Without commenting on whether this is a bug or not, your code isn't that safe.

Extending a class that implements Serializable and then hoping that properties in the child class are preserved across serialization/deserialization only works by chance - it is not a reliable way of programming.

The code below gives an example of where class A serializes/deserializes itself correctly, but doesn't know about class B, so doesn't do what the programmer of class B hoped, which is what you're seeing with ArrayObject. I don't believe there are any guarantees made by ArrayObject (or other classes) that what you are trying to do is going to work.

Either using composition rather than inheritance would be much safer, or writing serialize/unserialize methods on the child method would allow you to control the serialization/deserialization. Alternatively, just not using serialize/unserialize and instead using your own interface can also be more predictable than the "magic" internal methods.

class A implements Serializable {

    private $aValue;

    function __construct($aValue) {
        $this->aValue = $aValue;
    }

    function serialize() {
        $data = [];
        $data['aValue'] = $this->aValue;
        return json_encode($data);
    }

    function unserialize($serialized) {
        $data = json_decode($serialized, true);
        $this->aValue = $data['aValue'];
    }
}

class B extends A {
    function __construct($aValue, $bValue) {
        parent::__construct($aValue);
        $this->bValue = $bValue;
    }
}

$obj1 = new B("Give me an A!", "Give me a B!");
$serialized = serialize($obj1);
$obj2 = unserialize($serialized);
var_dump($obj1);
var_dump($obj2);

I known what you are talking about. But I double check the source code in github.

https://github.com/php/php-src/blob/PHP-7.0.4/ext/spl/spl_array.c#L1700

and

https://github.com/php/php-src/blob/PHP-7.0.4/ext/spl/spl_array.c#L1804

It show when an ArrayObject was been serialized and un-serialized, it would carry the data in the storage and the members in this object. And in the serialized result string, storage data would use the keyword 'x:', and the members would use the keyword 'm:'.

So let's check the serialized string about an ArrayObject. In my case, the string is: 

C:4:"Test":80:{x:i:2;a:2:{s:1:"a";s:1:"a";s:1:"b";s:1:"b";};m:a:1:{s:10:"�Test�name";s:2:"ok";}}

We can see, the field "name" and its value "ok" was been stored.

Ok, let's drop all about it. Just think about these things:

1. In the un-serialized object, we can see the property "$name" has his value "ok". But now the problem is the method "getName" can not access his private property.

2. Let's see a more detail case: 

class Test extends ArrayObject
{

	private $name = null;

	protected $test = null;

	public function __construct(array $input)
	{
		parent::__construct($input, ArrayObject::ARRAY_AS_PROPS);
//		parent::__construct($input, ArrayObject::STD_PROP_LIST);
	}

	public function setName($name)
	{
		$this->name = $name;
		$this->test = $name;
		return $this;
	}

	public function getName()
	{
		return $this->name;
	}

	public function getTest()
	{
		return $this->test;
	}
}

$test = new Test(['a' => 'a', 'b' => 'b']);
$test->setName('ok');

$ser = serialize($test);
$unSer = unserialize($ser);

var_dump($unSer->getName()); // null
var_dump($unSer->getTest()); // ok
var_dump($unSer);

The method "getTest" will return the right result. So what would you say about it?

This is not a superficial issue, There are a lot of pecl extensions using unserialize method. Such as memcache, phpredis. This question brought a lot of chain of problems.