Guard deferred DoReadPage callback against disposed scan iterator

BufferAndLoad defers page reads via BumpCurrentEpoch(() => DoReadPage(...)).
These drain callbacks capture 'this' and access instance state (frame memory,
loadCompletionEvents, etc.). For read-ahead pages, the callback may still be
in the epoch drain list when the scan completes and the iterator is disposed.
The callback then accesses freed native frame memory (AccessViolationException)
or null arrays (NullReferenceException), and the resulting exception from
within a drain callback leaves the epoch in a held state, causing cascading
'Trying to acquire protected epoch' assertion failures.

Fix: add a volatile isDisposed flag that is set at the start of Dispose(),
before any resources are freed. DoReadPage checks this flag and returns early
if the iterator has been disposed. This is a simple, race-free guard that
requires no epoch manipulation in Dispose.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: badrishc

libs/storage/Tsavorite/cs/src/core/Allocator/ScanIteratorBase.cs

@@ -28,6 +28,9 @@ public abstract class ScanIteratorBase
         /// <summary>Epoch from the store</summary>
         protected readonly LightEpoch epoch;
 
+        /// <summary>Set when the iterator is disposed; deferred drain callbacks check this to avoid accessing freed resources.</summary>
+        volatile bool isDisposed;
+
         /// <summary>Current address for iteration</summary>
         protected long currentAddress;
         /// <summary>Next address for iteration</summary>
@@ -208,14 +211,13 @@ protected bool BufferAndLoad(long currentIterationAddress, long currentPage, lon
 
                         void DoReadPage(int frameIndex)
                         {
-                            // The drain callback may execute after the iterator has been disposed (loadCompletionEvents set to null),
-                            // because the callback is deferred via BumpCurrentEpoch and only runs when SafeToReclaimEpoch advances.
-                            // This can happen for read-ahead pages (frameIndex > 0) when the scan completes before the callback runs.
-                            var events = loadCompletionEvents;
-                            if (events is null)
+                            // This callback may be deferred via BumpCurrentEpoch and execute after the
+                            // iterator is disposed. Check the disposed flag to avoid accessing freed
+                            // frame memory (AV) or disposed arrays.
+                            if (isDisposed)
                                 return;
                             AsyncReadPageFromDeviceToFrame(readBuffer, readPage: frameIndex + GetPageOfAddress(currentIterationAddress, logPageSizeBits), untilAddress: endIterationAddress,
-                                context: Empty.Default, out events[nextFrame], devicePageOffset: 0, device: null, objectLogDevice: null, loadCTSs[nextFrame]);
+                                context: Empty.Default, out loadCompletionEvents[nextFrame], devicePageOffset: 0, device: null, objectLogDevice: null, loadCTSs[nextFrame]);
                             loadedPages[nextFrame] = pageEndAddress;
                         }
                     }
@@ -322,6 +324,11 @@ private bool WaitForFrameLoad(long currentAddress, long currentFrame)
         /// </summary>
         public virtual void Dispose()
         {
+            // Mark as disposed before freeing resources. Deferred DoReadPage callbacks (registered via
+            // BumpCurrentEpoch in BufferAndLoad) check this flag and no-op if set, avoiding access to
+            // freed frame memory (AV) or disposed arrays (NRE).
+            isDisposed = true;
+
             for (var i = 0; i < frameSize; i++)
             {
                 // Wait for ongoing reads to complete/fail; if the wait throws (e.g. due to cancellation), we still