feat: add coverage load-base offset conversion and debugAddressToSymbol function

fm4v · claude · fm4v · commit 75df70517da7 · 2026-03-19T09:33:43.000+01:00
Convert coverage addresses to file offsets by subtracting the binary's load base
so that dumps are portable across processes with different ASLR bases. This matches
how `addressToSymbol` works: the fallback path in `SymbolIndex::findSymbol` treats
values as raw file offsets when they're not in any mapped object.

Add `SymbolIndex::diagnose` to explain why symbol resolution succeeds or fails:
returns `"found:&lt;name&gt;"`, `"no_object"`, or `"no_symbol[object=&lt;path&gt;:offset=0x&lt;hex&gt;]"`.

Add `debugAddressToSymbol` SQL function backed by `diagnose`, useful for
investigating why `coverageCurrent()` produces empty symbols.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Common/Coverage.cpp b/src/Common/Coverage.cpp
@@ -9,6 +9,7 @@
 #include <vector>
 
 #include <Common/IO.h>
+#include <Common/SymbolIndex.h>
 #include <base/coverage.h>
 
 #include <fmt/format.h>
@@ -35,14 +36,23 @@ void dumpCoverage()
 
     if (const char * coverage_filename_prefix = getenv("CLICKHOUSE_WRITE_COVERAGE")) // NOLINT(concurrency-mt-unsafe)
     {
-        auto dump = [](const std::string & name, auto span)
+        /// Convert runtime virtual addresses to file offsets by subtracting the binary's load base.
+        /// This makes the dump portable across processes with different ASLR bases:
+        /// when the server inserts the dump and calls addressToSymbol(), SymbolIndex::findSymbol()
+        /// will use the fallback path that treats the value directly as a file offset — the same
+        /// mechanism used by system.stack_trace (after PR #82809).
+        uintptr_t load_base = 0;
+        if (const DB::SymbolIndex::Object * self = DB::SymbolIndex::instance().thisObject())
+            load_base = reinterpret_cast<uintptr_t>(self->address_begin);
+
+        auto dump = [load_base](const std::string & name, auto span)
         {
-            /// Write only non-zeros.
+            /// Write only non-zeros, converted to file offsets.
             std::vector<uintptr_t> data;
             data.reserve(span.size());
             for (auto addr : span)
                 if (addr)
-                    data.push_back(addr);
+                    data.push_back(addr - load_base);
 
             int fd = ::open(name.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0400);
             if (-1 == fd)
diff --git a/src/Common/SymbolIndex.cpp b/src/Common/SymbolIndex.cpp
@@ -6,6 +6,8 @@
 #include <Common/MemoryTrackerDebugBlockerInThread.h>
 #include <Common/SymbolIndex.h>
 
+#include <fmt/format.h>
+
 #include <algorithm>
 #include <optional>
 
@@ -544,6 +546,28 @@ const SymbolIndex::Object * SymbolIndex::findObject(const void * address) const
     return find(address, data.objects);
 }
 
+String SymbolIndex::diagnose(const void * address) const
+{
+    /// Mirror findSymbol exactly: if address is not in any mapped object,
+    /// fall back to treating it as a raw file offset (same as findSymbol does).
+    const Object * object = findObject(address);
+    const void * offset = address;
+
+    if (object)
+        offset = reinterpret_cast<const void *>(
+            reinterpret_cast<uintptr_t>(address) - reinterpret_cast<uintptr_t>(object->address_begin));
+
+    const Symbol * symbol = find(offset, data.symbols);
+    if (!symbol)
+    {
+        if (!object)
+            return "no_object";
+        return fmt::format("no_symbol[object={}:offset=0x{:x}]", object->name, reinterpret_cast<uintptr_t>(offset));
+    }
+
+    return fmt::format("found:{}", symbol->name);
+}
+
 const SymbolIndex::Object * SymbolIndex::thisObject() const
 {
     return findObject(reinterpret_cast<const void *>(+[]{}));
diff --git a/src/Common/SymbolIndex.h b/src/Common/SymbolIndex.h
@@ -42,6 +42,11 @@ class SymbolIndex : private boost::noncopyable
     const Object * findObject(const void * address) const;
     const Object * thisObject() const;
 
