplace_back(make_intrusive<StringVal>(*name == ':' ? name + 1 : name));

-		ConnectionEventFast(irc_user_message, std::move(vl));
+		EnqueueConnEvent(irc_user_message, std::move(vl));
 		}

 	else if ( irc_oper_message && command == "OPER" )
@ -774,14 +770,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		// extract username and password
 		vector<string> parts = SplitWords(params, ' ');
 		if ( parts.size() == 2 )
-			{
-			ConnectionEventFast(irc_oper_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-			});
-			}
+			EnqueueConnEvent(irc_oper_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
+			);

 		else
 			Weird("irc_invalid_oper_message_format");
@ -797,12 +791,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			return;
 			}

-		val_list vl(6);
-		vl.push_back(BuildConnVal());
-		vl.push_back(val_mgr->GetBool(orig));
-		vl.push_back(new StringVal(prefix.c_str()));
-		vl.push_back(new StringVal(parts[0].c_str()));
-		vl.push_back(new StringVal(parts[1].c_str()));
+		zeek::Args vl;
+		vl.reserve(6);
+		vl.emplace_back(AdoptRef{}, BuildConnVal());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetBool(orig));
+		vl.emplace_back(make_intrusive<StringVal>(prefix.c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(parts[0].c_str()));
+		vl.emplace_back(make_intrusive<StringVal>(parts[1].c_str()));
+
 		if ( parts.size() > 2 )
 			{
 			string comment = parts[2];
@ -812,12 +808,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( comment[0] == ':' )
 				comment = comment.substr(1);

-			vl.push_back(new StringVal(comment.c_str()));
+			vl.emplace_back(make_intrusive<StringVal>(comment.c_str()));
 			}
 		else
-			vl.push_back(val_mgr->GetEmptyString());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());

-		ConnectionEventFast(irc_kick_message, std::move(vl));
+		EnqueueConnEvent(irc_kick_message, std::move(vl));
 		}

 	else if ( irc_join_message && command == "JOIN" )
@ -841,7 +837,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}

-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});

 		vector<string> channels = SplitWords(parts[0], ',');
 		vector<string> passwords;
@ -865,11 +861,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			Unref(info);
 			}

-		ConnectionEventFast(irc_join_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			list,
-		});
+		EnqueueConnEvent(irc_join_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			std::move(list)
+		);
 		}

 	else if ( irc_join_message && command == "NJOIN" )
@ -886,13 +882,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			parts[1] = parts[1].substr(1);

 		vector<string> users = SplitWords(parts[1], ',');
-		TableVal* list = new TableVal({NewRef{}, irc_join_list});
+		auto list = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, irc_join_list});

 		string empty_string = "";

 		for ( unsigned int i = 0; i < users.size(); ++i )
 			{
-			RecordVal* info = new RecordVal(irc_join_info);
+			auto info = make_intrusive<RecordVal>(irc_join_info);
 			string nick = users[i];
 			string mode = "none";

@ -922,15 +918,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			info->Assign(2, make_intrusive<StringVal>(empty_string.c_str()));
 			// User mode:
 			info->Assign(3, make_intrusive<StringVal>(mode.c_str()));
-			list->Assign(info, 0);
-			Unref(info);
+			list->Assign(info.get(), 0);
 			}

-		ConnectionEventFast(irc_join_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			list,
-		});
+		EnqueueConnEvent(irc_join_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			std::move(list)
+		);
 		}

 	else if ( irc_part_message && command == "PART" )
@ -957,22 +952,21 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			nick = nick.substr(0, pos);

 		vector<string> channelList = SplitWords(channels, ',');
-		TableVal* set = new TableVal({NewRef{}, string_set});
+		auto set = make_intrusive<TableVal>(IntrusivePtr{NewRef{}, string_set});

 		for ( unsigned int i = 0; i < channelList.size(); ++i )
 			{
-			Val* idx = new StringVal(channelList[i].c_str());
-			set->Assign(idx, 0);
-			Unref(idx);
+			auto idx = make_intrusive<StringVal>(channelList[i].c_str());
+			set->Assign(idx.get(), 0);
 			}

-		ConnectionEventFast(irc_part_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(nick.c_str()),
-			set,
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_part_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(nick.c_str()),
+			std::move(set),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}

 	else if ( irc_quit_message && command == "QUIT" )
@ -989,12 +983,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				nickname = prefix.substr(0, pos);
 			}

-		ConnectionEventFast(irc_quit_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(nickname.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_quit_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(nickname.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}

 	else if ( irc_nick_message && command == "NICK" )
@ -1003,12 +997,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( nick[0] == ':' )
 			nick = nick.substr(1);

-		ConnectionEventFast(irc_nick_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(nick.c_str())
-		});
+		EnqueueConnEvent(irc_nick_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(nick.c_str())
+		);
 		}

 	else if ( irc_who_message && command == "WHO" )
@ -1028,14 +1022,14 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( parts.size() > 0 && parts[0].size() > 0 && parts[0][0] == ':' )
 			parts[0] = parts[0].substr(1);

-		ConnectionEventFast(irc_who_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
+		EnqueueConnEvent(irc_who_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
 			parts.size() > 0 ?
-				new StringVal(parts[0].c_str()) :
-				val_mgr->GetEmptyString(),
-			val_mgr->GetBool(oper),
-		});
+				make_intrusive<StringVal>(parts[0].c_str()) :
+				IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(oper)}
+		);
 		}

 	else if ( irc_whois_message && command == "WHOIS" )
@ -1058,12 +1052,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			users = parts[0];

-		ConnectionEventFast(irc_whois_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(server.c_str()),
-			new StringVal(users.c_str()),
-		});
+		EnqueueConnEvent(irc_whois_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(server.c_str()),
+			make_intrusive<StringVal>(users.c_str())
+		);
 		}

 	else if ( irc_error_message && command == "ERROR" )
@ -1071,12 +1065,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( params[0] == ':' )
 			params = params.substr(1);

-		ConnectionEventFast(irc_error_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(params.c_str()),
-		});
+		EnqueueConnEvent(irc_error_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(params.c_str())
+		);
 		}

 	else if ( irc_invite_message && command == "INVITE" )
@ -1087,13 +1081,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 			if ( parts[1].size() > 0 && parts[1][0] == ':' )
 				parts[1] = parts[1].substr(1);

-			ConnectionEventFast(irc_invite_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(parts[0].c_str()),
-				new StringVal(parts[1].c_str()),
-			});
+			EnqueueConnEvent(irc_invite_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(parts[0].c_str()),
+				make_intrusive<StringVal>(parts[1].c_str())
+			);
 			}
 		else
 			Weird("irc_invalid_invite_message_format");
@ -1102,14 +1096,12 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	else if ( irc_mode_message && command == "MODE" )
 		{
 		if ( params.size() > 0 )
-			{
-			ConnectionEventFast(irc_mode_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(params.c_str()),
-			});
-			}
+			EnqueueConnEvent(irc_mode_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);

 		else
 			Weird("irc_invalid_mode_message_format");
@ -1117,11 +1109,11 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)

 	else if ( irc_password_message && command == "PASS" )
 		{
-		ConnectionEventFast(irc_password_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(params.c_str()),
-		});
+		EnqueueConnEvent(irc_password_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(params.c_str())
+		);
 		}

 	else if ( irc_squit_message && command == "SQUIT" )
@ -1139,13 +1131,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 				message = message.substr(1);
 			}

-		ConnectionEventFast(irc_squit_message, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig),
-			new StringVal(prefix.c_str()),
-			new StringVal(server.c_str()),
-			new StringVal(message.c_str()),
-		});
+		EnqueueConnEvent(irc_squit_message,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+			make_intrusive<StringVal>(prefix.c_str()),
+			make_intrusive<StringVal>(server.c_str()),
+			make_intrusive<StringVal>(message.c_str())
+		);
 		}


@ -1153,13 +1145,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_request )
 			{
-			ConnectionEventFast(irc_request, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(command.c_str()),
-				new StringVal(params.c_str()),
-			});
+			EnqueueConnEvent(irc_request,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);
 			}
 		}

@ -1167,13 +1159,13 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		{
 		if ( irc_message )
 			{
-			ConnectionEventFast(irc_message, {
-				BuildConnVal(),
-				val_mgr->GetBool(orig),
-				new StringVal(prefix.c_str()),
-				new StringVal(command.c_str()),
-				new StringVal(params.c_str()),
-			});
+			EnqueueConnEvent(irc_message,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+				make_intrusive<StringVal>(prefix.c_str()),
+				make_intrusive<StringVal>(command.c_str()),
+				make_intrusive<StringVal>(params.c_str())
+			);
 			}
 		}

@ -1203,7 +1195,7 @@ void IRC_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);

 	if ( irc_starttls )
-		ConnectionEventFast(irc_starttls, {BuildConnVal()});
+		EnqueueConnEvent(irc_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}

 vector<string> IRC_Analyzer::SplitWords(const string& input, char split)
--- a/src/analyzer/protocol/login/Login.cc
+++ b/src/analyzer/protocol/login/Login.cc
@ -290,9 +290,7 @@ void Login_Analyzer::AuthenticationDialog(bool orig, char* line)
 	else if ( IsSkipAuthentication(line) )
 		{
 		if ( authentication_skipped )
-			{
-			ConnectionEventFast(authentication_skipped, {BuildConnVal()});
-			}
+			EnqueueConnEvent(authentication_skipped, IntrusivePtr{AdoptRef{}, BuildConnVal()});

 		state = LOGIN_STATE_SKIP;
 		SetSkip(1);
@ -333,28 +331,22 @@ void Login_Analyzer::SetEnv(bool orig, char* name, char* val)
 			}

 		else if ( login_terminal && streq(name, "TERM") )
-			{
-			ConnectionEventFast(login_terminal, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_terminal,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);

 		else if ( login_display && streq(name, "DISPLAY") )
-			{
-			ConnectionEventFast(login_display, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_display,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);

 		else if ( login_prompt && streq(name, "TTYPROMPT") )
-			{
-			ConnectionEventFast(login_prompt, {
-				BuildConnVal(),
-				new StringVal(val),
-			});
-			}
+			EnqueueConnEvent(login_prompt,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				make_intrusive<StringVal>(val)
+			);
 		}

 	delete [] name;
@ -427,13 +419,14 @@ void Login_Analyzer::LoginEvent(EventHandlerPtr f, const char* line,
 	Val* password = HaveTypeahead() ?
 				PopUserTextVal() : new StringVal("<none>");

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		username->Ref(),
-		client_name ? client_name->Ref() : val_mgr->GetEmptyString(),
-		password,
-		new StringVal(line),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{NewRef{}, username},
+		client_name ? IntrusivePtr{NewRef{}, client_name}
+		            : IntrusivePtr{AdoptRef{}, val_mgr->GetEmptyString()},
+		IntrusivePtr{AdoptRef{}, password},
+		make_intrusive<StringVal>(line)
+	);
 	}

 const char* Login_Analyzer::GetUsername(const char* line) const
@ -449,10 +442,10 @@ void Login_Analyzer::LineEvent(EventHandlerPtr f, const char* line)
 	if ( ! f )
 		return;

-	ConnectionEventFast(f, {
-		BuildConnVal(),
-		new StringVal(line),
-	});
+	EnqueueConnEvent(f,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		make_intrusive<StringVal>(line)
+	);
 	}


@ -461,13 +454,11 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 	state = LOGIN_STATE_CONFUSED;	// to suppress further messages

 	if ( login_confused )
-		{
-		ConnectionEventFast(login_confused, {
-			BuildConnVal(),
-			new StringVal(msg),
-			new StringVal(line),
-		});
-		}
+		EnqueueConnEvent(login_confused,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(msg),
+			make_intrusive<StringVal>(line)
+		);

 	if ( login_confused_text )
 		{
@ -487,12 +478,10 @@ void Login_Analyzer::Confused(const char* msg, const char* line)
 void Login_Analyzer::ConfusionText(const char* line)
 	{
 	if ( login_confused_text )
-		{
-		ConnectionEventFast(login_confused_text, {
-			BuildConnVal(),
-			new StringVal(line),
-		});
-		}
+		EnqueueConnEvent(login_confused_text,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(line)
+		);
 	}

 int Login_Analyzer::IsPloy(const char* line)
--- a/src/analyzer/protocol/login/NVT.cc
+++ b/src/analyzer/protocol/login/NVT.cc
@ -462,12 +462,10 @@ const char* NVT_Analyzer::PeerAuthName() const
 void NVT_Analyzer::SetTerminal(const u_char* terminal, int len)
 	{
 	if ( login_terminal )
-		{
-		ConnectionEventFast(login_terminal, {
-			BuildConnVal(),
-			new StringVal(new BroString(terminal, len, 0)),
-		});
-		}
+		EnqueueConnEvent(login_terminal,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(new BroString(terminal, len, 0))
+		);
 	}

 void NVT_Analyzer::SetEncrypting(int mode)
--- a/src/analyzer/protocol/login/RSH.cc
+++ b/src/analyzer/protocol/login/RSH.cc
@ -168,27 +168,37 @@ void Rsh_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			return;
 		}

