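/*
 * Verification task (SV-COMP style, with ACSL/Frama-C contracts).
 *
 * x is read nondeterministically, decremented once per loop iteration while
 * it is positive, and the property checked afterwards is x <= 0.
 *
 * The ACSL annotations are kept byte-for-byte: they appear to be generated
 * (the verifier-assert contract even requires cond != 0), so their exact
 * wording is part of the task rather than documentation of this file.
 *
 * Changes versus the one-line original: the stray top-level ';' after the
 * abort() stub is removed (a constraint violation under strict ISO C),
 * every empty parameter list is spelled (void) so the declarations are
 * proper prototypes, control bodies are braced, and main returns 0
 * explicitly instead of relying on the implicit C99 return.
 */

/* Stub replacing the C library abort(): the benchmark only needs an error
 * sink that tools recognise, so it simply returns. */
void abort(void) { }

/* Benchmark assertion: reaching the ERROR label is the property violation.
 * NOTE(review): the generated contract below requires cond != 0, i.e. it
 * already states that no call fails; under that precondition the ERROR
 * branch is unreachable — confirm this is the intended specification. */
/*@ requires (((cond != 0) && (x <= 0))) && (cond != 0); ensures (((cond != 0) && (x <= 0))) && (1); @*/
void __VERIFIER_assert(int cond)
{
    if (!(cond)) {
        ERROR: {
            /*@ assert(0); */
            ;
            abort();
        }
    }
    return;
}

/* Nondeterministic inputs; defined by the verification harness, not here. */
_Bool __VERIFIER_nondet_bool(void);
int __VERIFIER_nondet_int(void);

/* x is an input variable (set once in main from nondeterministic input). */
int x;

/* The only operation the loop performs: decrement the global x. */
void foo(void)
{
    x--;
}

/* Entry point: load x, drive it down while positive, then assert x <= 0.
 * Both branches of the nondeterministic choice call foo(); the choice is
 * part of the task and is deliberately kept. */
/*@ requires ((x <= 0)); ensures ((\old(x) <= 0)); @*/
int main(void)
{
    x = __VERIFIER_nondet_int();
    /*@ loop invariant ((\old(x) <= 0)); @*/
    while (x > 0) {
        _Bool c = __VERIFIER_nondet_bool();
        if (c) {
            foo();
        } else {
            foo();
        }
    }
    __VERIFIER_assert(x <= 0);
    return 0;
}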