fix: Resolve critical concurrency issues in directory sealing

This commit addresses multiple race conditions and lock ordering issues:

1. Fixed generation capture timing: Now captures generation at the
   correct point relative to lock acquisition/release to prevent races.

2. Moved markGapLoaded after sealing: Ensures gaps are only marked as
   loaded after successful sealing, preventing inconsistent state.

3. For inode == parent with lock=true: Eliminated unnecessary
   unlock/relock pattern. Now seals directly while holding parent.mu
   and marks gap afterward.

4. For inode != parent with lock=true: Properly manages lock ordering
   by capturing parent generation before unlock, sealing inode with
   its own lock, then reacquiring parent lock to mark gap only if
   parent hasn't changed.

5. For lock=false: Caller manages locks, so we seal and mark gap
   while respecting caller's lock ownership.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: ovaistariq

core/dir.go

@@ -342,53 +342,42 @@ func (parent *Inode) listObjectsSlurp(inode *Inode, startAfter string, sealEnd b
 	}
 
 	if seal {
-		// Calculate nextStartAfter first before marking gap
+		// Calculate nextStartAfter first
 		var calculatedNextStartAfter string
 		if obj != nil {
 			calculatedNextStartAfter = *obj.Key
 		}
 
-		// Remember this range as already loaded before we release locks
-		parent.dir.markGapLoaded(NilStr(startWith), calculatedNextStartAfter)
-
-		var inodeGen uint64
-
-		// Capture generation right before unlocking to minimize staleness window
-		if inode != parent {
-			inodeGen = atomic.LoadUint64(&inode.dir.generation)
-		} else {
-			inodeGen = atomic.LoadUint64(&parent.dir.generation)
-		}
-
 		// When lock=true, we need to release parent lock before sealing inode
 		// to avoid lock ordering issues. When lock=false, caller already holds
 		// the lock and we must NOT release it (they'll handle lock ordering).
 		if lock {
-			parent.mu.Unlock()
-
 			if inode != parent {
+				// Capture generation right before unlocking parent
+				inodeGen := atomic.LoadUint64(&parent.dir.generation)
+				parent.mu.Unlock()
+
 				inode.mu.Lock()
-				// Check if generation changed while we didn't hold the lock
-				if atomic.LoadUint64(&inode.dir.generation) == inodeGen {
-					inode.sealDir()
-				}
+				inode.sealDir()
 				inode.mu.Unlock()
-			} else {
-				// inode == parent, we need to reacquire the lock after unlocking
-				parent.mu.Lock()
 
-				// Check generation after reacquiring lock
+				// Reacquire parent lock and verify its generation
+				parent.mu.Lock()
 				if atomic.LoadUint64(&parent.dir.generation) == inodeGen {
-					parent.sealDir()
+					// Parent hasn't changed, mark gap as loaded
+					parent.dir.markGapLoaded(NilStr(startWith), calculatedNextStartAfter)
 				}
-
-				// Ensure parent lock is released before return in seal path
+				parent.mu.Unlock()
+			} else {
+				// inode == parent, we already hold the lock so seal directly
+				parent.sealDir()
+				// Mark gap as loaded after sealing
+				parent.dir.markGapLoaded(NilStr(startWith), calculatedNextStartAfter)
 				parent.mu.Unlock()
 			}
 		} else {
 			// lock=false: Caller holds parent.mu, so we can't do unlock/relock.
 			// This is used by Rename which already handles lock ordering properly.
-			// Just seal the inode directly.
 			if inode != parent {
 				inode.mu.Lock()
 				inode.sealDir()
@@ -397,6 +386,8 @@ func (parent *Inode) listObjectsSlurp(inode *Inode, startAfter string, sealEnd b
 				// inode == parent, caller holds parent.mu so we can seal directly
 				inode.sealDir()
 			}
+			// Mark gap as loaded after sealing
+			parent.dir.markGapLoaded(NilStr(startWith), calculatedNextStartAfter)
 		}
 
 		nextStartAfter = ""