Keep SVGImage alive across its animation timer callback.

Source/core/svg/graphics/SVGImageChromeClient.cpp

Index: Source/core/svg/graphics/SVGImageChromeClient.cpp
diff --git a/Source/core/svg/graphics/SVGImageChromeClient.cpp b/Source/core/svg/graphics/SVGImageChromeClient.cpp
index 331860cd6e53373c47b0b837ab9add0d040826f2..303d554f7e83ec64f39b7bbb8b5ca130af31df00 100644
--- a/Source/core/svg/graphics/SVGImageChromeClient.cpp
+++ b/Source/core/svg/graphics/SVGImageChromeClient.cpp
@@ -86,8 +86,22 @@ void SVGImageChromeClient::animationTimerFired(Timer<SVGImageChromeClient>*)
     // serviceScriptedAnimations runs requestAnimationFrame callbacks, but SVG
     // images can't have any so we assert there's no script.
     ScriptForbiddenScope forbidScript;
+
+    // As neither SVGImage nor this chrome client object are on the Oilpan heap,
+    // this object's reference to the SVGImage will not be traced should a GC
+    // strike below. Hence, we must ensure that they both remain alive for
+    // duration of this call.
+    //
+    // This is cannot arise non-Oilpan as an ImageResource is an owned object
+    // and will be promptly released along with its (SVG)Image..and everything
+    // below, including this object and its timer. For code simplicity, the
+    // object protection isn't made the conditional on Oilpan.
+    //
+    // FIXME: Oilpan: move this and other ChromeClients to the Oilpan heap
+    // to render this protection redundant.
+    RefPtr<SVGImage> protect(m_image);
     m_image->frameView()->page()->animator().serviceScriptedAnimations(monotonicallyIncreasingTime());
     m_image->frameView()->updateLayoutAndStyleForPainting();
 }
 
-}
+} // namespace blink