-	val_list vl(4 + orig);
+	zeek::Args vl;
+	vl.reserve(4 + orig);
 	const char* line = (const char*) data;
 	line = skip_whitespace(line);
-	vl.push_back(BuildConnVal());
-	vl.push_back(client_name ? client_name->Ref() : new StringVal("<none>"));
-	vl.push_back(username ? username->Ref() : new StringVal("<none>"));
-	vl.push_back(new StringVal(line));
+	vl.emplace_back(AdoptRef{}, BuildConnVal());
+
+	if ( client_name )
+		vl.emplace_back(NewRef{}, client_name);
+	else
+		vl.emplace_back(make_intrusive<StringVal>("<none>"));
+
+	if ( username )
+		vl.emplace_back(NewRef{}, username);
+	else
+		vl.emplace_back(make_intrusive<StringVal>("<none>"));
+
+	vl.emplace_back(make_intrusive<StringVal>(line));

 	if ( orig )
 		{
 		if ( contents_orig->RshSaveState() == RSH_SERVER_USER_NAME )
 			// First input
-			vl.push_back(val_mgr->GetTrue());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetTrue());
 		else
-			vl.push_back(val_mgr->GetFalse());
+			vl.emplace_back(AdoptRef{}, val_mgr->GetFalse());

-		ConnectionEventFast(rsh_request, std::move(vl));
+		EnqueueConnEvent(rsh_request, std::move(vl));
 		}

 	else
-		ConnectionEventFast(rsh_reply, std::move(vl));
+		EnqueueConnEvent(rsh_reply, std::move(vl));
 	}

 void Rsh_Analyzer::ClientUserName(const char* s)
--- a/src/analyzer/protocol/login/Rlogin.cc
+++ b/src/analyzer/protocol/login/Rlogin.cc
@ -244,10 +244,8 @@ void Rlogin_Analyzer::ServerUserName(const char* s)
 void Rlogin_Analyzer::TerminalType(const char* s)
 	{
 	if ( login_terminal )
-		{
-		ConnectionEventFast(login_terminal, {
-			BuildConnVal(),
-			new StringVal(s),
-		});
-		}
+		EnqueueConnEvent(login_terminal,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			make_intrusive<StringVal>(s)
+		);
 	}
--- a/src/analyzer/protocol/mime/MIME.cc
+++ b/src/analyzer/protocol/mime/MIME.cc
@ -1365,11 +1365,11 @@ void MIME_Mail::Done()
 		hash_final(md5_hash, digest);
 		md5_hash = nullptr;

-		analyzer->ConnectionEventFast(mime_content_hash, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(content_hash_length),
-			new StringVal(new BroString(1, digest, 16)),
-		});
+		analyzer->EnqueueConnEvent(mime_content_hash,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(content_hash_length)},
+			make_intrusive<StringVal>(new BroString(1, digest, 16))
+		);
 		}

 	MIME_Message::Done();
@ -1393,7 +1393,7 @@ void MIME_Mail::BeginEntity(MIME_Entity* /* entity */)
 	cur_entity_id.clear();

 	if ( mime_begin_entity )
-		analyzer->ConnectionEventFast(mime_begin_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_begin_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});

 	buffer_start = data_start = 0;
 	ASSERT(entity_content.size() == 0);
@ -1405,11 +1405,11 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		{
 		BroString* s = concatenate(entity_content);

-		analyzer->ConnectionEventFast(mime_entity_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(s->Len()),
-			new StringVal(s),
-		});
+		analyzer->EnqueueConnEvent(mime_entity_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			make_intrusive<StringVal>(s)
+		);

 		if ( ! mime_all_data )
 			delete_strings(entity_content);
@ -1418,7 +1418,7 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 		}

 	if ( mime_end_entity )
-		analyzer->ConnectionEventFast(mime_end_entity, {analyzer->BuildConnVal()});
+		analyzer->EnqueueConnEvent(mime_end_entity, IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});

 	file_mgr->EndOfFile(analyzer->GetAnalyzerTag(), analyzer->Conn());
 	cur_entity_id.clear();
@ -1427,23 +1427,19 @@ void MIME_Mail::EndEntity(MIME_Entity* /* entity */)
 void MIME_Mail::SubmitHeader(MIME_Header* h)
 	{
 	if ( mime_one_header )
-		{
-		analyzer->ConnectionEventFast(mime_one_header, {
-			analyzer->BuildConnVal(),
-			BuildHeaderVal(h),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_one_header,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildHeaderVal(h)}
+		);
 	}

 void MIME_Mail::SubmitAllHeaders(MIME_HeaderList& hlist)
 	{
 	if ( mime_all_headers )
-		{
-		analyzer->ConnectionEventFast(mime_all_headers, {
-			analyzer->BuildConnVal(),
-			BuildHeaderTable(hlist),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_all_headers,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, BuildHeaderTable(hlist)}
+		);
 	}

 void MIME_Mail::SubmitData(int len, const char* buf)
@ -1476,11 +1472,11 @@ void MIME_Mail::SubmitData(int len, const char* buf)
 		const char* data = (char*) data_buffer->Bytes() + data_start;
 		int data_len = (buf + len) - data;

-		analyzer->ConnectionEventFast(mime_segment_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(data_len),
-			new StringVal(data_len, data),
-		});
+		analyzer->EnqueueConnEvent(mime_segment_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_len)},
+			make_intrusive<StringVal>(data_len, data)
+		);
 		}

 	cur_entity_id = file_mgr->DataIn(reinterpret_cast<const u_char*>(buf), len,
@ -1523,11 +1519,11 @@ void MIME_Mail::SubmitAllData()
 		BroString* s = concatenate(all_content);
 		delete_strings(all_content);

-		analyzer->ConnectionEventFast(mime_all_data, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(s->Len()),
-			new StringVal(s),
-		});
+		analyzer->EnqueueConnEvent(mime_all_data,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(s->Len())},
+			make_intrusive<StringVal>(s)
+		);
 		}
 	}

@ -1551,11 +1547,9 @@ void MIME_Mail::SubmitEvent(int event_type, const char* detail)
 	}

 	if ( mime_event )
-		{
-		analyzer->ConnectionEventFast(mime_event, {
-			analyzer->BuildConnVal(),
-			new StringVal(category),
-			new StringVal(detail),
-		});
-		}
+		analyzer->EnqueueConnEvent(mime_event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(category),
+			make_intrusive<StringVal>(detail)
+		);
 	}
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@ -62,26 +62,21 @@ void NCP_Session::DeliverFrame(const binpac::NCP::ncp_frame* frame)
 	if ( f )
 		{
 		if ( frame->is_orig() )
-			{
-			analyzer->ConnectionEventFast(f, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(frame->frame_type()),
-				val_mgr->GetCount(frame->body_length()),
-				val_mgr->GetCount(req_func),
-			});
-			}
+			analyzer->EnqueueConnEvent(f,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)}
+			);
 		else
-			{
-			analyzer->ConnectionEventFast(f, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(frame->frame_type()),
-				val_mgr->GetCount(frame->body_length()),
-				val_mgr->GetCount(req_frame_type),
-				val_mgr->GetCount(req_func),
-				val_mgr->GetCount(frame->reply()->completion_code()),
-			});
-			}
-
+			analyzer->EnqueueConnEvent(f,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->frame_type())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->body_length())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_frame_type)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(req_func)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(frame->reply()->completion_code())}
+			);
 		}
 	}

--- a/src/analyzer/protocol/netbios/NetbiosSSN.cc
+++ b/src/analyzer/protocol/netbios/NetbiosSSN.cc
@ -59,14 +59,12 @@ int NetbiosSSN_Interpreter::ParseMessage(unsigned int type, unsigned int flags,
 				const u_char* data, int len, int is_query)
 	{
 	if ( netbios_session_message )
-		{
-		analyzer->ConnectionEventFast(netbios_session_message, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_query),
-			val_mgr->GetCount(type),
-			val_mgr->GetCount(len),
-		});
-		}
+		analyzer->EnqueueConnEvent(netbios_session_message,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_query)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(type)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);

 	switch ( type ) {
 	case NETBIOS_SSN_MSG:
@ -331,18 +329,16 @@ void NetbiosSSN_Interpreter::Event(EventHandlerPtr event, const u_char* data,
 		return;

 	if ( is_orig >= 0 )
-		{
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			new StringVal(new BroString(data, len, 0)),
-		});
-		}
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			make_intrusive<StringVal>(new BroString(data, len, 0))
+		);
 	else
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			new StringVal(new BroString(data, len, 0)),
-		});
+		analyzer->EnqueueConnEvent(event,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(new BroString(data, len, 0))
+		);
 	}


--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@ -157,12 +157,11 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 			{
 			// Queue late match event
 			EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
-			Ref(tval);

-			mgr.QueueEventFast(protocol_late_match, {
-			    BuildConnVal(),
-			    tval,
-			});
+			mgr.Enqueue(protocol_late_match,
+			    IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			    IntrusivePtr{NewRef{}, tval}
+			);
 			}

 		pkt_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
@ -306,12 +305,11 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const Rule* rule)
 			{
 			// Queue late match event
 			EnumVal *tval = tag ? tag.AsEnumVal() : GetAnalyzerTag().AsEnumVal();
-			Ref(tval);

-			mgr.QueueEventFast(protocol_late_match, {
-			    BuildConnVal(),
-			    tval
-			});
+			mgr.Enqueue(protocol_late_match,
+			    IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			    IntrusivePtr{NewRef{}, tval}
+			);
 			}

 		stream_buffer.state = dpd_late_match_stop ? SKIPPING : MATCHING_ONLY;
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@ -830,7 +830,7 @@ void POP3_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);

 	if ( pop3_starttls )
-		ConnectionEventFast(pop3_starttls, {BuildConnVal()});
+		EnqueueConnEvent(pop3_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}

 void POP3_Analyzer::AuthSuccessfull()
@ -920,14 +920,16 @@ void POP3_Analyzer::POP3Event(EventHandlerPtr event, bool is_orig,
 	if ( ! event )
 		return;

-	val_list vl(2 + (bool)arg1 + (bool)arg2);
+	zeek::Args vl;
+	vl.reserve(2 + (bool)arg1 + (bool)arg2);
+
+	vl.emplace_back(AdoptRef{}, BuildConnVal());
+	vl.emplace_back(AdoptRef{}, val_mgr->GetBool(is_orig));

-	vl.push_back(BuildConnVal());
-	vl.push_back(val_mgr->GetBool(is_orig));
 	if ( arg1 )
-		vl.push_back(new StringVal(arg1));
+		vl.emplace_back(make_intrusive<StringVal>(arg1));
 	if ( arg2 )
-		vl.push_back(new StringVal(arg2));
+		vl.emplace_back(make_intrusive<StringVal>(arg2));

-	ConnectionEventFast(event, std::move(vl));
+	EnqueueConnEvent(event, std::move(vl));
 	}
--- a/src/analyzer/protocol/rpc/MOUNT.cc
+++ b/src/analyzer/protocol/rpc/MOUNT.cc
@ -96,7 +96,7 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 		{
 		auto vl = event_common_vl(c, rpc_status, mount_status,
 					   start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(mount_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(mount_reply_status, std::move(vl));
 		}

 	if ( ! rpc_success )
@ -169,19 +169,19 @@ int MOUNT_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status
 					start_time, last_time, reply_len, (bool)request + (bool)reply);

 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);

 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);

-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
 	return 1;
 	}

-val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c, 
+zeek::Args MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 		      BifEnum::rpc_status rpc_status,
 				      BifEnum::MOUNT3::status_t mount_status,
 				      double rep_start_time,
@ -189,16 +189,17 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	{
 	// Returns a new val_list that already has a conn_val, and mount3_info.
 	// These are the first parameters for each mount_* event ...
-	val_list vl(2 + extra_elements);
-	vl.push_back(analyzer->BuildConnVal());
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	zeek::Args vl;
+	vl.reserve(2 + extra_elements);
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());
+	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());

 	for (size_t i = 0; i < c->AuxGIDs().size(); ++i)
 		{
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));
 		}

-	RecordVal* info = new RecordVal(BifType::Record::MOUNT3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::MOUNT3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::MOUNT3::status_t->GetVal(mount_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -211,9 +212,9 @@ val_list MOUNT_Interp::event_common_vl(RPC_CallInfo *c,
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));

-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}

--- a/src/analyzer/protocol/rpc/MOUNT.h
+++ b/src/analyzer/protocol/rpc/MOUNT.h
@ -16,10 +16,10 @@ protected:
 				const u_char*& buf, int& n, double start_time,
 				double last_time, int reply_len) override;

