gh-151895: Fix marshal.loads() crash on dict reference-tracking failure

[tonghuaroot]

r_object() in Python/marshal.c could dereference a NULL dictionary. When loading a back-referenced dict (FLAG_REF), the TYPE_DICT branch calls R_REF(v), which expands to v = r_ref(v, flag, p) and can return NULL when r_ref()'s internal PyList_Append() fails under MemoryError. The branch then fell through to PyDict_SetItem(v, ...) with v == NULL, crashing the interpreter (SIGSEGV on a release build, an assertion abort on a debug build) instead of raising a clean MemoryError.

Every sibling container branch — TYPE_TUPLE, TYPE_LIST, TYPE_FROZENDICT, and the set/frozenset branches — already follows R_REF(v) with an if (v == NULL) break; (or if (idx < 0)) guard; TYPE_DICT was the only one missing it. This adds the guard. r_ref() has already decref'd the dict on its failure path, so the early break propagates the exception cleanly and marshal.loads() raises MemoryError.

A regression test is added in Lib/test/test_marshal.py that uses _testcapi.set_nomemory() to fail the reference-tracking allocation while loading a back-referenced dict: it crashes the interpreter without this change and raises MemoryError with it. test_marshal passes.

This is a regression introduced in 2e37d83 (gh-148653), which refactored the TYPE_DICT/TYPE_FROZENDICT branches to share code and dropped the dict path's if (v == NULL) break;. It first shipped in v3.15.0b1, so only main and 3.15 are affected (3.13 and 3.14 still have the guard); no released version is exposed. Needs backport to 3.15.

• Issue: marshal.loads() crashes on a back-referenced dict when an allocation fails (3.15 regression) #151895

[aisk]

We usually don't add tests for cases where the return value of malloc is not checked, so I don't think this test case is necessary. Otherwise, the change looks good to me.

[tonghuaroot]

Good point — dropped the test in a178dac; the r_object() TYPE_DICT guard is unchanged. Thanks for the review!