batch_dict_exact() in _pickle.c iterates dict items using PyDict_Next() which returns borrowed references. Without a critical section, a concurrent dict mutation can invalidate the borrowed reference before Py_INCREF, causing a segfault.

The fix wraps PyDict_Next() + Py_INCREF in Py_BEGIN_CRITICAL_SECTION(obj) to prevent the dict from being mutated while converting borrowed refs to owned refs. Same approach as the existing set iteration path in the same file (line 3656).

Crashes on both 3.14t (stock install) and main (with ASan). Reproducer in the linked issue.

• Existing test_pickle passes (1000 tests, no regressions)
• Added test_free_threading/test_pickle.py that segfaults without the fix and passes with it

• Issue: Segfault in _pickle.c:batch_dict_exact when pickling dict with concurrent mutation (free-threading) #146452