-	// Returns a new val_list that already has a conn_val, rpc_status and
+	// Returns a new arg list that already has a conn_val, rpc_status and
 	// mount_status. These are the first parameters for each mount_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::MOUNT3::status_t mount_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
--- a/src/analyzer/protocol/rpc/NFS.cc
+++ b/src/analyzer/protocol/rpc/NFS.cc
@ -150,7 +150,7 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 		{
 		auto vl = event_common_vl(c, rpc_status, nfs_status,
 					       start_time, last_time, reply_len, 0);
-		analyzer->ConnectionEventFast(nfs_reply_status, std::move(vl));
+		analyzer->EnqueueConnEvent(nfs_reply_status, std::move(vl));
 		}

 	if ( ! rpc_success )
@ -281,12 +281,12 @@ int NFS_Interp::RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
 					start_time, last_time, reply_len, (bool)request + (bool)reply);

 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);

 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);

-		analyzer->ConnectionEventFast(event, std::move(vl));
+		analyzer->EnqueueConnEvent(event, std::move(vl));
 		}
 	else
 		Unref(reply);
@ -318,21 +318,22 @@ StringVal* NFS_Interp::nfs3_file_data(const u_char*& buf, int& n, uint64_t offse
 	return 0;
 	}

-val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+zeek::Args NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				      BifEnum::NFS3::status_t nfs_status,
 				      double rep_start_time,
 				      double rep_last_time, int reply_len, int extra_elements)
 	{
 	// Returns a new val_list that already has a conn_val, and nfs3_info.
 	// These are the first parameters for each nfs_* event ...
-	val_list vl(2 + extra_elements);
-	vl.push_back(analyzer->BuildConnVal());
-	VectorVal* auxgids = new VectorVal(internal_type("index_vec")->AsVectorType());
+	zeek::Args vl;
+	vl.reserve(2 + extra_elements);
+	vl.emplace_back(IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()});
+	auto auxgids = make_intrusive<VectorVal>(internal_type("index_vec")->AsVectorType());

 	for ( size_t i = 0; i < c->AuxGIDs().size(); ++i )
 		auxgids->Assign(i, val_mgr->GetCount(c->AuxGIDs()[i]));

-	RecordVal *info = new RecordVal(BifType::Record::NFS3::info_t);
+	auto info = make_intrusive<RecordVal>(BifType::Record::NFS3::info_t);
 	info->Assign(0, BifType::Enum::rpc_status->GetVal(rpc_status));
 	info->Assign(1, BifType::Enum::NFS3::status_t->GetVal(nfs_status));
 	info->Assign(2, make_intrusive<Val>(c->StartTime(), TYPE_TIME));
@ -345,9 +346,9 @@ val_list NFS_Interp::event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_st
 	info->Assign(9, val_mgr->GetCount(c->Gid()));
 	info->Assign(10, val_mgr->GetCount(c->Stamp()));
 	info->Assign(11, make_intrusive<StringVal>(c->MachineName()));
-	info->Assign(12, auxgids);
+	info->Assign(12, std::move(auxgids));

-	vl.push_back(info);
+	vl.emplace_back(std::move(info));
 	return vl;
 	}

--- a/src/analyzer/protocol/rpc/NFS.h
+++ b/src/analyzer/protocol/rpc/NFS.h
@ -20,7 +20,7 @@ protected:
 	// Returns a new val_list that already has a conn_val, rpc_status and
 	// nfs_status. These are the first parameters for each nfs_* event
 	// ...
-	val_list event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
+	zeek::Args event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
 				BifEnum::NFS3::status_t nfs_status,
 				double rep_start_time, double rep_last_time,
 				int reply_len, int extra_elements);
--- a/src/analyzer/protocol/rpc/Portmap.cc
+++ b/src/analyzer/protocol/rpc/Portmap.cc
@ -261,10 +261,10 @@ uint32_t PortmapperInterp::CheckPort(uint32_t port)
 		{
 		if ( pm_bad_port )
 			{
-			analyzer->ConnectionEventFast(pm_bad_port, {
-				analyzer->BuildConnVal(),
-				val_mgr->GetCount(port),
-			});
+			analyzer->EnqueueConnEvent(pm_bad_port,
+				IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(port)}
+			);
 			}

 		port = 0;
@ -282,25 +282,26 @@ void PortmapperInterp::Event(EventHandlerPtr f, Val* request, BifEnum::rpc_statu
 		return;
 		}

-	val_list vl;
+	zeek::Args vl;

-	vl.push_back(analyzer->BuildConnVal());
+	vl.emplace_back(AdoptRef{}, analyzer->BuildConnVal());

 	if ( status == BifEnum::RPC_SUCCESS )
 		{
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		if ( reply )
-			vl.push_back(reply);
+			vl.emplace_back(AdoptRef{}, reply);
 		}
 	else
 		{
-		vl.push_back(BifType::Enum::rpc_status->GetVal(status).release());
+		vl.emplace_back(BifType::Enum::rpc_status->GetVal(status));
+
 		if ( request )
-			vl.push_back(request);
+			vl.emplace_back(AdoptRef{}, request);
 		}

-	analyzer->ConnectionEventFast(f, std::move(vl));
+	analyzer->EnqueueConnEvent(f, std::move(vl));
 	}

 Portmapper_Analyzer::Portmapper_Analyzer(Connection* conn)
--- a/src/analyzer/protocol/rpc/RPC.cc
+++ b/src/analyzer/protocol/rpc/RPC.cc
@ -338,46 +338,40 @@ void RPC_Interpreter::Timeout()
 void RPC_Interpreter::Event_RPC_Dialogue(RPC_CallInfo* c, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_dialogue )
-		{
-		analyzer->ConnectionEventFast(rpc_dialogue, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(c->Program()),
-			val_mgr->GetCount(c->Version()),
-			val_mgr->GetCount(c->Proc()),
-			BifType::Enum::rpc_status->GetVal(status).release(),
-			new Val(c->StartTime(), TYPE_TIME),
-			val_mgr->GetCount(c->CallLen()),
-			val_mgr->GetCount(reply_len),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_dialogue,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
+			BifType::Enum::rpc_status->GetVal(status),
+			make_intrusive<Val>(c->StartTime(), TYPE_TIME),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
+		);
 	}

 void RPC_Interpreter::Event_RPC_Call(RPC_CallInfo* c)
 	{
 	if ( rpc_call )
-		{
-		analyzer->ConnectionEventFast(rpc_call, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(c->XID()),
-			val_mgr->GetCount(c->Program()),
-			val_mgr->GetCount(c->Version()),
-			val_mgr->GetCount(c->Proc()),
-			val_mgr->GetCount(c->CallLen()),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_call,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->XID())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Program())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Version())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->Proc())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(c->CallLen())}
+		);
 	}

 void RPC_Interpreter::Event_RPC_Reply(uint32_t xid, BifEnum::rpc_status status, int reply_len)
 	{
 	if ( rpc_reply )
-		{
-		analyzer->ConnectionEventFast(rpc_reply, {
-			analyzer->BuildConnVal(),
-			val_mgr->GetCount(xid),
-			BifType::Enum::rpc_status->GetVal(status).release(),
-			val_mgr->GetCount(reply_len),
-		});
-		}
+		analyzer->EnqueueConnEvent(rpc_reply,
+			IntrusivePtr{AdoptRef{}, analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(xid)},
+			BifType::Enum::rpc_status->GetVal(status),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_len)}
+		);
 	}

 void RPC_Interpreter::Weird(const char* msg, const char* addl)
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@ -219,11 +219,11 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)

 			if ( smtp_data && ! skip_data )
 				{
-				ConnectionEventFast(smtp_data, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					new StringVal(data_len, line),
-				});
+				EnqueueConnEvent(smtp_data,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					make_intrusive<StringVal>(data_len, line)
+				);
 				}
 			}

@ -349,14 +349,14 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 						break;
 				}

-				ConnectionEventFast(smtp_reply, {
-					BuildConnVal(),
-					val_mgr->GetBool(orig),
-					val_mgr->GetCount(reply_code),
-					new StringVal(cmd),
-					new StringVal(end_of_line - line, line),
-					val_mgr->GetBool((pending_reply > 0)),
-				});
+				EnqueueConnEvent(smtp_reply,
+					IntrusivePtr{AdoptRef{}, BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(reply_code)},
+					make_intrusive<StringVal>(cmd),
+					make_intrusive<StringVal>(end_of_line - line, line),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool((pending_reply > 0))}
+				);
 				}
 			}

@ -410,7 +410,7 @@ void SMTP_Analyzer::StartTLS()
 		AddChildAnalyzer(ssl);

 	if ( smtp_starttls )
-		ConnectionEventFast(smtp_starttls, {BuildConnVal()});
+		EnqueueConnEvent(smtp_starttls, IntrusivePtr{AdoptRef{}, BuildConnVal()});
 	}


@ -854,12 +854,17 @@ void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd,
 	ProtocolConfirmation();

 	if ( smtp_request )
-		ConnectionEventFast(smtp_request, {
-			BuildConnVal(),
-			val_mgr->GetBool(orig_is_sender),
-			(new StringVal(cmd_len, cmd))->ToUpper(),
-			new StringVal(arg_len, arg),
-		});
+		{
+		auto cmd_arg = make_intrusive<StringVal>(cmd_len, cmd);
+		cmd_arg->ToUpper();
+
+		EnqueueConnEvent(smtp_request,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(orig_is_sender)},
+			std::move(cmd_arg),
+			make_intrusive<StringVal>(arg_len, arg)
+		);
+		}
 	}

 void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
@ -874,12 +879,12 @@ void SMTP_Analyzer::Unexpected(const int is_sender, const char* msg,
 		if ( ! orig_is_sender )
 			is_orig = ! is_orig;

-		ConnectionEventFast(smtp_unexpected, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			new StringVal(msg),
-			new StringVal(detail_len, detail),
-		});
+		EnqueueConnEvent(smtp_unexpected,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			make_intrusive<StringVal>(msg),
+			make_intrusive<StringVal>(detail_len, detail)
+		);
 		}
 	}

--- a/src/analyzer/protocol/stepping-stone/SteppingStone.cc
+++ b/src/analyzer/protocol/stepping-stone/SteppingStone.cc
@ -135,10 +135,10 @@ void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
 		return;

 	if ( id2 >= 0 )
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1), val_mgr->GetInt(id2)});
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)},
+		                                 IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id2)});
 	else
-		endp->TCP()->ConnectionEventFast(f, {val_mgr->GetInt(id1)});
-
+		endp->TCP()->EnqueueConnEvent(f, IntrusivePtr{AdoptRef{}, val_mgr->GetInt(id1)});
 	}

 void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
@ -146,11 +146,11 @@ void SteppingStoneEndpoint::CreateEndpEvent(int is_orig)
 	if ( ! stp_create_endp )
 		return;

-	endp->TCP()->ConnectionEventFast(stp_create_endp, {
-		endp->TCP()->BuildConnVal(),
-		val_mgr->GetInt(stp_id),
-		val_mgr->GetBool(is_orig),
-	});
+	endp->TCP()->EnqueueConnEvent(stp_create_endp,
+		IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetInt(stp_id)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+	);
 	}

 SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@ -785,17 +785,17 @@ void TCP_Analyzer::GeneratePacketEvent(
 					const u_char* data, int len, int caplen,
 					int is_orig, TCP_Flags flags)
 	{
-	ConnectionEventFast(tcp_packet, {
-		BuildConnVal(),
-		val_mgr->GetBool(is_orig),
-		new StringVal(flags.AsString()),
-		val_mgr->GetCount(rel_seq),
-		val_mgr->GetCount(flags.ACK() ? rel_ack : 0),
-		val_mgr->GetCount(len),
+	EnqueueConnEvent(tcp_packet,
+		IntrusivePtr{AdoptRef{}, BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+		make_intrusive<StringVal>(flags.AsString()),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(rel_seq)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(flags.ACK() ? rel_ack : 0)},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
 		// We need the min() here because Ethernet padding can lead to
 		// caplen > len.
-		new StringVal(min(caplen, len), (const char*) data),
-	});
+		make_intrusive<StringVal>(min(caplen, len), (const char*) data)
+	);
 	}

 int TCP_Analyzer::DeliverData(double t, const u_char* data, int len, int caplen,
@ -1101,12 +1101,10 @@ void TCP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 		            base_seq, ack_seq);

 		if ( connection_SYN_packet )
-			{
-			ConnectionEventFast(connection_SYN_packet, {
-				BuildConnVal(),
-				SYN_vals->Ref(),
-			});
-			}
+			EnqueueConnEvent(connection_SYN_packet,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{NewRef{}, SYN_vals}
+			);

