fix: prevent serialization to leak CurrentInstances (#21277)

During serialization and deserialization of VaadinSession and UI,
CurrentInstances may be set but not present in the original instances map,
causing the added instance to leak outside the scope of the deserialization
hook method.
This fix ensures all instances set by the hooks are wiped out before
restoring the original instances.

Author: mcollovati

flow-server/src/main/java/com/vaadin/flow/component/Component.java

@@ -839,6 +839,7 @@ private void writeObject(ObjectOutputStream out) throws IOException {
             try {
                 out.defaultWriteObject();
             } finally {
+                CurrentInstance.clearAll();
                 CurrentInstance.restoreInstances(instances);
             }
         } else {
@@ -858,6 +859,7 @@ private void readObject(ObjectInputStream in)
             try {
                 in.defaultReadObject();
             } finally {
+                CurrentInstance.clearAll();
                 CurrentInstance.restoreInstances(instances);
             }
         } else {

flow-server/src/main/java/com/vaadin/flow/server/VaadinSession.java

@@ -1110,6 +1110,7 @@ private void readObject(ObjectInputStream stream)
             resourceRegistry = (StreamResourceRegistry) stream.readObject();
             pendingAccessQueue = new ConcurrentLinkedQueue<>();
         } finally {
+            CurrentInstance.clearAll();
             CurrentInstance.restoreInstances(old);
         }
     }
@@ -1142,6 +1143,7 @@ private void writeObject(java.io.ObjectOutputStream stream)
                 stream.writeObject(new StreamResourceRegistry(this));
             }
         } finally {
+            CurrentInstance.clearAll();
             CurrentInstance.restoreInstances(instanceMap);
         }
     }