+    /// For debugging: explain why findSymbol returned nullptr.
+    /// Returns the symbol name (if found), "no_object" (address not in any mapped binary),
+    /// or "no_symbol[object=<name>:offset=0x<hex>]" (in binary but no symbol at that offset).
+    String diagnose(const void * address) const;
+
     const std::vector<Symbol> & symbols() const { return data.symbols; }
     const std::vector<Object> & objects() const { return data.objects; }
 
diff --git a/src/Functions/debugAddressToSymbol.cpp b/src/Functions/debugAddressToSymbol.cpp
@@ -0,0 +1,116 @@
+#if defined(__ELF__) && !defined(OS_FREEBSD)
+
+#include <Common/SymbolIndex.h>
+#include <Columns/ColumnString.h>
+#include <Columns/ColumnsNumber.h>
+#include <DataTypes/DataTypeString.h>
+#include <Functions/IFunction.h>
+#include <Functions/FunctionFactory.h>
+#include <Functions/FunctionHelpers.h>
+#include <Access/Common/AccessFlags.h>
+#include <Interpreters/Context.h>
+
+
+namespace DB
+{
+
+namespace ErrorCodes
+{
+    extern const int ILLEGAL_COLUMN;
+}
+
+namespace
+{
+
+/// Diagnostic variant of addressToSymbol.
+/// Instead of returning empty string on failure, returns:
+///   "no_object"                                     — address not in any mapped binary
+///   "no_symbol[object=<path>:offset=0x<hex>]"       — in binary but no ELF symbol at that offset
+///   "<demangled_name>"                               — resolved successfully (same as addressToSymbol)
+///
+/// Use this to categorize why coverageCurrent() produces empty symbols:
+///
+///   SELECT debugAddressToSymbol(arrayJoin(coverageCurrent())) AS diag,
+///          count() AS cnt
+///   GROUP BY diag
+///   ORDER BY cnt DESC
+///   LIMIT 20
+class FunctionDebugAddressToSymbol : public IFunction
+{
+public:
+    static constexpr auto name = "debugAddressToSymbol";
+
+    static FunctionPtr create(ContextPtr context)
+    {
+        context->checkAccess(AccessType::addressToSymbol);
+        return std::make_shared<FunctionDebugAddressToSymbol>();
+    }
+
+    String getName() const override { return name; }
+    size_t getNumberOfArguments() const override { return 1; }
+    bool isSuitableForShortCircuitArgumentsExecution(const DataTypesWithConstInfo &) const override { return true; }
+    bool useDefaultImplementationForConstants() const override { return true; }
+
+    DataTypePtr getReturnTypeImpl(const ColumnsWithTypeAndName & arguments) const override
+    {
+        FunctionArgumentDescriptors mandatory_args{
+            {"address_of_binary_instruction", &isUInt64, nullptr, "UInt64"}
+        };
+        validateFunctionArguments(*this, arguments, mandatory_args);
+        return std::make_shared<DataTypeString>();
+    }
+
+    ColumnPtr executeImpl(const ColumnsWithTypeAndName & arguments, const DataTypePtr &, size_t input_rows_count) const override
+    {
+        const ColumnPtr & column = arguments[0].column;
+        const ColumnUInt64 * column_concrete = checkAndGetColumn<ColumnUInt64>(column.get());
+
+        if (!column_concrete)
+            throw Exception(ErrorCodes::ILLEGAL_COLUMN,
+                "Illegal column {} of argument of function {}", column->getName(), getName());
+
+        const typename ColumnVector<UInt64>::Container & data = column_concrete->getData();
+        auto result_column = ColumnString::create();
+
+        const SymbolIndex & symbol_index = SymbolIndex::instance();
+
+        for (size_t i = 0; i < input_rows_count; ++i)
+        {