 		Unref(SYN_vals);
 		}
@ -1347,17 +1345,17 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			{
 			auto kind = o[0];
 			auto length = kind < 2 ? 1 : o[1];
-			ConnectionEventFast(tcp_option, {
-				BuildConnVal(),
-				val_mgr->GetBool(is_orig),
-				val_mgr->GetCount(kind),
-				val_mgr->GetCount(length),
-				});
+			EnqueueConnEvent(tcp_option,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(kind)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(length)}
+				);
 			}

 	if ( tcp_options )
 		{
-		auto option_list = new VectorVal(BifType::Vector::TCP::OptionList);
+		auto option_list = make_intrusive<VectorVal>(BifType::Vector::TCP::OptionList);

 		auto add_option_data = [](RecordVal* rv, const u_char* odata, int olen)
 			{
@ -1460,11 +1458,11 @@ int TCP_Analyzer::ParseTCPOptions(const struct tcphdr* tcp, bool is_orig)
 			}
 			}

-		ConnectionEventFast(tcp_options, {
-			BuildConnVal(),
-			val_mgr->GetBool(is_orig),
-			option_list,
-			});
+		EnqueueConnEvent(tcp_options,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+			std::move(option_list)
+			);
 		}

 	if ( options < opt_end )
@ -1782,12 +1780,10 @@ int TCP_Analyzer::DataPending(TCP_Endpoint* closing_endp)
 void TCP_Analyzer::EndpointEOF(TCP_Reassembler* endp)
 	{
 	if ( connection_EOF )
-		{
-		ConnectionEventFast(connection_EOF, {
-			BuildConnVal(),
-			val_mgr->GetBool(endp->IsOrig()),
-		});
-		}
+		EnqueueConnEvent(connection_EOF,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())}
+		);

 	const analyzer_list& children(GetChildren());
 	LOOP_OVER_CONST_CHILDREN(i)
@ -2064,16 +2060,14 @@ int TCPStats_Endpoint::DataSent(double /* t */, uint64_t seq, int len, int caple
 		 	network_time, seq, len, max_top_seq, data_in_flight);

 		if ( tcp_rexmit )
-			{
-			endp->TCP()->ConnectionEventFast(tcp_rexmit, {
-				endp->TCP()->BuildConnVal(),
-				val_mgr->GetBool(endp->IsOrig()),
-				val_mgr->GetCount(seq),
-				val_mgr->GetCount(len),
-				val_mgr->GetCount(data_in_flight),
-				val_mgr->GetCount(endp->peer->window),
-			});
-			}
+			endp->TCP()->EnqueueConnEvent(tcp_rexmit,
+				IntrusivePtr{AdoptRef{}, endp->TCP()->BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(endp->IsOrig())},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(data_in_flight)},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(endp->peer->window)}
+			);
 		}
 	else
 		max_top_seq = top_seq;
@ -2121,11 +2115,11 @@ void TCPStats_Analyzer::Done()
 	TCP_ApplicationAnalyzer::Done();

 	if ( conn_stats )
-		ConnectionEventFast(conn_stats, {
-			BuildConnVal(),
-			orig_stats->BuildStats(),
-			resp_stats->BuildStats(),
-		});
+		EnqueueConnEvent(conn_stats,
+			IntrusivePtr{AdoptRef{}, BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, orig_stats->BuildStats()},
+			IntrusivePtr{AdoptRef{}, resp_stats->BuildStats()}
+		);
 	}

 void TCPStats_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq, const IP_Hdr* ip, int caplen)
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@ -237,13 +237,11 @@ int TCP_Endpoint::DataSent(double t, uint64_t seq, int len, int caplen,
 			reporter->Error("TCP contents write failed: %s", buf);

 			if ( contents_file_write_failure )
-				{
-				tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-					Conn()->BuildConnVal(),
-					val_mgr->GetBool(IsOrig()),
-					new StringVal(buf),
-				});
-				}
+				tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+					IntrusivePtr{AdoptRef{}, Conn()->BuildConnVal()},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+					make_intrusive<StringVal>(buf)
+				);
 			}
 		}

--- a/src/analyzer/protocol/tcp/TCP_Reassembler.cc
+++ b/src/analyzer/protocol/tcp/TCP_Reassembler.cc
@ -151,14 +151,12 @@ void TCP_Reassembler::Gap(uint64_t seq, uint64_t len)
 		endp->Gap(seq, len);

 	if ( report_gap(endp, endp->peer) )
-		{
-		dst_analyzer->ConnectionEventFast(content_gap, {
-			dst_analyzer->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			val_mgr->GetCount(seq),
-			val_mgr->GetCount(len),
-		});
-		}
+		dst_analyzer->EnqueueConnEvent(content_gap,
+			IntrusivePtr{AdoptRef{}, dst_analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
+		);

 	if ( type == Direct )
 		dst_analyzer->NextUndelivered(seq, len, IsOrig());
@ -363,13 +361,11 @@ void TCP_Reassembler::RecordBlock(const DataBlock& b, BroFile* f)
 	reporter->Error("TCP_Reassembler contents write failed");

 	if ( contents_file_write_failure )
-		{
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-			Endpoint()->Conn()->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			new StringVal("TCP reassembler content write failure"),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			make_intrusive<StringVal>("TCP reassembler content write failure")
+		);
 	}

 void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile* f)
@ -380,13 +376,11 @@ void TCP_Reassembler::RecordGap(uint64_t start_seq, uint64_t upper_seq, BroFile*
 	reporter->Error("TCP_Reassembler contents gap write failed");

 	if ( contents_file_write_failure )
-		{
-		tcp_analyzer->ConnectionEventFast(contents_file_write_failure, {
-			Endpoint()->Conn()->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			new StringVal("TCP reassembler gap write failure"),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(contents_file_write_failure,
+			IntrusivePtr{AdoptRef{}, Endpoint()->Conn()->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			make_intrusive<StringVal>("TCP reassembler gap write failure")
+		);
 	}

 void TCP_Reassembler::BlockInserted(DataBlockMap::const_iterator it)
@ -462,12 +456,12 @@ void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, uint64_t n)
 		BroString* b1_s = new BroString((const u_char*) b1, n, 0);
 		BroString* b2_s = new BroString((const u_char*) b2, n, 0);

-		tcp_analyzer->ConnectionEventFast(rexmit_inconsistency, {
-			tcp_analyzer->BuildConnVal(),
-			new StringVal(b1_s),
-			new StringVal(b2_s),
-			new StringVal(flags.AsString()),
-		});
+		tcp_analyzer->EnqueueConnEvent(rexmit_inconsistency,
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
+			make_intrusive<StringVal>(b1_s),
+			make_intrusive<StringVal>(b2_s),
+			make_intrusive<StringVal>(flags.AsString())
+		);
 		}
 	}

@ -618,14 +612,12 @@ void TCP_Reassembler::DeliverBlock(uint64_t seq, int len, const u_char* data)
 		}

 	if ( deliver_tcp_contents )
-		{
-		tcp_analyzer->ConnectionEventFast(tcp_contents, {
-			tcp_analyzer->BuildConnVal(),
-			val_mgr->GetBool(IsOrig()),
-			val_mgr->GetCount(seq),
-			new StringVal(len, (const char*) data),
-		});
-		}
+		tcp_analyzer->EnqueueConnEvent(tcp_contents,
+			IntrusivePtr{AdoptRef{}, tcp_analyzer->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(IsOrig())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(seq)},
+			make_intrusive<StringVal>(len, (const char*) data)
+		);

 	// Q. Can we say this because it is already checked in DataSent()?
 	// ASSERT(!Conn()->Skipping() && !SkipDeliveries());
--- a/src/analyzer/protocol/udp/UDP.cc
+++ b/src/analyzer/protocol/udp/UDP.cc
@ -153,13 +153,11 @@ void UDP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig,
 			}

 		if ( do_udp_contents )
-			{
-			ConnectionEventFast(udp_contents, {
-				BuildConnVal(),
-				val_mgr->GetBool(is_orig),
-				new StringVal(len, (const char*) data),
-			});
-			}
+			EnqueueConnEvent(udp_contents,
+				IntrusivePtr{AdoptRef{}, BuildConnVal()},
+				IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
+				make_intrusive<StringVal>(len, (const char*) data)
+			);

 		Unref(port_val);
 		}
--- a/src/broker/Data.cc
+++ b/src/broker/Data.cc
@ -898,29 +898,14 @@ broker::expected<broker::data> bro_broker::val_to_data(const Val* v)
 		else
 			rval = broker::table();

-		struct iter_guard {
-			iter_guard(HashKey* arg_k, ListVal* arg_lv)
-			    : k(arg_k), lv(arg_lv)
-				{}
-
-			~iter_guard()
-				{
-				delete k;
-				Unref(lv);
-				}
-
-			HashKey* k;
-			ListVal* lv;
-		};
-
-		HashKey* k;
+		HashKey* hk;
 		TableEntryVal* entry;
 		auto c = table->InitForIteration();

-		while ( (entry = table->NextEntry(k, c)) )
+		while ( (entry = table->NextEntry(hk, c)) )
 			{
-			auto vl = table_val->RecoverIndex(k);
-			iter_guard ig(k, vl);
+			auto vl = table_val->RecoverIndex(hk);
+			delete hk;

 			broker::vector composite_key;
 			composite_key.reserve(vl->Length());
--- a/src/broker/Manager.cc
+++ b/src/broker/Manager.cc
@ -545,12 +545,8 @@ bool Manager::PublishLogWrite(EnumVal* stream, EnumVal* writer, string path, int
 	std::string serial_data(data, len);
 	free(data);

-	val_list vl{
-		stream->Ref(),
-		new StringVal(path),
-	};
-
-	auto v = log_topic_func->Call(&vl);
+	auto v = log_topic_func->Call(IntrusivePtr{NewRef{}, stream},
+	                              make_intrusive<StringVal>(path));

 	if ( ! v )
 		{
@ -988,7 +984,8 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		return;
 		}

-	val_list vl(args.size());
+	zeek::Args vl;
+	vl.reserve(args.size());

 	for ( auto i = 0u; i < args.size(); ++i )
 		{
@ -997,7 +994,7 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 		auto val = data_to_val(std::move(args[i]), expected_type);

 		if ( val )
-			vl.push_back(val.release());
+			vl.emplace_back(std::move(val));
 		else
 			{
 			auto expected_name = type_name(expected_type->Tag());
@ -1018,13 +1015,8 @@ void Manager::ProcessEvent(const broker::topic& topic, broker::zeek::Event ev)
 			}
 		}

-	if ( static_cast<size_t>(vl.length()) == args.size() )
-		mgr.QueueEventFast(handler, std::move(vl), SOURCE_BROKER);
-	else
-		{
-		for ( const auto& v : vl )
-			Unref(v);
-		}
+	if ( vl.size() == args.size() )
+		mgr.Enqueue(handler, std::move(vl), SOURCE_BROKER);
 	}

 bool bro_broker::Manager::ProcessLogCreate(broker::zeek::LogCreate lc)
@ -1247,7 +1239,7 @@ void Manager::ProcessStatus(broker::status stat)
 		return;

 	auto ei = internal_type("Broker::EndpointInfo")->AsRecordType();
-	auto endpoint_info = new RecordVal(ei);
+	auto endpoint_info = make_intrusive<RecordVal>(ei);

 	if ( ctx )
 		{
@ -1272,9 +1264,9 @@ void Manager::ProcessStatus(broker::status stat)
 		}

 	auto str = stat.message();
-	auto msg = new StringVal(str ? *str : "");
+	auto msg = make_intrusive<StringVal>(str ? *str : "");

-	mgr.QueueEventFast(event, {endpoint_info, msg});
+	mgr.Enqueue(event, std::move(endpoint_info), std::move(msg));
 	}

 void Manager::ProcessError(broker::error err)
@ -1351,10 +1343,10 @@ void Manager::ProcessError(broker::error err)
 		msg = fmt("[%s] %s", caf::to_string(err.category()).c_str(), caf::to_string(err.context()).c_str());
 		}

-	mgr.QueueEventFast(Broker::error, {
-		BifType::Enum::Broker::ErrorCode->GetVal(ec).release(),
-		new StringVal(msg),
-	});
+	mgr.Enqueue(Broker::error,
+		BifType::Enum::Broker::ErrorCode->GetVal(ec),
+		make_intrusive<StringVal>(msg)
+	);
 	}

 void Manager::ProcessStoreResponse(StoreHandleVal* s, broker::store::response response)
--- a/src/broker/messaging.bif
+++ b/src/broker/messaging.bif
@ -40,7 +40,6 @@ std::set<std::string> val_to_topic_set(Val* val)
 			{
 			auto index = val->AsTableVal()->RecoverIndex(k);
 			rval.emplace(index->Index(0)->AsString()->CheckString());
-			Unref(index);
 			delete k;
 			}
 		}
@ -84,7 +83,13 @@ type Broker::Event: record;
 function Broker::make_event%(...%): Broker::Event
 	%{
 	bro_broker::Manager::ScriptScopeGuard ssg;
-	auto rval = broker_mgr->MakeEvent(@ARGS@, frame);
+	const auto& bif_args = @ARGS@;
+	val_list args(bif_args->size());
+
+	for ( auto i = 0u; i < bif_args->size(); ++i )
+		args.push_back((*bif_args)[i].get());
+
+	auto rval = broker_mgr->MakeEvent(&args, frame);
 	return rval;
 	%}

