diff --git a/ci/ci_steps.sh b/ci/ci_steps.sh
index e5c9923324b15..145590019fa61 100755
--- a/ci/ci_steps.sh
+++ b/ci/ci_steps.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-ENVOY_BUILD_SHA=fc747b3c2fd49b1260484572071fe4194cd6824d
+ENVOY_BUILD_SHA=1d2a2100708d1012cd61054ce04d4dc4e3b03ff2
 
 # Script that lists all the steps take by the CI system when doing Envoy builds.
 set -e
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
index 4fbfcfa915e2e..73cd6feed5378 100755
--- a/ci/do_ci.sh
+++ b/ci/do_ci.sh
@@ -91,6 +91,7 @@ elif [[ "$1" == "bazel.coverage" ]]; then
   export GCOVR_DIR="${ENVOY_BUILD_DIR}/bazel-envoy"
   export TESTLOGS_DIR="${ENVOY_BUILD_DIR}/bazel-testlogs"
   export BUILDIFIER_BIN="/usr/lib/go/bin/buildifier"
+  export WORKSPACE=ci
   # There is a bug in gcovr 3.3, where it takes the -r path,
   # in our case /source, and does a regex replacement of various
   # source file paths during HTML generation. It attempts to strip
@@ -101,7 +102,6 @@ elif [[ "$1" == "bazel.coverage" ]]; then
   # some Bazel created symlinks to the source directory in its output
   # directory. Wow.
   cd "${ENVOY_BUILD_DIR}"
-  export BAZEL_TEST_OPTIONS="${BAZEL_TEST_OPTIONS} -c dbg"
   SRCDIR="${GCOVR_DIR}" "${ENVOY_SRCDIR}"/test/run_envoy_bazel_coverage.sh
   rsync -av "${ENVOY_BUILD_DIR}"/bazel-envoy/generated/coverage/ "${ENVOY_COVERAGE_DIR}"
   exit 0
diff --git a/source/exe/signal_action.h b/source/exe/signal_action.h
index 14e94240aa28d..de7eae41d0d87 100644
--- a/source/exe/signal_action.h
+++ b/source/exe/signal_action.h
@@ -60,6 +60,12 @@ class SignalAction : NonCopyable {
    */
   void doGoodAccessForTest();
   void tryEvilAccessForTest(bool end);
+  /**
+   * The actual signal handler function with prototype matching signal.h
+   *
+   * Public so that we can exercise it directly from a test.
+   */
+  static void sigHandler(int sig, siginfo_t* info, void* context);
 
 private:
   /**
@@ -91,10 +97,6 @@ class SignalAction : NonCopyable {
    * Return the memory size we actually map including two guard pages.
    */
   size_t mapSizeWithGuards() const { return altstack_size_ + guard_size_ * 2; }
-  /**
-   * The actual signal handler function with prototype matching signal.h
-   */
-  static void sigHandler(int sig, siginfo_t* info, void* context);
   /**
    * Install all signal handlers and setup signal handling stack.
    */
diff --git a/test/exe/signals_test.cc b/test/exe/signals_test.cc
index 8c2697a62789c..aa46d72b7e4e6 100644
--- a/test/exe/signals_test.cc
+++ b/test/exe/signals_test.cc
@@ -16,10 +16,10 @@ namespace Envoy {
 #define ASANITIZED /* Sanitized by GCC */
 #endif
 
-// Memory violation signal tests are disabled under address sanitizer.  The
-// sanitizer does its own special signal handling and prints messages that are
-// not ours instead of what this test expects.  The signals special handled by ASAN
-// include SIGSEGV, SIGBUS, and SIGFPE.
+// Death tests that expect a particular output are disabled under address sanitizer.
+// The sanitizer does its own special signal handling and prints messages that are
+// not ours instead of what this test expects.  As of latest Clang this appears
+// to include abort() as well.
 #ifndef ASANITIZED
 TEST(Signals, InvalidAddressDeathTest) {
   SignalAction actions;
@@ -52,7 +52,6 @@ TEST(Signals, BadMathDeathTest) {
     raise(SIGFPE);
   }(), "backtrace.*Floating point");
 }
-#endif
 
 #if defined(__x86_64__) || defined(__i386__)
 // Unfortunately we don't have a reliable way to do this on other platforms
@@ -81,6 +80,7 @@ TEST(Signals, RestoredPreviousHandlerDeathTest) {
   // Outer SignalAction should be active again:
   EXPECT_DEATH([]() -> void { abort(); }(), "backtrace.*Aborted");
 }
+#endif
 
 TEST(Signals, IllegalStackAccessDeathTest) {
   SignalAction actions;
@@ -107,4 +107,11 @@ TEST(Signals, LegalStackAccessTest) {
   SignalAction actions;
   actions.doGoodAccessForTest();
 }
+
+TEST(Signals, HandlerTest) {
+  siginfo_t fake_si;
+  fake_si.si_addr = nullptr;
+  SignalAction::sigHandler(SIGURG, &fake_si, nullptr);
+}
+
 } // Envoy
diff --git a/test/run_envoy_bazel_coverage.sh b/test/run_envoy_bazel_coverage.sh
index 3e9fa1d71d5c7..da72377048fd7 100755
--- a/test/run_envoy_bazel_coverage.sh
+++ b/test/run_envoy_bazel_coverage.sh
@@ -7,6 +7,7 @@ set -e
 [[ -z "${TESTLOGS_DIR}" ]] && TESTLOGS_DIR="${SRCDIR}/bazel-testlogs"
 [[ -z "${BAZEL_COVERAGE}" ]] && BAZEL_COVERAGE=bazel
 [[ -z "${GCOVR}" ]] && GCOVR=gcovr
+[[ -z "${WORKSPACE}" ]] && WORKSPACE=envoy
 
 # This is the target that will be run to generate coverage data. It can be overriden by consumer
 # projects that want to run coverage on a different/combined target.
@@ -23,6 +24,9 @@ do
 done
 echo "Cleanup completed."
 
+# Force dbg for path consistency later, don't include debug code in coverage.
+BAZEL_TEST_OPTIONS="${BAZEL_TEST_OPTIONS} -c dbg --copt=-DNDEBUG"
+
 # Run all tests under "bazel test", no sandbox. We're going to generate the
 # .gcda inplace in the bazel-out/ directory. This is in contrast to the "bazel
 # coverage" method, which is currently broken for C++ (see
@@ -45,6 +49,15 @@ COVERAGE_DIR="${SRCDIR}"/generated/coverage
 mkdir -p "${COVERAGE_DIR}"
 COVERAGE_SUMMARY="${COVERAGE_DIR}/coverage_summary.txt"
 
+# Copy .gcno objects into the same location that we find the .gcda.
+# TODO(htuch): Should use rsync, but there are some symlink loops to fight.
+pushd "${GCOVR_DIR}"
+for f in $(find -L bazel-out/ -name "*.gcno")
+do
+  cp --parents "$f" bazel-out/local-dbg/bin/test/coverage/coverage_tests.runfiles/"${WORKSPACE}"
+done
+popd
+
 # gcovr is extremely picky about where it is run and where the paths of the
 # original source are relative to its execution location.
 cd "${SRCDIR}"