fix: prevent deserialization to leak CurrentInstances

During deserialization of VaadinSession and UI, CurrentInstances may be set
but not present in the original instances map, causing the added instance
to leak outside the scope of the deserialization hook method.
This fix ensures all instances set by the hook are wiped out before
restoring the original instances.

Author: mcollovati

flow-server/src/main/java/com/vaadin/flow/component/Component.java

@@ -839,6 +839,7 @@ private void writeObject(ObjectOutputStream out) throws IOException {
             try {
                 out.defaultWriteObject();
             } finally {
+                CurrentInstance.clearAll();
                 CurrentInstance.restoreInstances(instances);
             }
         } else {
@@ -858,6 +859,7 @@ private void readObject(ObjectInputStream in)
             try {
                 in.defaultReadObject();
             } finally {
+                CurrentInstance.clearAll();
                 CurrentInstance.restoreInstances(instances);
             }
         } else {

flow-server/src/main/java/com/vaadin/flow/server/VaadinSession.java

@@ -1110,6 +1110,7 @@ private void readObject(ObjectInputStream stream)
             resourceRegistry = (StreamResourceRegistry) stream.readObject();
             pendingAccessQueue = new ConcurrentLinkedQueue<>();
         } finally {
+            CurrentInstance.clearAll();
             CurrentInstance.restoreInstances(old);
         }
     }
@@ -1142,6 +1143,7 @@ private void writeObject(java.io.ObjectOutputStream stream)
                 stream.writeObject(new StreamResourceRegistry(this));
             }
         } finally {
+            CurrentInstance.clearAll();
             CurrentInstance.restoreInstances(instanceMap);
         }
     }