@ -99,11 +104,11 @@ function Broker::make_event%(...%): Broker::Event
 ## Returns: true if the message is sent.
 function Broker::publish%(topic: string, ...%): bool
 	%{
-	val_list* bif_args = @ARGS@;
-	val_list args(bif_args->length() - 1);
+	const auto& bif_args = @ARGS@;
+	val_list args(bif_args->size() - 1);

-	for ( auto i = 1; i < bif_args->length(); ++i )
-		args.push_back((*bif_args)[i]);
+	for ( auto i = 1u; i < bif_args->size(); ++i )
+		args.push_back((*bif_args)[i].get());

 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
@ -183,17 +188,17 @@ function Cluster::publish_rr%(pool: Pool, key: string, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::rr_topic")->ID_Val()->AsFunc();

-	val_list vl{pool->Ref(), key->Ref()};
-	auto topic = topic_func->Call(&vl);
+	zeek::Args vl{{NewRef{}, pool}, {NewRef{}, key}};
+	auto topic = topic_func->Call(vl);

 	if ( ! topic->AsString()->Len() )
 		return val_mgr->GetFalse();

-	val_list* bif_args = @ARGS@;
-	val_list args(bif_args->length() - 2);
+	const auto& bif_args = @ARGS@;
+	val_list args(bif_args->size() - 2);

-	for ( auto i = 2; i < bif_args->length(); ++i )
-		args.push_back((*bif_args)[i]);
+	for ( auto i = 2u; i < bif_args->size(); ++i )
+		args.push_back((*bif_args)[i].get());

 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
@ -220,17 +225,17 @@ function Cluster::publish_hrw%(pool: Pool, key: any, ...%): bool
 	if ( ! topic_func )
 		topic_func = global_scope()->Lookup("Cluster::hrw_topic")->ID_Val()->AsFunc();

-	val_list vl{pool->Ref(), key->Ref()};
-	auto topic = topic_func->Call(&vl);
+	zeek::Args vl{{NewRef{}, pool}, {NewRef{}, key}};
+	auto topic = topic_func->Call(vl);

 	if ( ! topic->AsString()->Len() )
 		return val_mgr->GetFalse();

-	val_list* bif_args = @ARGS@;
-	val_list args(bif_args->length() - 2);
+	const auto& bif_args = @ARGS@;
+	val_list args(bif_args->size() - 2);

-	for ( auto i = 2; i < bif_args->length(); ++i )
-		args.push_back((*bif_args)[i]);
+	for ( auto i = 2u; i < bif_args->size(); ++i )
+		args.push_back((*bif_args)[i].get());

 	auto rval = publish_event_args(args, topic->AsString(), frame);
 	return val_mgr->GetBool(rval);
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@ -155,9 +155,9 @@ void File::RaiseFileOverNewConnection(Connection* conn, bool is_orig)
 	if ( conn && FileEventAvailable(file_over_new_connection) )
 		{
 		FileEvent(file_over_new_connection, {
-			val->Ref(),
-			conn->BuildConnVal(),
-			val_mgr->GetBool(is_orig),
+			IntrusivePtr{NewRef{}, val},
+			IntrusivePtr{AdoptRef{}, conn->BuildConnVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)},
 		});
 		}
 	}
@ -299,11 +299,11 @@ bool File::SetMime(const string& mime_type)
 	if ( ! FileEventAvailable(file_sniff) )
 		return false;

-	RecordVal* meta = new RecordVal(fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(fa_metadata_type);
 	meta->Assign(meta_mime_type_idx, make_intrusive<StringVal>(mime_type));
 	meta->Assign(meta_inferred_idx, val_mgr->GetBool(0));

-	FileEvent(file_sniff, {val->Ref(), meta});
+	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
 	return true;
 	}

@ -332,7 +332,7 @@ void File::InferMetadata()
 	len = min(len, LookupFieldDefaultCount(bof_buffer_size_idx));
 	file_mgr->DetectMIME(data, len, &matches);

-	RecordVal* meta = new RecordVal(fa_metadata_type);
+	auto meta = make_intrusive<RecordVal>(fa_metadata_type);

 	if ( ! matches.empty() )
 		{
@ -342,8 +342,7 @@ void File::InferMetadata()
 		             file_analysis::GenMIMEMatchesVal(matches));
 		}

-	FileEvent(file_sniff, {val->Ref(), meta});
-	return;
+	FileEvent(file_sniff, {IntrusivePtr{NewRef{}, val}, std::move(meta)});
 	}

 bool File::BufferBOF(const u_char* data, uint64_t len)
@ -455,9 +454,9 @@ void File::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 			if ( FileEventAvailable(file_reassembly_overflow) )
 				{
 				FileEvent(file_reassembly_overflow, {
-					val->Ref(),
-					val_mgr->GetCount(current_offset),
-					val_mgr->GetCount(gap_bytes),
+					IntrusivePtr{NewRef{}, val},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(current_offset)},
+					IntrusivePtr{AdoptRef{}, val_mgr->GetCount(gap_bytes)}
 				});
 				}
 			}
@ -600,9 +599,9 @@ void File::Gap(uint64_t offset, uint64_t len)
 	if ( FileEventAvailable(file_gap) )
 		{
 		FileEvent(file_gap, {
-			val->Ref(),
-			val_mgr->GetCount(offset),
-			val_mgr->GetCount(len),
+			IntrusivePtr{NewRef{}, val},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(offset)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
 		});
 		}

@ -622,18 +621,23 @@ void File::FileEvent(EventHandlerPtr h)
 	if ( ! FileEventAvailable(h) )
 		return;

-	FileEvent(h, {val->Ref()});
+	FileEvent(h, zeek::Args{{NewRef{}, val}});
 	}

 void File::FileEvent(EventHandlerPtr h, val_list* vl)
 	{
-	FileEvent(h, std::move(*vl));
+	FileEvent(h, zeek::val_list_to_args(*vl));
 	delete vl;
 	}

 void File::FileEvent(EventHandlerPtr h, val_list vl)
 	{
-	mgr.QueueEventFast(h, std::move(vl));
+	FileEvent(h, zeek::val_list_to_args(vl));
+	}
+
+void File::FileEvent(EventHandlerPtr h, zeek::Args args)
+	{
+	mgr.Enqueue(h, std::move(args));

 	if ( h == file_new || h == file_over_new_connection ||
 	     h == file_sniff ||
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@ -10,6 +10,7 @@
 #include "AnalyzerSet.h"
 #include "BroString.h"
 #include "BroList.h" // for val_list
+#include "ZeekArgs.h"
 #include "WeirdState.h"

 using std::string;
@ -175,6 +176,7 @@ public:
 	 * @param h pointer to an event handler.
 	 * @param vl list of argument values to pass to event call.
 	 */
+	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
 	void FileEvent(EventHandlerPtr h, val_list* vl);

 	/**
@ -182,8 +184,16 @@ public:
 	 * @param h pointer to an event handler.
 	 * @param vl list of argument values to pass to event call.
 	 */
+	[[deprecated("Remove in v4.1. Use zeek::Args overload instead.")]]
 	void FileEvent(EventHandlerPtr h, val_list vl);

+	/**
+	 * Raises an event related to the file's life-cycle.
+	 * @param h pointer to an event handler.
+	 * @param args list of argument values to pass to event call.
+	 */
+	void FileEvent(EventHandlerPtr h, zeek::Args args);
+
 	/**
 	 * Sets the MIME type for a file to a specific value.
 	 *
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@ -432,13 +432,12 @@ string Manager::GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig)
 		analyzer_mgr->GetComponentName(tag).c_str());

 	EnumVal* tagval = tag.AsEnumVal();
-	Ref(tagval);

-	mgr.QueueEventFast(get_file_handle, {
-		tagval,
-		c->BuildConnVal(),
-		val_mgr->GetBool(is_orig),
-	});
+	mgr.Enqueue(get_file_handle,
+		IntrusivePtr{NewRef{}, tagval},
+		IntrusivePtr{AdoptRef{}, c->BuildConnVal()},
+		IntrusivePtr{AdoptRef{}, val_mgr->GetBool(is_orig)}
+	);
 	mgr.Drain(); // need file handle immediately so we don't have to buffer data
 	return current_file_id;
 	}
--- a/src/file_analysis/analyzer/data_event/DataEvent.cc
+++ b/src/file_analysis/analyzer/data_event/DataEvent.cc
@ -42,11 +42,11 @@ bool DataEvent::DeliverChunk(const u_char* data, uint64_t len, uint64_t offset)
 	{
 	if ( ! chunk_event ) return true;

-	mgr.QueueEventFast(chunk_event, {
-		GetFile()->GetVal()->Ref(),
-		new StringVal(new BroString(data, len, 0)),
-		val_mgr->GetCount(offset),
-	});
+	mgr.Enqueue(chunk_event,
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		make_intrusive<StringVal>(new BroString(data, len, 0)),
+		IntrusivePtr{AdoptRef{}, val_mgr->GetCount(offset)}
+	);

 	return true;
 	}
@ -55,10 +55,10 @@ bool DataEvent::DeliverStream(const u_char* data, uint64_t len)
 	{
 	if ( ! stream_event ) return true;

-	mgr.QueueEventFast(stream_event, {
-		GetFile()->GetVal()->Ref(),
-		new StringVal(new BroString(data, len, 0)),
-	});
+	mgr.Enqueue(stream_event,
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		make_intrusive<StringVal>(new BroString(data, len, 0))
+	);

 	return true;
 	}
--- a/src/file_analysis/analyzer/entropy/Entropy.cc
+++ b/src/file_analysis/analyzer/entropy/Entropy.cc
@ -60,15 +60,15 @@ void Entropy::Finalize()
 	montepi = scc = ent = mean = chisq = 0.0;
 	entropy->Get(&ent, &chisq, &mean, &montepi, &scc);

-	RecordVal* ent_result = new RecordVal(entropy_test_result);
+	auto ent_result = make_intrusive<RecordVal>(entropy_test_result);
 	ent_result->Assign(0, make_intrusive<Val>(ent,     TYPE_DOUBLE));
 	ent_result->Assign(1, make_intrusive<Val>(chisq,   TYPE_DOUBLE));
 	ent_result->Assign(2, make_intrusive<Val>(mean,    TYPE_DOUBLE));
 	ent_result->Assign(3, make_intrusive<Val>(montepi, TYPE_DOUBLE));
 	ent_result->Assign(4, make_intrusive<Val>(scc,     TYPE_DOUBLE));

-	mgr.QueueEventFast(file_entropy, {
-		GetFile()->GetVal()->Ref(),
-		ent_result,
-	});
+	mgr.Enqueue(file_entropy,
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		std::move(ent_result)
+	);
 	}
--- a/src/file_analysis/analyzer/extract/Extract.cc
+++ b/src/file_analysis/analyzer/extract/Extract.cc
@ -92,10 +92,10 @@ bool Extract::DeliverStream(const u_char* data, uint64_t len)
 		{
 		File* f = GetFile();
 		f->FileEvent(file_extraction_limit, {
-			f->GetVal()->Ref(),
-			Args()->Ref(),
-			val_mgr->GetCount(limit),
-			val_mgr->GetCount(len),
+			IntrusivePtr{NewRef{}, f->GetVal()},
+			IntrusivePtr{NewRef{}, Args()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(limit)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(len)}
 		});

 		// Limit may have been modified by a BIF, re-check it.
--- a/src/file_analysis/analyzer/hash/Hash.cc
+++ b/src/file_analysis/analyzer/hash/Hash.cc
@ -51,9 +51,9 @@ void Hash::Finalize()
 	if ( ! file_hash )
 		return;

-	mgr.QueueEventFast(file_hash, {
-		GetFile()->GetVal()->Ref(),
-		new StringVal(kind),
-		hash->Get().release(),
-	});
+	mgr.Enqueue(file_hash,
+		IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		make_intrusive<StringVal>(kind),
+		hash->Get()
+	);
 	}
--- a/src/file_analysis/analyzer/pe/pe-analyzer.pac
+++ b/src/file_analysis/analyzer/pe/pe-analyzer.pac
@ -42,7 +42,7 @@ refine flow File += {
 		%{
 		if ( pe_dos_header )
 			{
-			RecordVal* dh = new RecordVal(BifType::Record::PE::DOSHeader);
+			auto dh = make_intrusive<RecordVal>(BifType::Record::PE::DOSHeader);
 			dh->Assign(0, make_intrusive<StringVal>(${h.signature}.length(), (const char*) ${h.signature}.data()));
 			dh->Assign(1, val_mgr->GetCount(${h.UsedBytesInTheLastPage}));
 			dh->Assign(2, val_mgr->GetCount(${h.FileSizeInPages}));
@ -61,10 +61,9 @@ refine flow File += {
 			dh->Assign(15, val_mgr->GetCount(${h.OEMinfo}));
 			dh->Assign(16, val_mgr->GetCount(${h.AddressOfNewExeHeader}));

