It is expected that FileSystemDeploymentService.ScanContext can only be read/modified after acquiring the scanLock, however, there is a flaw in the code that can leave the current ScanContext without being guarded by the scanLock when the deployment directory is scanned.

The FileSystemDeploymentService.scanDirectory iterates over all the files, and if it finds a FAILED_DEPLOY mark, it tries to acquire the lock again and release it once the work is done, which will leave the ScanContext without being guarded meanwhile it is processing other marks.

FileSystemDeploymentService.scanDirectory is a private method and it is always called with the lock acquired, so we do not need to acquire/release it again inside the for loop.