Fixed an array rewriting bug found by fuzzer

3 files changed, 29 insertions, 2 deletions

diff --git a/src/theory/arrays/theory_arrays_rewriter.h b/src/theory/arrays/theory_arrays_rewriter.h
index dbbfd04dd..62782f90e 100644
--- a/src/theory/arrays/theory_arrays_rewriter.h
+++ b/src/theory/arrays/theory_arrays_rewriter.h
@@ -344,7 +344,14 @@ public:
               elements.push_back(store[2]);
               store = store[0];
             }
-            n = nm->mkNode(kind::STORE, store, index, value);
+            if (value.getKind() == kind::SELECT &&
+                value[0] == store &&
+                value[1] == index) {
+              n = store;
+            }
+            else {
+              n = nm->mkNode(kind::STORE, store, index, value);
+            }
             while (!indices.empty()) {
               n = nm->mkNode(kind::STORE, n, indices.back(), elements.back());
               indices.pop_back();
diff --git a/test/regress/regress0/aufbv/Makefile.am b/test/regress/regress0/aufbv/Makefile.am
index 764dd6573..1a698b180 100644
--- a/test/regress/regress0/aufbv/Makefile.am
+++ b/test/regress/regress0/aufbv/Makefile.am
@@ -45,7 +45,8 @@ TESTS =	\
 	fuzz11.smt \
 	fuzz12.smt \
 	fifo32bc06k08.delta01.smt \
-	rewrite_bug.smt
+	rewrite_bug.smt \
+	array_rewrite_bug.smt
 
 
 EXTRA_DIST = $(TESTS)
diff --git a/test/regress/regress0/aufbv/array_rewrite_bug.smt b/test/regress/regress0/aufbv/array_rewrite_bug.smt
new file mode 100644
index 000000000..972dec530
--- /dev/null
+++ b/test/regress/regress0/aufbv/array_rewrite_bug.smt
@@ -0,0 +1,19 @@
+(benchmark fuzzsmt
+:logic QF_AUFBV
+:extrafuns ((a1 Array[14:11]))
+:status sat
+:formula
+(let (?n1 bv1[16])
+(let (?n2 (extract[13:0] ?n1))
+(let (?n3 bv0[11])
+(let (?n4 (store a1 ?n2 ?n3))
+(let (?n5 bv0[14])
+(let (?n6 (select a1 ?n5))
+(let (?n7 (store ?n4 ?n5 ?n6))
+(let (?n8 (zero_extend[3] ?n6))
+(let (?n9 (select ?n7 ?n8))
+(let (?n10 (sign_extend[2] ?n9))
+(let (?n11 (zero_extend[3] ?n10))
+(flet ($n12 (bvugt ?n1 ?n11))
+$n12
+)))))))))))))