-			mgr.QueueEventFast(pe_dos_header, {
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			    dh
-			    });
+			mgr.Enqueue(pe_dos_header,
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    std::move(dh));
 			}
 		return true;
 		%}
@ -72,12 +71,10 @@ refine flow File += {
 	function proc_dos_code(code: bytestring): bool
 		%{
 		if ( pe_dos_code )
-			{
-			mgr.QueueEventFast(pe_dos_code, {
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			    new StringVal(code.length(), (const char*) code.data())
-			    });
-			}
+			mgr.Enqueue(pe_dos_code,
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    make_intrusive<StringVal>(code.length(), (const char*) code.data())
+			    );
 		return true;
 		%}

@ -95,7 +92,7 @@ refine flow File += {
 		%{
 		if ( pe_file_header )
 			{
-			RecordVal* fh = new RecordVal(BifType::Record::PE::FileHeader);
+			auto fh = make_intrusive<RecordVal>(BifType::Record::PE::FileHeader);
 			fh->Assign(0, val_mgr->GetCount(${h.Machine}));
 			fh->Assign(1, make_intrusive<Val>(static_cast<double>(${h.TimeDateStamp}), TYPE_TIME));
 			fh->Assign(2, val_mgr->GetCount(${h.PointerToSymbolTable}));
@ -103,10 +100,9 @@ refine flow File += {
 			fh->Assign(4, val_mgr->GetCount(${h.SizeOfOptionalHeader}));
 			fh->Assign(5, characteristics_to_bro(${h.Characteristics}, 16));

-			mgr.QueueEventFast(pe_file_header, {
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			    fh
-			    });
+			mgr.Enqueue(pe_file_header,
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    std::move(fh));
 			}

 		return true;
@ -124,7 +120,7 @@ refine flow File += {

 		if ( pe_optional_header )
 			{
-			RecordVal* oh = new RecordVal(BifType::Record::PE::OptionalHeader);
+			auto oh = make_intrusive<RecordVal>(BifType::Record::PE::OptionalHeader);

 			oh->Assign(0, val_mgr->GetCount(${h.magic}));
 			oh->Assign(1, val_mgr->GetCount(${h.major_linker_version}));
@ -155,10 +151,9 @@ refine flow File += {

 			oh->Assign(23, process_rvas(${h.rvas}));

-			mgr.QueueEventFast(pe_optional_header, {
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			    oh
-			    });
+			mgr.Enqueue(pe_optional_header,
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    std::move(oh));
 			}
 		return true;
 		%}
@ -167,7 +162,7 @@ refine flow File += {
 		%{
 		if ( pe_section_header )
 			{
-			RecordVal* section_header = new RecordVal(BifType::Record::PE::SectionHeader);
+			auto section_header = make_intrusive<RecordVal>(BifType::Record::PE::SectionHeader);

 			// Strip null characters from the end of the section name.
 			u_char* first_null = (u_char*) memchr(${h.name}.data(), 0, ${h.name}.length());
@ -188,10 +183,10 @@ refine flow File += {
 			section_header->Assign(8, val_mgr->GetCount(${h.non_used_num_of_line_nums}));
 			section_header->Assign(9, characteristics_to_bro(${h.characteristics}, 32));

-			mgr.QueueEventFast(pe_section_header, {
-			    connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-			    section_header
-			    });
+			mgr.Enqueue(pe_section_header,
+			    IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+			    std::move(section_header)
+			    );
 			}
 		return true;
 		%}
--- a/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
+++ b/src/file_analysis/analyzer/unified2/unified2-analyzer.pac
@ -66,7 +66,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_event )
 			{
-			RecordVal* ids_event = new RecordVal(BifType::Record::Unified2::IDSEvent);
+			auto ids_event = make_intrusive<RecordVal>(BifType::Record::Unified2::IDSEvent);
 			ids_event->Assign(0, val_mgr->GetCount(${ev.sensor_id}));
 			ids_event->Assign(1, val_mgr->GetCount(${ev.event_id}));
 			ids_event->Assign(2, make_intrusive<Val>(ts_to_double(${ev.ts}), TYPE_TIME));
@ -81,11 +81,9 @@ refine flow Flow += {
 			ids_event->Assign(11, to_port(${ev.dst_p}, ${ev.protocol}));
 			ids_event->Assign(17, val_mgr->GetCount(${ev.packet_action}));

-			mgr.QueueEventFast(::unified2_event, {
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-					ids_event,
-					},
-				SOURCE_LOCAL);
+			mgr.Enqueue(::unified2_event,
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					std::move(ids_event));
 			}
 		return true;
 		%}
@ -94,7 +92,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_event )
 			{
-			RecordVal* ids_event = new RecordVal(BifType::Record::Unified2::IDSEvent);
+			auto ids_event = make_intrusive<RecordVal>(BifType::Record::Unified2::IDSEvent);
 			ids_event->Assign(0, val_mgr->GetCount(${ev.sensor_id}));
 			ids_event->Assign(1, val_mgr->GetCount(${ev.event_id}));
 			ids_event->Assign(2, make_intrusive<Val>(ts_to_double(${ev.ts}), TYPE_TIME));
@ -113,11 +111,9 @@ refine flow Flow += {
 			ids_event->Assign(15, val_mgr->GetCount(${ev.mpls_label}));
 			ids_event->Assign(16, val_mgr->GetCount(${ev.vlan_id}));

-			mgr.QueueEventFast(::unified2_event, {
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-					ids_event,
-					},
-				SOURCE_LOCAL);
+			mgr.Enqueue(::unified2_event,
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					std::move(ids_event));
 			}

 		return true;
@ -127,7 +123,7 @@ refine flow Flow += {
 		%{
 		if ( ::unified2_packet )
 			{
-			RecordVal* packet = new RecordVal(BifType::Record::Unified2::Packet);
+			auto packet = make_intrusive<RecordVal>(BifType::Record::Unified2::Packet);
 			packet->Assign(0, val_mgr->GetCount(${pkt.sensor_id}));
 			packet->Assign(1, val_mgr->GetCount(${pkt.event_id}));
 			packet->Assign(2, val_mgr->GetCount(${pkt.event_second}));
@ -135,11 +131,9 @@ refine flow Flow += {
 			packet->Assign(4, val_mgr->GetCount(${pkt.link_type}));
 			packet->Assign(5, bytestring_to_val(${pkt.packet_data}));

-			mgr.QueueEventFast(::unified2_packet, {
-					connection()->bro_analyzer()->GetFile()->GetVal()->Ref(),
-					packet,
-					},
-				SOURCE_LOCAL);
+			mgr.Enqueue(::unified2_packet,
+					IntrusivePtr{NewRef{}, connection()->bro_analyzer()->GetFile()->GetVal()},
+					std::move(packet));
 			}

 		return true;
--- a/src/file_analysis/analyzer/x509/OCSP.cc
+++ b/src/file_analysis/analyzer/x509/OCSP.cc
@ -75,7 +75,7 @@ static bool OCSP_RESPID_bio(OCSP_BASICRESP* basic_resp, BIO* bio)
 	return true;
 	}

-bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
+static bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, zeek::Args* vl, BIO* bio)
 	{
 	ASN1_OBJECT*       hash_alg         = nullptr;
 	ASN1_OCTET_STRING* issuer_name_hash = nullptr;
@ -89,10 +89,10 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)
 	if ( ! res )
 		{
 		reporter->Weird("OpenSSL failed to get OCSP_CERTID info");
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
-		vl->push_back(val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
+		vl->emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		return false;
 		}

@ -101,22 +101,22 @@ bool ocsp_add_cert_id(const OCSP_CERTID* cert_id, val_list* vl, BIO* bio)

 	i2a_ASN1_OBJECT(bio, hash_alg);
 	int len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);

 	i2a_ASN1_STRING(bio, issuer_name_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);

 	i2a_ASN1_STRING(bio, issuer_key_hash, V_ASN1_OCTET_STRING);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);

 	i2a_ASN1_INTEGER(bio, serial_number);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl->push_back(new StringVal(len, buf));
+	vl->emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);

 	return true;
@ -420,24 +420,27 @@ void file_analysis::OCSP::ParseRequest(OCSP_REQUEST* req)
 #endif

 	if ( ocsp_request )
-		mgr.QueueEventFast(ocsp_request, {
-			GetFile()->GetVal()->Ref(),
-			val_mgr->GetCount(version),
-		});
+		mgr.Enqueue(ocsp_request,
+			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(version)}
+		);

 	BIO *bio = BIO_new(BIO_s_mem());

 	int req_count = OCSP_request_onereq_count(req);
 	for ( int i=0; i<req_count; i++ )
 		{
-		val_list rvl(5);
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		zeek::Args rvl;
+		rvl.reserve(5);
+		rvl.emplace_back(NewRef{}, GetFile()->GetVal());

 		OCSP_ONEREQ *one_req = OCSP_request_onereq_get0(req, i);
 		OCSP_CERTID *cert_id = OCSP_onereq_get0_id(one_req);

 		ocsp_add_cert_id(cert_id, &rvl, bio);
-		mgr.QueueEvent(ocsp_request_certificate, std::move(rvl));
+
+		if ( ocsp_request_certificate )
+			mgr.Enqueue(ocsp_request_certificate, std::move(rvl));
 		}

 	BIO_free(bio);
@ -463,10 +466,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	StringVal* status_val = new StringVal(strlen(status_str), status_str);

 	if ( ocsp_response_status )
-		mgr.QueueEventFast(ocsp_response_status, {
-			GetFile()->GetVal()->Ref(),
-			status_val->Ref(),
-		});
+		mgr.Enqueue(ocsp_response_status,
+			IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+			IntrusivePtr{NewRef{}, status_val}
+		);

 	//if (!resp_bytes)
 	//	{
@ -479,7 +482,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//int len = BIO_read(bio, buf, sizeof(buf));
 	//BIO_reset(bio);

-	val_list vl(8);
+	zeek::Args vl;
+	vl.reserve(8);

 	// get the basic response
 	basic_resp = OCSP_response_get1_basic(resp);
@ -498,26 +502,26 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		}
 #endif

-	vl.push_back(GetFile()->GetVal()->Ref());
-	vl.push_back(status_val);
+	vl.emplace_back(NewRef{}, GetFile()->GetVal());
+	vl.emplace_back(AdoptRef{}, status_val);

 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
-	vl.push_back(val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
+	vl.emplace_back(AdoptRef{}, val_mgr->GetCount((uint64_t)ASN1_INTEGER_get(resp_data->version)));
 #else
-	vl.push_back(parse_basic_resp_data_version(basic_resp));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_data_version(basic_resp));
 #endif

 	// responderID
 	if ( OCSP_RESPID_bio(basic_resp, bio) )
 		{
 		len = BIO_read(bio, buf, sizeof(buf));
-		vl.push_back(new StringVal(len, buf));
+		vl.emplace_back(make_intrusive<StringVal>(len, buf));
 		BIO_reset(bio);
 		}
 	else
 		{
 		reporter->Weird("OpenSSL failed to get OCSP responder id");
-		vl.push_back(val_mgr->GetEmptyString());
+		vl.emplace_back(AdoptRef{}, val_mgr->GetEmptyString());
 		}

 	// producedAt
@ -527,7 +531,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	produced_at = OCSP_resp_get0_produced_at(basic_resp);
 #endif

-	vl.push_back(new Val(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));
+	vl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(produced_at, GetFile(), reporter), TYPE_TIME));

 	// responses

@ -540,8 +544,9 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 		if ( !single_resp )
 			continue;

-		val_list rvl(10);
-		rvl.push_back(GetFile()->GetVal()->Ref());
+		zeek::Args rvl;
+		rvl.reserve(10);
+		rvl.emplace_back(NewRef{}, GetFile()->GetVal());

 		// cert id
 		const OCSP_CERTID* cert_id = nullptr;
@ -569,38 +574,39 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			reporter->Weird("OpenSSL failed to find status of OCSP response");

 		const char* cert_status_str = OCSP_cert_status_str(status);
-		rvl.push_back(new StringVal(strlen(cert_status_str), cert_status_str));
+		rvl.emplace_back(make_intrusive<StringVal>(strlen(cert_status_str), cert_status_str));

