With the increasing popularity of high-level design methodologies there is renewed interest in data-path equivalence checking [ 3 ][ 13 ][ 18 ][ 20 ]. In such an application, a design prototype is first implemented and validated in C/C++, and then used as the golden specification. A corresponding Verilog/VHDL design is implemented either manually or automatically through high-level synthesis tool [ 2 ][ 4 ][ 15 ]. In both cases, a miter logic for equivalence checking is formed to prove the correctness of the generated RTL model by comparing it against the original C/C++ implementation.

The data-path logic targeted in this paper is specified using Verilog/VHDL. The bit and word-level operators in Verilog/VHDL have the same semantic expressiveness as SMT QF BV theory[ 5 ]. Table I gives a one-to-one correspondence between Verilog and QF BV unsigned operators. Signed arithmetic operators are also supported. The complexity of such an equivalence problem is NP-complete. However, on the extreme end, the complexity becomes O(1) of the size of the network if the two designs are structurally the same. An NP-complete problem can be tackled by using SAT-solvers as a general procedure. To counter the capacity limitation of SAT-solving, it is crucial to reduce the complexity by identifying internal match points and by conducting transformations to bring in more structural similarity between the two sides of the miter logic.

Boolean bit-wise arithmetic extract concat comparator shifter

Verilog operators &&; k; !; ; mux &; j; ; ; mux +; ; ; =; % [] fg <; >; ; ;

SMT QF BV operators

and; or; not; xor; ite bvand; bvor; bvnot; bvxor; bvite bvadd; bvsub; bvmul; bvdiv; bvmod extract concat bvugt; bvult; bvuge; bvule

bvshl; bvshr

The differences between the two data-path logics under equivalence checking are introduced by various arithmetic transformations for timing, area and power optimizations. These optimizations are domain specific and can be very specialized towards a particular data-path design and underlying technology. They have the following characteristics: The two sides of the miter logic are architecturally different and have no internal match points.

Many expensive operators such as adders and multipliers are converted to cheaper but more complex implementations and the order of computations are changed. It is not a scalable solution to rely on SAT solving on the bit-blasted model.

The parts of the transformed portion are embedded in a cloud of bit and word level operators. Algebraic extraction [ 8 ][ 26 ] of arithmetic logic based on structural patterns is generally too restrictive to handle real-world post-optimization data-path logic.

Word-level rewriting uses local transformation. Without high-level information, local rewriting is not able to make the two sides of the miter logic structurally more similar.

Lacking high-level knowledge of the data-path logic, the equivalence problems can be very difficult for gate-level equivalence checking and general QF BV SMT solvers. Strategically, LEC views the bottleneck of such problems as having been introduced by high-level optimizations and employs a collaborative approach to isolate, recognize and reconstruct the high-level transformations to simplify the miter model by bringing in more structural similarities.

LEC takes Verilog/VHDL as the input language for the datapath logic under comparison. Internally, a miter network, as in Figure 2(a), is constructed comparing combinational logic functions F and G. Figure 1 illustrates the overall tool flow.

First, the Verific RTL parser front-end[ 6 ] is used to compile input RTL into the Verific Netlist Database. VeriABC[ 23 ] processes the Verific netlist, flattens the hierarchy and produces an intermediate DAG representation in static single assignment (SSA) form, consisting of Boolean and word-level operators as shown in Table I. Except for the hierarchical information, the SSA is a close-to-verbatim representation of the original RTL description. From SSA, a bit-blasting procedure generates a corresponding bit-level network as an AIG (And-inverter graph). Word-level simulation models can be created at the SSA level. ABC[ 1 ] equivalence checking solvers are integrated as external solvers. (a)miter network

(b)structurally hashed

An SSA netlist is a DAG of bit and word-level operators annotated with bit-width and sign information. In the tool flow, both Verific and VeriABC perform simple structural hashing at the SSA level, merging common sub-expressions. After merging, the miter logic is divided into three colored regions using cone of influence (COI) relations, as in Figure 2 (b).

Red: if the node is in the COI of F only

Original miter Word−level Simulator miter F=G input:̄x new miter target Verific Parser Frontend

VeriABC SSA Network Bit−level

AIG ABC solvers SAT

UNSAT

Learning−based Transformations

Transformed

RTL

LEC tries to solve the miter directly using random simulation on the word-level simulator or by ABC[ 1 ]’s equivalence checking procedure dcec, which is a re-implementation of iprove[ 24 ]. If unresolved, LEC applies transformations to the SSA and produces sub-models in Verilog miter format from which LEC can be recursively applied. The overall system integration is described in Section IV.

