Valgrind suppression with using frame-level wildcard (ellipses)

Question

I'm catching quite a few uninitialized value(s) under Valgrind. The finding is expected because its related to to OpenSSL's PRNG:

==5787== Use of uninitialised value of size 8
==5787==    at 0x533B449: _x86_64_AES_encrypt_compact (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x533B6DA: fips_aes_encrypt (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x56FBC47: ??? (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x56FBD27: ??? (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x56FBE47: ??? (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0xFFEFFFE17: ???
==5787==  Uninitialised value was created by a heap allocation
==5787==    at 0x4C28D84: malloc (vg_replace_malloc.c:291)
==5787==    by 0x53575AF: CRYPTO_malloc (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x53FB52B: drbg_get_entropy (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x534C312: fips_get_entropy (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x534CABE: FIPS_drbg_instantiate (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x53FB94E: RAND_init_fips (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x5403F5D: EVP_add_cipher (in /usr/local/ssl/lib/libcrypto.so.1.0.0)
==5787==    by 0x507B7C0: SSL_library_init (in /usr/local/ssl/lib/libssl.so.1.0.0)
==5787==    by 0x4103E7: DoStartupOpenSSL() (ac-openssl-1.cpp:494)
==5787==    by 0x419504: main (main.cpp:69)
==5787== 

But I'm having trouble suppressing it (and that's not expected). I'm trying to use the following three rules, which use frame-level wildcards.

{
   RAND_init_fips (1)
   Memcheck:Cond
   ...
   fun:RAND_init_fips
   ...
}

{
   RAND_init_fips (2)
   Memcheck:Value8
   ...
   fun:RAND_init_fips
   ...
}

{
   RAND_init_fips (3)
   Memcheck:Value4
   ...
   fun:RAND_init_fips
   ...
}

I don't want to do things like initialize the memory because of the Debian PRNG fiasco a few years ago. Plus, its the OpenSSL FIPS Object Module, so I can't modify it because the source code and resulting object file are sequestered.

I'm not sure what the issue is because it appears RAND_init_fips surrounded by frame level-wildcards should match the finding. Any ideas what might be going wrong here?

Answer 1

According to Tom Hughes on the Valgrind User's mailing list, its not possible to write the suppression rule: