So if I leave UBSan and ASan out of the equation and compile with gcc and run this script:

Program received signal SIGSEGV, Segmentation fault.
update_refs (containers=<optimized out>) at Modules/gcmodule.c:353
353             _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
(gdb) bt
#0  update_refs (containers=<optimized out>) at Modules/gcmodule.c:353
#1  collect (generation=generation@entry=2,
    n_collected=n_collected@entry=0x7fffffffe2f8,
    n_uncollectable=n_uncollectable@entry=0x7fffffffe300,
    nofail=nofail@entry=0) at Modules/gcmodule.c:962
#2  0x00005555555d5365 in collect_with_callback (generation=2)
    at Modules/gcmodule.c:1135
#3  PyGC_Collect () at Modules/gcmodule.c:1622
#4  _PyGC_CollectIfEnabled () at Modules/gcmodule.c:1635
#5  0x00005555555b8e28 in Py_FinalizeEx () at Python/pylifecycle.c:978
#6  0x00005555555b9225 in Py_FinalizeEx () at Python/pylifecycle.c:1119
#7  0x00005555555d2ed2 in Py_Main (argc=<optimized out>, argv=<optimized out>)
    at Modules/main.c:921
#8  0x00005555555aa1cb in main (argc=2, argv=<optimized out>)
    at ./Programs/python.c:102
(gdb) list
348     update_refs(PyGC_Head *containers)
349     {
350         PyGC_Head *gc = containers->gc.gc_next;
351         for (; gc != containers; gc = gc->gc.gc_next) {
352             assert(_PyGCHead_REFS(gc) == GC_REACHABLE);
353             _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
354             /* Python's cyclic gc should never see an incoming refcount
355              * of 0:  if something decref'ed to 0, it should have been
356              * deallocated immediately at that time.
357              * Possible cause (if the assert triggers):  a tp_dealloc

Valgrind shows a null deref as well after some invalid reads and conditional jumps. I've attached the log, it's a bit verbose.