gh-152107: Fix crash creating a dict item iterator under MemoryError

dictiter_new() for item iterators allocates di_result via
_PyTuple_FromPairSteal() before calling _PyObject_GC_TRACK(di). If that
allocation fails (OOM), the error path runs Py_DECREF(di) on the
not-yet-tracked iterator and dictiter_dealloc()'s _PyObject_GC_UNTRACK(di)
asserts the object is GC-tracked -- aborting on debug builds and corrupting
the GC list (later segfault) on release builds.

An iterator with di_result == NULL is already in a valid state, so track it
right after initialization, before the only fallible allocation. The OOM
error path then deallocates a properly tracked object.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: zangjiucheng

Lib/test/test_dict.py

@@ -9,7 +9,7 @@
 import unittest
 import weakref
 from test import support
-from test.support import import_helper
+from test.support import import_helper, script_helper
 
 
 class CustomHash:
@@ -116,6 +116,30 @@ def test_items(self):
         self.assertRaises(TypeError, d.items, None)
         self.assertEqual(repr(dict(a=1).items()), "dict_items([('a', 1)])")
 
+    @support.cpython_only
+    def test_item_iterator_no_memory(self):
+        # gh-152107: dictiter_new() for a dict item-iterator allocates
+        # di_result via _PyTuple_FromPairSteal() before _PyObject_GC_TRACK().
+        # When that allocation fails under OOM the error path decref'd the
+        # still-untracked iterator, and dictiter_dealloc() unconditionally
+        # untracked it -- asserting on a debug build and corrupting the GC
+        # list (later segfault) on a release build.  Make sure it doesn't crash.
+        import_helper.import_module("_testcapi")
+        # _strptime() builds dict item-iterators while the size-2 tuple
+        # freelist is drained, so _PyTuple_FromPairSteal() in dictiter_new()
+        # actually allocates and can fail under the set_nomemory() sweep.
+        code = """if 1:
+            import _strptime
+            from _testcapi import set_nomemory
+            for start in range(60):
+                set_nomemory(start)
+                try:
+                    _strptime._strptime("", "")
+                except BaseException:
+                    pass
+        """
+        script_helper.assert_python_ok("-c", code)
+
     def test_views_mapping(self):
         mappingproxy = type(type.__dict__)
         class Dict(dict):

Misc/NEWS.d/next/Core_and_Builtins/2026-06-24-14-05-00.gh-issue-152107.K3jX9p.rst

@@ -0,0 +1,3 @@
+Fix a crash when creating a :class:`dict` item iterator (for example
+``iter(d.items())`` or ``reversed(d.items())``) under a memory-allocation
+failure.  Patch by Jiucheng Zang.

Objects/dictobject.c

@@ -5520,6 +5520,11 @@ dictiter_new(PyDictObject *dict, PyTypeObject *itertype)
     else {
         di->di_pos = 0;
     }
+    di->di_result = NULL;
+    /* An iterator with di_result == NULL is in a valid state, so track it
+       now -- before the only fallible allocation below.  This keeps the OOM
+       error path from deallocating a not-yet-tracked iterator. */
+    _PyObject_GC_TRACK(di);
     if (itertype == &PyDictIterItem_Type ||
         itertype == &PyDictRevIterItem_Type) {
         di->di_result = _PyTuple_FromPairSteal(Py_None, Py_None);
@@ -5528,10 +5533,6 @@ dictiter_new(PyDictObject *dict, PyTypeObject *itertype)
             return NULL;
         }
     }
-    else {
-        di->di_result = NULL;
-    }
-    _PyObject_GC_TRACK(di);
     return (PyObject *)di;
 }