Commit 4ef0cb80 authored by Yi Su Committed by Commit Bot

Copy SSLStatus instead of storing the pointer to avoid crash

Currently in WebStateImpl::ClearTransientContent we store a pointer to
the SSLStatus of old visible nav-item, and compare it with the new
nav-item after interstitial is dismissed. This will lead to a crash
if old nav-item is released in the middle. Copying SSLStatus to a local
variable will avoid this crash.

Bug: 1001622
Change-Id: I0f0e78c5c8297516f79eb56c56b97b8a5c4d92e1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1816473
Reviewed-by: Eugene But <eugenebut@chromium.org>
Commit-Queue: Yi Su <mrsuyi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#698844}
parent 757b89a9
......@@ -794,8 +794,8 @@ void WebStateImpl::ClearTransientContent() {
if (interstitial_) {
// |visible_item| can be null if non-committed entries where discarded.
NavigationItem* visible_item = navigation_manager_->GetVisibleItem();
const SSLStatus* old_status =
visible_item ? &(visible_item->GetSSL()) : nullptr;
const SSLStatus old_status =
visible_item ? visible_item->GetSSL() : SSLStatus();
// Store the currently displayed interstitial in a local variable and reset
// |interstitial_| early. This is to prevent an infinite loop, as
// |DontProceed()| internally calls |ClearTransientContent()|.
......@@ -806,7 +806,7 @@ void WebStateImpl::ClearTransientContent() {
// deletion.
const web::NavigationItem* new_item = navigation_manager_->GetVisibleItem();
if (!new_item || !old_status || !new_item->GetSSL().Equals(*old_status)) {
if (!new_item || !visible_item || !new_item->GetSSL().Equals(old_status)) {
// Visible SSL state has actually changed after interstitial dismissal.
DidChangeVisibleSecurityState();
}
......
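Review bot: The new condition in the second hunk, `!new_item || !visible_item || ...`, still carries the raw `visible_item` pointer across the interstitial dismissal that the commit description says can release that item, so a dangling pointer remains in scope after the point where its pointee may be gone; it is only null-tested here, not dereferenced, but the next edit that touches this line has no hint that dereferencing it is exactly the use-after-free this change removes. I would capture the only fact the pointer is still needed for before the dismissal, e.g. `const bool had_visible_item = visible_item != nullptr;` next to the `old_status` copy, use `had_visible_item ? visible_item->GetSSL() : SSLStatus()` there, and test `!had_visible_item` in the comparison, so the pointer is not read past the reset of `interstitial_`. A short comment at the copy would also help, e.g. `// Copy, not a pointer: the item may be destroyed when the interstitial is dismissed below.` Note that when there was no old item the `SSLStatus()` default is never compared, because the null check short-circuits first, so the default value only has to be constructible; this appears to rely on SSLStatus being copyable, which the compiling line suggests but the hunk does not show. ClearTransientContent continues between and beyond both hunks, so the code that actually dismisses the interstitial is outside this view.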