 		// revocation time and reason if revoked
 		if ( status == V_OCSP_CERTSTATUS_REVOKED )
 			{
-			rvl.push_back(new Val(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(revoke_time, GetFile(), reporter), TYPE_TIME));

 			if ( reason != OCSP_REVOKED_STATUS_NOSTATUS )
 				{
 				const char* revoke_reason = OCSP_crl_reason_str(reason);
-				rvl.push_back(new StringVal(strlen(revoke_reason), revoke_reason));
+				rvl.emplace_back(make_intrusive<StringVal>(strlen(revoke_reason), revoke_reason));
 				}
 			else
-				rvl.push_back(new StringVal(0, ""));
+				rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}
 		else
 			{
-			rvl.push_back(new Val(0.0, TYPE_TIME));
-			rvl.push_back(new StringVal(0, ""));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<StringVal>(0, ""));
 			}

 		if ( this_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(this_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));

 		if ( next_update )
-			rvl.push_back(new Val(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(GetTimeFromAsn1(next_update, GetFile(), reporter), TYPE_TIME));
 		else
-			rvl.push_back(new Val(0.0, TYPE_TIME));
+			rvl.emplace_back(make_intrusive<Val>(0.0, TYPE_TIME));

-		mgr.QueueEvent(ocsp_response_certificate, std::move(rvl));
+		if ( ocsp_response_certificate )
+			mgr.Enqueue(ocsp_response_certificate, std::move(rvl));

 		num_ext = OCSP_SINGLERESP_get_ext_count(single_resp);
 		for ( int k = 0; k < num_ext; ++k )
@ -616,10 +622,10 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	i2a_ASN1_OBJECT(bio, basic_resp->signatureAlgorithm->algorithm);
 	len = BIO_read(bio, buf, sizeof(buf));
-	vl.push_back(new StringVal(len, buf));
+	vl.emplace_back(make_intrusive<StringVal>(len, buf));
 	BIO_reset(bio);
 #else
-	vl.push_back(parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
+	vl.emplace_back(AdoptRef{}, parse_basic_resp_sig_alg(basic_resp, bio, buf, sizeof(buf)));
 #endif

 	//i2a_ASN1_OBJECT(bio, basic_resp->signature);
@ -628,7 +634,7 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 	//BIO_reset(bio);

 	certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
-	vl.push_back(certs_vector);
+	vl.emplace_back(AdoptRef{}, certs_vector);

 #if ( OPENSSL_VERSION_NUMBER < 0x10100000L ) || defined(LIBRESSL_VERSION_NUMBER)
 	certs = basic_resp->certs;
@ -650,7 +656,8 @@ void file_analysis::OCSP::ParseResponse(OCSP_RESPONSE *resp)
 			}
 	  }

-	mgr.QueueEvent(ocsp_response_bytes, std::move(vl));
+	if ( ocsp_response_bytes )
+		mgr.Enqueue(ocsp_response_bytes, std::move(vl));

 	// ok, now that we are done with the actual certificate - let's parse extensions :)
 	num_ext = OCSP_BASICRESP_get_ext_count(basic_resp);
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -60,11 +60,9 @@ bool file_analysis::X509::EndOfFile()
 				return false;
 			// yup, let's call the callback.

-			val_list vl(3);
-			vl.push_back(GetFile()->GetVal()->Ref());
-			vl.push_back(entry.release());
-			vl.push_back(new StringVal(cert_sha256));
-			cache_hit_callback->Call(&vl);
+			cache_hit_callback->Call(IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+			                         std::move(entry),
+			                         make_intrusive<StringVal>(cert_sha256));
 			return false;
 			}
 		}
@ -84,11 +82,11 @@ bool file_analysis::X509::EndOfFile()
 	RecordVal* cert_record = ParseCertificate(cert_val, GetFile());

 	// and send the record on to scriptland
-	mgr.QueueEvent(x509_certificate, {
-		GetFile()->GetVal()->Ref(),
-		cert_val->Ref(),
-		cert_record->Ref(), // we Ref it here, because we want to keep a copy around for now...
-	});
+	if ( x509_certificate )
+		mgr.Enqueue(x509_certificate,
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            IntrusivePtr{NewRef{}, cert_val},
+		            IntrusivePtr{NewRef{}, cert_record});

 	// after parsing the certificate - parse the extensions...

@ -291,16 +289,16 @@ void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex)
 		{
 		if ( x509_ext_basic_constraints )
 			{
-			RecordVal* pBasicConstraint = new RecordVal(BifType::Record::X509::BasicConstraints);
+			auto pBasicConstraint = make_intrusive<RecordVal>(BifType::Record::X509::BasicConstraints);
 			pBasicConstraint->Assign(0, val_mgr->GetBool(constr->ca ? 1 : 0));

 			if ( constr->pathlen )
 				pBasicConstraint->Assign(1, val_mgr->GetCount((int32_t) ASN1_INTEGER_get(constr->pathlen)));

-			mgr.QueueEventFast(x509_ext_basic_constraints, {
-				GetFile()->GetVal()->Ref(),
-				pBasicConstraint,
-			});
+			mgr.Enqueue(x509_ext_basic_constraints,
+				IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+				std::move(pBasicConstraint)
+			);
 			}

 		BASIC_CONSTRAINTS_free(constr);
@ -422,7 +420,7 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)
 			}
 		}

-		RecordVal* sanExt = new RecordVal(BifType::Record::X509::SubjectAlternativeName);
+		auto sanExt = make_intrusive<RecordVal>(BifType::Record::X509::SubjectAlternativeName);

 		if ( names != 0 )
 			sanExt->Assign(0, names);
@ -438,10 +436,9 @@ void file_analysis::X509::ParseSAN(X509_EXTENSION* ext)

 		sanExt->Assign(4, val_mgr->GetBool(otherfields));

-		mgr.QueueEvent(x509_ext_subject_alternative_name, {
-			GetFile()->GetVal()->Ref(),
-			sanExt,
-		});
+		mgr.Enqueue(x509_ext_subject_alternative_name,
+		            IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            std::move(sanExt));
 	GENERAL_NAMES_free(altname);
 	}

--- a/src/file_analysis/analyzer/x509/X509Common.cc
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@ -257,12 +257,19 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 			}
 		}

-	StringVal* ext_val = GetExtensionFromBIO(bio, GetFile());
+	auto ext_val = GetExtensionFromBIO(bio, GetFile());
+
+	if ( ! h )
+		{
+		// let individual analyzers parse more.
+		ParseExtensionsSpecific(ex, global, ext_asn, oid);
+		return;
+		}

 	if ( ! ext_val )
-		ext_val = new StringVal(0, "");
+		ext_val = make_intrusive<StringVal>(0, "");

-	RecordVal* pX509Ext = new RecordVal(BifType::Record::X509::Extension);
+	auto pX509Ext = make_intrusive<RecordVal>(BifType::Record::X509::Extension);
 	pX509Ext->Assign(0, make_intrusive<StringVal>(name));

 	if ( short_name and strlen(short_name) > 0 )
@ -280,22 +287,18 @@ void file_analysis::X509Common::ParseExtension(X509_EXTENSION* ex, const EventHa
 	// but I am not sure if there is a better way to do it...

 	if ( h == ocsp_extension )
-		mgr.QueueEvent(h, {
-			GetFile()->GetVal()->Ref(),
-			pX509Ext,
-			val_mgr->GetBool(global ? 1 : 0),
-		});
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+					std::move(pX509Ext),
+					IntrusivePtr{AdoptRef{}, val_mgr->GetBool(global)});
 	else
-		mgr.QueueEvent(h, {
-			GetFile()->GetVal()->Ref(),
-			pX509Ext,
-		});
+		mgr.Enqueue(h, IntrusivePtr{NewRef{}, GetFile()->GetVal()},
+		            std::move(pX509Ext));

 	// let individual analyzers parse more.
 	ParseExtensionsSpecific(ex, global, ext_asn, oid);
 	}

-StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
+IntrusivePtr<StringVal> file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	{
 	BIO_flush(bio);
 	ERR_clear_error();
@ -313,7 +316,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 	if ( length == 0 )
 		{
 		BIO_free_all(bio);
-		return val_mgr->GetEmptyString();
+		return {AdoptRef{}, val_mgr->GetEmptyString()};
 		}

 	char* buffer = (char*) malloc(length);
@ -328,7 +331,7 @@ StringVal* file_analysis::X509Common::GetExtensionFromBIO(BIO* bio, File* f)
 		}

 	BIO_read(bio, (void*) buffer, length);
-	StringVal* ext_val = new StringVal(length, buffer);
+	auto ext_val = make_intrusive<StringVal>(length, buffer);

 	free(buffer);
 	BIO_free_all(bio);
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@ -13,6 +13,7 @@
 class EventHandlerPtr;
 class Reporter;
 class StringVal;
+template <class T> class IntrusivePtr;

 namespace file_analysis {

@ -34,7 +35,7 @@ public:
 	 *
 	 * @return The X509 extension value.
 	 */
-	static StringVal* GetExtensionFromBIO(BIO* bio, File* f = 0);
+	static IntrusivePtr<StringVal> GetExtensionFromBIO(BIO* bio, File* f = 0);

 	static double GetTimeFromAsn1(const ASN1_TIME* atime, File* f, Reporter* reporter);

--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@ -189,12 +189,12 @@ function x509_get_certificate_string%(cert: opaque of x509, pem: bool &default=F
 	else
 		i2d_X509_bio(bio, h->GetCertificate());

-	StringVal* ext_val = file_analysis::X509::GetExtensionFromBIO(bio);
+	auto ext_val = file_analysis::X509::GetExtensionFromBIO(bio);

 	if ( ! ext_val )
-		ext_val = val_mgr->GetEmptyString();
+		ext_val = {AdoptRef{}, val_mgr->GetEmptyString()};

-	return ext_val;
+	return ext_val.release();
 	%}

 ## Verifies an OCSP reply.
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@ -38,15 +38,15 @@ refine connection MockConnection += {
 		if ( ! x509_ocsp_ext_signed_certificate_timestamp )
 			return true;

-		mgr.QueueEventFast(x509_ocsp_ext_signed_certificate_timestamp, {
-			bro_analyzer()->GetFile()->GetVal()->Ref(),
-			val_mgr->GetCount(version),
-			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
-			val_mgr->GetCount(timestamp),
-			val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm()),
-			val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm()),
-			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
-			});
+		mgr.Enqueue(x509_ocsp_ext_signed_certificate_timestamp,
+			IntrusivePtr{NewRef{}, bro_analyzer()->GetFile()->GetVal()},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(version)},
+			make_intrusive<StringVal>(logid.length(), reinterpret_cast<const char*>(logid.begin())),
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(timestamp)},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(digitally_signed_algorithms->HashAlgorithm())},
+			IntrusivePtr{AdoptRef{}, val_mgr->GetCount(digitally_signed_algorithms->SignatureAlgorithm())},
+			make_intrusive<StringVal>(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
+			);

 		return true;
 		%}
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@ -283,11 +283,10 @@ bool Manager::CreateStream(Stream* info, RecordVal* description)
 		TableEntryVal* v;
 		while ( (v = info->config->AsTable()->NextEntry(k, c)) )
 			{
-			ListVal* index = info->config->RecoverIndex(k);
+			auto index = info->config->RecoverIndex(k);
 			string key = index->Index(0)->AsString()->CheckString();
 			string value = v->Value()->AsString()->CheckString();
 			rinfo.config.insert(std::make_pair(copy_string(key.c_str()), copy_string(value.c_str())));
-			Unref(index);
 			delete k;
 			}
 		}
@ -1335,7 +1334,6 @@ void Manager::EndCurrentSend(ReaderFrontend* reader)

 	while ( ( ih = stream->lastDict->NextEntry(lastDictIdxKey, c) ) )
 		{
-		ListVal * idx = 0;
 		IntrusivePtr<Val> val;

 		Val* predidx = 0;
@ -1344,12 +1342,11 @@ void Manager::EndCurrentSend(ReaderFrontend* reader)

 		if ( stream->pred || stream->event )
 			{
-			idx = stream->tab->RecoverIndex(ih->idxkey);
-			assert(idx != 0);
-			val = stream->tab->Lookup(idx);
+			auto idx = stream->tab->RecoverIndex(ih->idxkey);
+			assert(idx != nullptr);
+			val = stream->tab->Lookup(idx.get());
 			assert(val != 0);
-			predidx = ListValToRecordVal(idx, stream->itype, &startpos);
-			Unref(idx);
+			predidx = ListValToRecordVal(idx.get(), stream->itype, &startpos);
 			ev = BifType::Enum::Input::Event->GetVal(BifEnum::Input::EVENT_REMOVED).release();
 			}