+            String diag = symbol_index.diagnose(reinterpret_cast<const void *>(data[i]));
+            result_column->insertData(diag.data(), diag.size());
+        }
+
+        return result_column;
+    }
+};
+
+}
+
+REGISTER_FUNCTION(DebugAddressToSymbol)
+{
+    factory.registerFunction<FunctionDebugAddressToSymbol>(
+        FunctionDocumentation
+        {
+            .description = R"(
+Diagnostic variant of `addressToSymbol`. Returns a string explaining why symbol resolution succeeded or failed:
+- Symbol name if resolution succeeded
+- `"no_object"` if the address is not within any mapped binary's address range
+- `"no_symbol[object=<path>:offset=0x<hex>]"` if the address maps into a binary but no ELF symbol covers that file offset
+
+Requires `allow_introspection_functions = 1`.
+
+Typical usage to categorize coverage failures:
+
+```sql
+SELECT debugAddressToSymbol(arrayJoin(coverageCurrent())) AS diag, count() AS cnt
+GROUP BY diag ORDER BY cnt DESC LIMIT 20
+```
+)",
+            .category = FunctionDocumentation::Category::Introspection
+        }
+    );
+}
+
+}
+
+#endif
diff --git a/tests/queries/0_stateless/04039_debug_address_to_symbol.reference b/tests/queries/0_stateless/04039_debug_address_to_symbol.reference
diff --git a/tests/queries/0_stateless/04039_debug_address_to_symbol.sql b/tests/queries/0_stateless/04039_debug_address_to_symbol.sql
@@ -0,0 +1,54 @@
+-- Tags: no-parallel
+-- Validates debugAddressToSymbol diagnostic function using system.stack_trace.
+-- Does NOT require SANITIZE_COVERAGE.
+--
+-- debugAddressToSymbol(addr) returns:
+--   "no_object"                    — address not in any mapped binary's address range,
+--                                    and also fails as a raw file offset
+--   "no_symbol_in_object:<path>:offset=0x<hex>" — in binary but no ELF symbol at offset
+--   "found:<symbol>"               — resolved successfully
+
+SET allow_introspection_functions = 1;
+
+-- 1. Invalid address → must return 'no_object'
+SELECT debugAddressToSymbol(toUInt64(1234)) AS result;
+
+-- 2. Valid stack_trace addresses → addressToSymbol returns non-empty for them,
+--    debugAddressToSymbol must return 'found:' prefixed strings (never 'no_object')
+SELECT countIf(NOT startsWith(diag, 'found:')) = 0 AS all_valid_addrs_are_found
+FROM (
+    SELECT
+        addr,
+        addressToSymbol(addr)      AS sym,
+        debugAddressToSymbol(addr) AS diag
+    FROM (SELECT arrayJoin(trace) AS addr FROM system.stack_trace LIMIT 1)
+    WHERE sym != ''
+);
+
+-- 3. debugAddressToSymbol 'found:' result must contain the same symbol as addressToSymbol
+SELECT countIf(substring(diag, 7) != sym) = 0 AS found_prefix_matches_addressToSymbol
+FROM (
+    SELECT
+        addressToSymbol(addr)      AS sym,
+        debugAddressToSymbol(addr) AS diag
+    FROM (SELECT arrayJoin(trace) AS addr FROM system.stack_trace LIMIT 1)
+    WHERE sym != ''
+      AND startsWith(debugAddressToSymbol(addr), 'found:')
+);
+
+-- 4. Category breakdown of stack_trace addresses (informational)
+SELECT
+    multiIf(
+        diag = 'no_object',            'no_object',
+        startsWith(diag, 'no_symbol'), 'no_symbol_in_object',
+        startsWith(diag, 'found:'),    'found',
+                                       'other'
+    ) AS category,
+    count() AS cnt
+FROM (
+    SELECT debugAddressToSymbol(arrayJoin(trace)) AS diag
+    FROM system.stack_trace
+    LIMIT 1
+)
+GROUP BY category
+ORDER BY cnt DESC;