In this section, we present the techniques implemented in LEC. Even though some are simple and intuitive, they are powerful when integrated together as demonstrated in the experimental results. All techniques are essential bdecause LEC may not achieve a final proof if any one is omitted. Their interactions are illustrated in the case-study in Section V.

F(x̄)

G(̄x)

F(x̄)

G(̄x)

F(x̄)

G(̄x) red blue red

blue miter F=G purple input :̄x miter F=G kept abstract input x̄' redundant input:x̄ (c)abstraction

Purple: the node is in the COI of both sides of the miter i.e. common logic The purple region is the portion of the miter logic that has been proved equivalent already, while the red and blue regions are the unresolved ones. LEC makes progress by reducing the red/blue regions and increasing the purple region. The common logic constrains the logic for the red and blue regions, which may be abstracted (see Section III-E) to reduce redundancy and possibly expose the real bottleneck in a proof.

The above learning techniques are integrated in LEC as a set of logically independent procedures. Each procedure produces one or more sub-models, illustrated as a tree in Figure 3.

The root node is the current targeted Verilog miter model.

It has eight children. The simulator and AIG models are the ones described in Figure 1. The simplif ied sub-model is generated by constant propagation and merging proven PEPs.

The abstraction and rewrite sub-models are created by the abstraction and rewrite procedures in the previous section.

The case-split sub-model consists of a set of sub-models, corresponding to the cofactoring variables selected. In the current implementation, the user needs to input the set of signals to case-split on; eventually they will be selected by heuristics. The linear-construction node has two sub-models which will be explained in detail in Section V. When PEPs are identified through simulation, a P EP node is create with the set of unproven-PEPs as sub-models.

Verilog Miter Model simulator AIG simplified abstraction rewrite case-split linear-construction PEP pep0 pep1 ... pepm case0 case1 ... casen caseF caseG

LEC Fig. 3. Branching sub-model tree

Two nodes in the sub-model tree are terminal. One is the simulator model which can falsify the miter through random simulation. The other is the AIG model where ABC’s bit-level dcec procedure is applied. The rest of the leaf models (in bold font) are generated as Verilog miter models, which have the same format as the root node. LEC procedures can be applied recursively to these leaf nodes to extend the sub-model trees to simpler ones. The LEC proof process progresses by expanding the sub-model tree. A sub-model is resolved as SAT or UNSAT from its sub-models’ proof results.

Since there are no logical dependencies between sibling sub-models, any branch can be chosen to continue the proof process. Sibling sub-models can be forked in parallel from a parent process. A node in the sub-model tree determines its proof result from its children. Table III gives the possible return values from the first level sub-models. SIMPLIFY is returned by a P EP node to its parent model when at least one of its sub-models, pepi, is proven UNSAT, notifying the parent node to simplify further with the newly proved pepi.

Depending on the logical relationships between a parent and its immediate sub-models, a node is either disjunctive or conjunctive in semantics. In Figure 3, a Verilog miter model node Sub-model simulator

AIG simplified abstraction rewrite case-split linear construction

PEP

Return

SAT SAT/UNSAT SAT/UNSAT

UNSAT SAT/UNSAT SAT/UNSAT SAT/UNSAT

SIMPLIFY is disjunctive, which includes the root and all the leaf nodes in bold font. The case-split and linear construction nodes are conjunctive; a P EP node is disjunctive. The semantics, shown in the following tables, are used to resolve the proof result of the parent model from its immediate sub-models. To complete the calculus, we introduced two values: CON and BOT, where CON stands for an internal conflict indicating a potential LEC software bug and BOT is the bottom of the value lattice and acts like an uninitialized value.

Tables IV and V are the truth tables for the disjunction and conjunction semantics of the return values, in which UNS, UNK, SMP stand for UNSAT, UNKNOWN, and SIMPLIFY.

Assuming a bug free situation, at a disjunctive node, if either SAT or UNSAT is returned from a sub-model, this is the final proof result for the parent. In conjunction, the parent must wait until all sub-models are resolved as UNSAT before deciding that its result is UNSAT, while any SAT sub-model implies the current model is SAT. A P EP node returns SIMPLIFY to its parent if one of its sub-models, say pepi, is proven UNSAT. In this case, the parent model can apply another round of simplification to obtain a new simplif ied sub-model by merging the node pair in the just-proved pepi. The proof log in Figure VI is a sample sub-model tree where only the branches that contributed to the final proof are shown. Indentation indicates the parent-child relationship. Recursively, the proof result of the top level target is evaluated as UNSAT.

Using this sub-model tree infrastructure, any new procedures discovered in the future can be plugged into the system easily. Also, the system is fully parallelizable in that siblings can be executed at the same time. The proof process can be retrieved from the expanded sub-model tree.

V. CASE STUDY three numbers on the right are the node counts in the red, blue and purple regions (common logic) of the SSA network as distinguished in Figure 2(a). Only those sub-models that contributed to the final proof are shown in the figure. Others are ignored. As seen in Figure 5, the case-split procedure is

The design in this case-study is an industrial example taken applied twice, at lines 2 and 9. Both models have a singlefrom the image processing domain. We verify specification bit input port, which was selected for cofactoring. ABC[ 1 ] = implementation where the “specification” is a manually- immediately proved the first cofactored case, case 0 (3 and specified high-level description of the design. “Implemen- 10) , using the AIG model at 4 and 11. The time-out for the tation” is a machine-generated and highly optimized RTL dcec run was set to two seconds. Abstraction was applied at 8, implementation of the same design using[ 2 ]. The miter logic significantly reducing the common logic from 675 to 29 SSA is obtained through SLEC[ 3 ]. Therefore, the miter problem nodes, and effectively removing all the comparator logic. We is verifying that the high-level synthesis (HLS) tool did not tried abstraction on the original model without the case-split modify the design behavior. procedure and it failed to produce any result. The case-split at

This miter is sequential in nature, but here we examine a 2 removed enough Boolean logic and eliminated some corner bounded model checking (BMC) problem which checks the cases such that the abstraction procedure was able to produce correctness of the implementation at cycle N. This renders the an abstract model successfully. problem combinational. This is industrially relevant because Model 15 is the smallest unproved PEP from model 13. the sequential problem is too hard to solve in general, and It is proved using the linear construction procedure at 16, even the BMC problem at cycle N becomes too difficult for which we shall describe in detail in Section V-A. Model industrial tools. 21 is the simplified model of model 13 after merging the

The original design (specification) consists of 150 lines just-proved pep0. After simplification, most of the logic in of C++. It went through the Calypto frontend[ 3 ] and was model 21 became common logic through structural hashing, synthesized into a word-level netlist in Verilog. The generated leaving only 10 nodes in each of the blue and red regions. miter model has 1090 lines of structural Verilog code with 36 Model 21 was proved quickly by ABC which concludes the input ports: 29 of which are 7 bits wide, 2 are 9 bits, 4 are proof of the original miter. In this case, the linear-construction 28 bits and one is a single-bit wire. The miter is comparing procedure was crucial in attaining the proof. However, the two 28-bit values. We do not have knowledge about what the case-split, simplification, abstraction, and PEP models also are design does except through structural statistics: no multipliers, very important because they collaborate in removing Boolean, many adders, subtractors, comparators, shifters etc., together mux and comparator logic etc, but keeping only the part of the with Boolean logic. From a schematic produced from the original miter logic which constitutes a linear function. Only Verilog, there seems to be a sorting network implemented at this point, can a proof by the linear construction procedure using comparators, but we can not tell anything further. succeed.

Figure 5 illustrates the compositional proof produced by the LEC system by showing the sub-model tree created during A. Linear construction the proof process. Indentations indicate parent and sub-model For model 15 in Figure 5, the SSA network contains many relations and are listed in the order they were created. The +, , and operators along with extract and concat operators, but contains no Boolean operators or muxes. The input input variables to compute the coefficients: ports consist of twenty-five 7-bit or 12-bit wide ports. The miter is comparing two 15-bit wide output ports. At this point, b = F (0; 0; :::; 0) simplification and abstraction can not simplify the model a0 = F (1; 0; :::; 0) b further. Also, there are no good candidates for case-splitting. a1 = F (0; 1; :::; 0) b The local rewriting rules can not be applied effectively without ::: ohfavtihneg msoimteer glologbica.l Hinifgohrm-leavtieolni ntofohremlpatcioonnvmerugset tbhee tewxotrascidteeds an 1 = F (0; 0; :::; 1) b and applied to prove this miter model.

