Description of problem:
C programs often place locks alongside the struct fields that they protect. There is currently no syntax for using clang's TSA _attribute_((guarded_by(...))) with sibling struct fields in C programs.

This limits the usefulness of TSA in C programs. In QEMU, we are only able to use TSA with global mutexes for this reason.

Note this is a known limitation upstream. See https://bugs.llvm.org/show_bug.cgi?id=20403.

Version-Release number of selected component (if applicable):
clang-15.0.7-2.el9.x86_64

How reproducible:

Steps to Reproduce:
1. $ cat >a.c
#include <assert.h>
#include <pthread.h>

typedef pthread_mutex_t _attribute_((capability("mutex"))) mutex;

struct foo
{
mutex lock;
int counter _attribute_((guarded_by(/* how to express ->lock? */)));
};

static void foo_inc(struct foo *f)
{
pthread_mutex_lock(&f->lock);
f->counter++;
pthread_mutex_unlock(&f->lock);
}

int main(int argc, char **argv)
{
struct foo f = {};
int ret;

ret = pthread_mutex_init(&f.lock, NULL);
assert(ret == 0);

foo_inc(&f);

ret = pthread_mutex_destroy(&f.lock);
assert(ret == 0);
return 0;
}

2. clang -Wthread-safety -o a a.c

Actual results:
Unable to compile because there is no syntax to guard ->counter with ->lock.

Expected results:
Able to compile and check that ->lock is held when ->counter is accessed.

Additional info: