I pushed a new version with 3 additional tests:

• A test to check that __unserialize() throws proper exceptions for malformed data
• A test that verifies user properties with conflicting names (like $flags, $heap_elements) don't interfere with the internal state
• And a last one that confirms the new indexed array format [properties, internal_state] is used consistently across heap classes. The same pattern is used in PHP_METHOD(Random_Engine_Mt19937, __unserialize) for example. Thanks for pointing out!

Tests I pushed are pretty verbose and human friendly, I wonder if they should look like ext/spl/tests/SplObjectStorage_unserialize_nested.phpt for example, with the whole internal structure?

I addressed all your comments in 3f041a3

Tests I pushed are pretty verbose and human friendly, I wonder if they should look like ext/spl/tests/SplObjectStorage_unserialize_nested.phpt for example, with the whole internal structure?

Maintenance-wise I think “technical tests” are preferable, this makes sure that they capture every nuance and with the diff output any failures are still pretty readable.

You could also take a look at the serialization tests for ext/random. Given that it's a very new extension, I'd say it's in a good shape. And I made sure to very carefully maintain the tests there.

I'm also noticing that this PR targets PHP 8.3. I'd argue this is more a feature rather than a bugfix and would recommend targeting master.

Yes. I targeted 8.3 because of the bug label on the issue, but it definitely looks like a feature. Let's target master.

The two last commits rearrange tests with a more technical approach, adds some more tests and safety about the heap being corrupted. Also, more code form Random_Engine_Mt19937 is borrowed.

Thanks for the extensive review @TimWolla!