@ -1785,16 +1782,18 @@ bool Manager::Delete(ReaderFrontend* reader, Value* *vals)
 bool Manager::CallPred(Func* pred_func, const int numvals, ...) const
 	{
 	bool result = false;
-	val_list vl(numvals);
+	zeek::Args vl;
+	vl.reserve(numvals);

 	va_list lP;
 	va_start(lP, numvals);
 	for ( int i = 0; i < numvals; i++ )
-		vl.push_back( va_arg(lP, Val*) );
+		vl.emplace_back(AdoptRef{}, va_arg(lP, Val*));

 	va_end(lP);

-	auto v = pred_func->Call(&vl);
+	auto v = pred_func->Call(vl);
+
 	if ( v )
 		result = v->AsBool();

@ -1838,12 +1837,14 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu

 	bool convert_error = false;

-	val_list vl(num_vals);
+	zeek::Args vl;
+	vl.reserve(num_vals);

 	for ( int j = 0; j < num_vals; j++)
 		{
 		Val* v = ValueToVal(i, vals[j], convert_error);
-		vl.push_back(v);
+		vl.emplace_back(AdoptRef{}, v);
+
 		if ( v && ! convert_error && ! same_type(type->FieldType(j), v->Type()) )
 			{
 			convert_error = true;
@ -1854,21 +1855,17 @@ bool Manager::SendEvent(ReaderFrontend* reader, const string& name, const int nu
 	delete_value_ptr_array(vals, num_vals);

 	if ( convert_error )
-		{
-		for ( const auto& v : vl )
-			Unref(v);
-
 		return false;
-		}
-	else
-		mgr.QueueEvent(handler, std::move(vl), SOURCE_LOCAL);
+	else if ( handler )
+		mgr.Enqueue(handler, std::move(vl), SOURCE_LOCAL);

 	return true;
 }

 void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
 	{
-	val_list vl(numvals);
+	zeek::Args vl;
+	vl.reserve(numvals);

 #ifdef DEBUG
 	DBG_LOG(DBG_INPUT, "SendEvent with %d vals",
@ -1878,16 +1875,18 @@ void Manager::SendEvent(EventHandlerPtr ev, const int numvals, ...) const
 	va_list lP;
 	va_start(lP, numvals);
 	for ( int i = 0; i < numvals; i++ )
-		vl.push_back( va_arg(lP, Val*) );
+		vl.emplace_back(AdoptRef{}, va_arg(lP, Val*));

 	va_end(lP);

-	mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
+	if ( ev )
+		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}

 void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
 	{
-	val_list vl(events.size());
+	zeek::Args vl;
+	vl.reserve(events.size());

 #ifdef DEBUG
 	DBG_LOG(DBG_INPUT, "SendEvent with %" PRIuPTR " vals (list)",
@ -1895,9 +1894,10 @@ void Manager::SendEvent(EventHandlerPtr ev, list<Val*> events) const
 #endif

 	for ( list<Val*>::iterator i = events.begin(); i != events.end(); i++ )
-		vl.push_back( *i );
+		vl.emplace_back(AdoptRef{}, *i);

-	mgr.QueueEvent(ev, std::move(vl), SOURCE_LOCAL);
+	if ( ev )
+		mgr.Enqueue(ev, std::move(vl), SOURCE_LOCAL);
 	}

 // Convert a bro list value to a bro record value.
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@ -48,7 +48,7 @@ void PcapSource::Close()
 	Closed();

 	if ( Pcap::file_done )
-		mgr.QueueEventFast(Pcap::file_done, {new StringVal(props.path)});
+		mgr.Enqueue(Pcap::file_done, make_intrusive<StringVal>(props.path));
 	}

 void PcapSource::OpenLive()
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@ -710,7 +710,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)

 	// Raise the log event.
 	if ( stream->event )
-		mgr.QueueEventFast(stream->event, {columns->Ref()}, SOURCE_LOCAL);
+		mgr.Enqueue(stream->event, columns);

 	// Send to each of our filters.
 	for ( list<Filter*>::iterator i = stream->filters.begin();
@ -723,11 +723,9 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 			{
 			// See whether the predicates indicates that we want
 			// to log this record.
-			val_list vl{columns->Ref()};
-
 			int result = 1;
+			auto v = filter->pred->Call(columns);

-			auto v = filter->pred->Call(&vl);
 			if ( v )
 				result = v->AsBool();

@ -737,23 +735,25 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)

 		if ( filter->path_func )
 			{
-			Val* path_arg;
-			if ( filter->path_val )
-				path_arg = filter->path_val->Ref();
-			else
-				path_arg = val_mgr->GetEmptyString();
+			IntrusivePtr<Val> path_arg;

-			Val* rec_arg;
+			if ( filter->path_val )
+				path_arg = {NewRef{}, filter->path_val};
+			else
+				path_arg = {AdoptRef{}, val_mgr->GetEmptyString()};
+
+			IntrusivePtr<Val> rec_arg;
 			BroType* rt = filter->path_func->FType()->Args()->FieldType("rec");

 			if ( rt->Tag() == TYPE_RECORD )
-				rec_arg = columns->CoerceTo(rt->AsRecordType(), true).release();
+				rec_arg = columns->CoerceTo(rt->AsRecordType(), true);
 			else
 				// Can be TYPE_ANY here.
-				rec_arg = columns->Ref();
+				rec_arg = columns;

-			val_list vl{id->Ref(), path_arg, rec_arg};
-			auto v = filter->path_func->Call(&vl);
+			auto v = filter->path_func->Call(IntrusivePtr{NewRef{}, id},
+			                                 std::move(path_arg),
+			                                 std::move(rec_arg));

 			if ( ! v )
 				return false;
@ -868,11 +868,10 @@ bool Manager::Write(EnumVal* id, RecordVal* columns_arg)
 			TableEntryVal* v;
 			while ( (v = filter->config->AsTable()->NextEntry(k, c)) )
 				{
-				ListVal* index = filter->config->RecoverIndex(k);
+				auto index = filter->config->RecoverIndex(k);
 				string key = index->Index(0)->AsString()->CheckString();
 				string value = v->Value()->AsString()->CheckString();
 				info->config.insert(std::make_pair(copy_string(key.c_str()), copy_string(value.c_str())));
-				Unref(index);
 				delete k;
 				}

@ -1059,8 +1058,7 @@ threading::Value** Manager::RecordToFilterVals(Stream* stream, Filter* filter,

 	if ( filter->num_ext_fields > 0 )
 		{
-		val_list vl{filter->path_val->Ref()};
-		auto res = filter->ext_func->Call(&vl);
+		auto res = filter->ext_func->Call(IntrusivePtr{NewRef{}, filter->path_val});

 		if ( res )
 			ext_rec = {AdoptRef{}, res.release()->AsRecordVal()};
@ -1516,7 +1514,7 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
 		return true;

 	// Create the RotationInfo record.
-	RecordVal* info = new RecordVal(BifType::Record::Log::RotationInfo);
+	auto info = make_intrusive<RecordVal>(BifType::Record::Log::RotationInfo);
 	info->Assign(0, winfo->type->Ref());
 	info->Assign(1, make_intrusive<StringVal>(new_name));
 	info->Assign(2, make_intrusive<StringVal>(winfo->writer->Info().path));
@ -1535,11 +1533,9 @@ bool Manager::FinishedRotation(WriterFrontend* writer, const char* new_name, con
 	assert(func);

 	// Call the postprocessor function.
-	val_list vl{info};
-
 	int result = 0;

-	auto v = func->Call(&vl);
+	auto v = func->Call(std::move(info));
 	if ( v )
 		result = v->AsBool();

--- a/src/main.cc
+++ b/src/main.cc
@ -218,7 +218,7 @@ void done_with_network()
 		mgr.Drain();
 		// Don't propagate this event to remote clients.
 		mgr.Dispatch(new Event(net_done,
-		                       {new Val(timer_mgr->Time(), TYPE_TIME)}),
+		                       {make_intrusive<Val>(timer_mgr->Time(), TYPE_TIME)}),
 		             true);
 		}

@ -269,7 +269,7 @@ void terminate_bro()

 	EventHandlerPtr zeek_done = internal_handler("zeek_done");
 	if ( zeek_done )
-		mgr.QueueEventFast(zeek_done, val_list{});
+		mgr.Enqueue(zeek_done, zeek::Args{});

 	timer_mgr->Expire();
 	mgr.Drain();
@ -826,7 +826,7 @@ int main(int argc, char** argv)

 	EventHandlerPtr zeek_init = internal_handler("zeek_init");
 	if ( zeek_init )	//### this should be a function
-		mgr.QueueEventFast(zeek_init, val_list{});
+		mgr.Enqueue(zeek_init, zeek::Args{});

 	EventRegistry::string_list dead_handlers =
 		event_registry->UnusedHandlers();
@ -873,10 +873,10 @@ int main(int argc, char** argv)
 			if ( i->skipped )
 				continue;

-			mgr.QueueEventFast(zeek_script_loaded, {
-				new StringVal(i->name.c_str()),
-				val_mgr->GetCount(i->include_level),
-			});
+			mgr.Enqueue(zeek_script_loaded,
+				make_intrusive<StringVal>(i->name.c_str()),
+				IntrusivePtr{AdoptRef{}, val_mgr->GetCount(i->include_level)}
+			);
 			}
 		}

--- a/src/option.bif
+++ b/src/option.bif
@ -16,14 +16,15 @@ static bool call_option_handlers_and_set_value(StringVal* name, ID* i,
 		for ( auto handler_function : i->GetOptionHandlers() )
 			{
 			bool add_loc = handler_function->FType()->AsFuncType()->ArgTypes()->Types()->length() == 3;
-			val_list vl(2 + add_loc);
-			vl.push_back(name->Ref());
-			vl.push_back(val->Ref());
+			zeek::Args vl;
+			vl.reserve(2 + add_loc);
+			vl.emplace_back(NewRef{}, name);
+			vl.emplace_back(val);

 			if ( add_loc )
-				vl.push_back(location->Ref());
+				vl.emplace_back(NewRef{}, location);

-			val = handler_function->Call(&vl); // consumed by next call.
+			val = handler_function->Call(vl); // consumed by next call.

 			if ( ! val )
 				{
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.

+#include <optional>
 #include <sstream>
 #include <fstream>
 #include <dirent.h>
@ -619,15 +620,21 @@ int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const
 	return rc;
 	}

-std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent, val_list* vargs) const
+std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent, const zeek::Args& vecargs) const
 	{
 	HookArgumentList args;
+	std::optional<val_list> vargs;

 	if ( HavePluginForHook(META_HOOK_PRE) )
 		{
+		vargs = val_list(vecargs.size());
+
+		for ( const auto& v : vecargs )
+			vargs->push_back(v.get());
+
 		args.push_back(HookArgument(func));
 		args.push_back(HookArgument(parent));
-		args.push_back(HookArgument(vargs));
+		args.push_back(HookArgument(&vargs.value()));
 		MetaHookPre(HOOK_CALL_FUNCTION, args);
 		}

@ -637,11 +644,19 @@ std::pair<bool, Val*> Manager::HookCallFunction(const Func* func, Frame* parent,

 	if ( l )
 		{
+		if ( ! vargs )
+			{
+			vargs = val_list(vecargs.size());
+
+			for ( const auto& v : vecargs )
+				vargs->push_back(v.get());
+			}
+
 		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
 			{
 			Plugin* p = (*i).second;

-			v = p->HookCallFunction(func, parent, vargs);
+			v = p->HookCallFunction(func, parent, &vargs.value());

 			if ( v.first )
 				break;
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@ -6,11 +6,11 @@
 #include <map>
 #include <string_view>

-
 #include "Plugin.h"
 #include "Component.h"

 #include "../Reporter.h"
+#include "../ZeekArgs.h"

 namespace plugin {

@ -253,7 +253,7 @@ public:
 	 * functions and events, it may be any Val and must be ignored). If no
 	 * plugin handled the call, the method returns null.
 	 */
-	std::pair<bool, Val*> HookCallFunction(const Func* func, Frame *parent, val_list* args) const;
+	std::pair<bool, Val*> HookCallFunction(const Func* func, Frame* parent, const zeek::Args& args) const;

 	/**
 	 * Hook that filters the queuing of an event.
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@ -19,6 +19,7 @@ class ODesc;
 class Frame;
 class Func;
 class Event;
+template <class T> class IntrusivePtr;

 namespace threading {
 struct Field;
--- a/src/reporter.bif
+++ b/src/reporter.bif
@ -182,7 +182,6 @@ function Reporter::set_weird_sampling_whitelist%(weird_sampling_whitelist: strin
 		auto index = wl_val->RecoverIndex(k);
 		string key = index->Index(0)->AsString()->CheckString();
 		whitelist_set.emplace(move(key));
-		Unref(index);
 		delete k;
 		}
 	reporter->SetWeirdSamplingWhitelist(whitelist_set);
--- a/Show more
+++ b/Show more