// verifast_options{disable_overflow_check target:ILP32}
/* Bresenham's line drawing algorithm from Srivastava et al.'s paper From Program Verification to Program Synthesis in POPL '10 */
/*
 * Verification harness, not a library: the program draws nothing. It drives
 * Bresenham's decision variable for a line from (0,0) to (X,Y) and asserts the
 * algebraic invariant that relates v, x and y to X and Y.
 *
 * Every "//@" line is a VeriFast proof annotation (function contracts, loop
 * invariant, module handling). They are kept byte-for-byte: the contracts
 * refer to these exact variable names and program points, so renaming a local
 * or reshaping the loop would invalidate the proof even though the C runtime
 * behaviour would be unchanged.
 *
 * The option on the first line disables VeriFast's overflow check, so the
 * proof says nothing about integer overflow. Within this harness that is
 * covered by the value bounds below (X and Y are assumed in [0,10]; the loop
 * invariant also records X <= 10), which keep every product small; the casts
 * to long long in main() are what would keep the arithmetic well-defined if
 * those bounds were widened.
 */

/* abort() is declared directly rather than through <stdlib.h>; the contract
 * attached to the prototype follows it. */
extern void abort(void);
//@ requires true;
//@ ensures true;

/* Error sink. A call to this function is the property violation the verifier
 * looks for. The VeriFast precondition "false" means the proof must show the
 * call is unreachable. The body is empty: at plain runtime a violated assert
 * is NOT trapped here, execution just continues (see __VERIFIER_assert). */
void reach_error()
//@ requires false;
//@ ensures true;
{}

/* Source of arbitrary (attacker-controlled, from the verifier's point of view)
 * input. Unconstrained here; the range is restricted at the call sites with
 * assume_abort_if_not(). */
extern int __VERIFIER_nondet_int(void);
//@ requires true;
//@ ensures true;

/* Assumption: executions in which cond is false are discarded by aborting.
 * The postcondition (cond != 0) is how the assumed range reaches the proof.
 * NOTE(review): the nested requires/ensures annotation inside the if-body was
 * emitted by the instrumentation; its purpose is not clear from this file and
 * it is left untouched. */
void assume_abort_if_not(int cond)
//@ requires true;
//@ ensures (cond != 0);
{
    if(!cond)
    //@ requires true;
    //@ ensures true;
    {abort();}
}

/* Property check. The contract requires 1 <= cond, i.e. because every call
 * site passes the result of an == comparison (0 or 1), VeriFast must prove the
 * asserted equation holds at each call. The ERROR label marks the reachability
 * target for the verifier. Note the function returns normally afterwards:
 * outside the verifier, a failing check is silently ignored. */
void __VERIFIER_assert(int cond)
//@ requires (1 <= cond);
//@ ensures (1 <= cond);
{
    if (!(cond)) {
        ERROR: {reach_error();}
    }
    return;
}

/* Entry point. The module/junk annotations are VeriFast's handling of the
 * program's global state as emitted by the instrumentation tool; the module
 * name matches this file's name. */
int main()
//@ requires module(bresenham_ll_valuebound10__verifast_instrumented, true);
//@ ensures junk();
{
//@ open_module();
    /* X, Y: line end point, nondeterministic but bounded to [0,10] below.
     * x, y: current pixel. v: Bresenham decision variable.
     * xy, yx: scratch products, widened to long long before multiplying. */
    int X, Y;
    long long x, y, v, xy, yx;

    X = __VERIFIER_nondet_int();
    assume_abort_if_not(X>=0 && X<=10);
    Y = __VERIFIER_nondet_int();
    assume_abort_if_not(Y>=0 && Y<=10);

    v = ((long long) 2 * Y) - X; // cast required to avoid int overflow
    y = 0;
    x = 0;

    /* The invariant below is the relation checked by the assert inside the
     * loop, 2*Y*x - 2*X*y - X + 2*Y - v == 0, plus the bookkeeping facts
     * (0 <= X, 0 <= Y, X <= 10) and the exit case: once x reaches X+1,
     * y*x == X*y + y, which is what lets the final assert use x*y. */
    while (1)
    //@ invariant ((((((x < (X + 1)) || ((y * x) == ((X * y) + y))) && (X <= 10)) && (((Y * 2) + (2 * (Y * x))) == ((((X * y) * 2) + X) + v))) && (0 <= Y)) && (0 <= X));
    {
        yx = (long long) Y*x;
        xy = (long long) X*y;
        /* Checked at the loop head, before the exit test. */
        __VERIFIER_assert( 2*yx - 2*xy - X + (long long) 2*Y - v == 0);
        if (!(x <= X)) break;
        // out[x] = y
        /* Bresenham step: stay on the current row or move up one row,
         * updating the decision variable accordingly. */
        if (v < 0) { v = v + (long long) 2 * Y; } else { v = v + 2 * ((long long) Y - X); y++; }
        x++;
    }

    /* At exit x == X+1 (x starts at 0 <= X and grows by one per iteration),
     * so x*y == X*y + y and the extra "+ 2*y" term cancels the difference
     * between this product and the X*y used inside the loop. */
    xy = (long long) x*y;
    yx = (long long) Y*x;
    __VERIFIER_assert(2*yx - 2*xy - X + (long long) 2*Y - v + 2*y == 0);
    return 0;
}