After the linear construction procedure through LEC, the miter logic is found to be implementing the following linear sum in the signed integer domain using two’s complement representation: Another round of random simulation on both the logic and the polynomial can be done to increase the likelihood of the conjecture. The same is repeated for G(x) to obtain g(x).

In integer arithmetic, f is equal to g if and only if the coefficients match exactly for each term: 16 x0 + 2 x1 + 2 x2 + 2 x3 + 2 x4 + 2 x5 One side of the miter implements the above sum as a plain linear adder chain (Figure 6(a)), the other side is a highly optimized implementation using a balanced binary tree structure (Figure 6(b)) and optimization tricks, which we don’t fully understand. This is a hard problem for bit-level engines because f = g <=> 8 i ai = a0i and b = b0

(12) So checking of f = g is trivial in this case. In other algebraic domains, domain specific reasoning may have to be applied to derive algebraic equivalence e.g. in [ 28 ].

3) Synthesizing implementations F 0=G0 for f (f =g), structurally similar to F=G: We want to find a Verilog implementation F 0(x) of f such that 1) F 0 implements f 2) F 0 is structurally similar to F To do this, all nodes in the SSA network with arithmetic operators +, are marked, and edges connecting single bits are removed. A reduced graph is then created from the marked nodes in the remaining graph maintaining the input/output relations between marked nodes. This graph is a skeleton of the implementation structure of F . For each of its nodes, we annotate it with a conjectured linear sum computed in the same way as in the above steps. The root node F is annotated with f and internal nodes annotated with linear sums fs, ft, etc. For illustration purposes, Figure 7(a) shows such an annotated reduced graph for node w. For an arbitrary node w

w=f w(̄x) s=f s(̄x) + u=...

+ + +

v=... + t=f t(̄x) x ̄ (a)annotated reduced graph Fig. 7. Annotated reduced graph

u=... w=cs⋅s+ct⋅t + f st(̄x)

+ s=... t=...

+ + +

+ v=... x ̄ (b)substituted annotation in the reduced graph with inputs from nodes s and t, from the annotation we have the following: s = fs(x) t = ft(x) w = fw(x) (10) (11)

We would like to substitute fw with variable s and t, such that w is a function of s and t in order to follow the structure of the skeleton reduced graph. Because all the functions are linear sums, we can compute, using algebraic division, two constants cs and ct such that the following holds: w = cs s + ct t + fst(x) ...

(a)linear adder chain Fig. 6. Addition implementation there are no internal match points to utilize. Therefore, LEC resorts to trying a high-level method to establish equivalence at the polynomial level. The following are the detailed steps for this specific case.

1) The conjecture: Assume the miter logic is F (x) = G(x) as in Figure 2(a). LEC conjectures the following for the arithmetic domain.

Signed integer arithmetic. The numbers are in 2’s complement representation.

Assume F (x) and G(x) are implementing the linear sums f and g of the forms f (x) = g(x) =

X ai xi + b

X a0i xi + b0 2) Determining the coefficients of f , g and proving f = g algebraically: Given the data-path logic F (x) and the linear sum formula (10), it takes n + 1 simulation patterns on the n cs is the quotient of fw=fs and ct = (fw cs fs)=ft, while fst is the remainder of the previous division. The substitution is conducted in one topological traversal from the inputs to the miter output. After substitution, the annotated reduced graph is essentially a multi-level implementation of the above linear sum. Because the linear sum annotated at each node in the reduced graph is only a conjecture, it may not be exactly the same function as in the original miter logic. However, in reimplementing f using this structure, certain similarities are still captured through the construction process.

This multi-level circuit is implemented by traversing the substituted reduced graph, and creating a corresponding Verilog file for F 0. It is generated by allocating a bit-vector at each internal node with its bit-width equivalent to output port of F . The same can be done for G to obtain G0. The reason why LEC goes through so much trouble to obtain separate RTL implementations for F 0 and G0 (even though they are both implementing f ), is that we need to prove F = F 0 and G = G0 separately next. Without the structural similarities created through this procedure, proving equivalence with an arbitrary F 0 and G0 would be as difficult as proving the original F = G. Generally, only with these extra similarities injected, can the miter model be simplified enough to allow SAT sweeping to succeed for F = F 0 and G = G0.

4) Proving F = F 0 and G = G0 : We construct two miter models F = F 0 and G = G0 as caseF and caseG in Figure 3, and apply LEC separately to each. By construction, each miter should be simpler than the original F = G because of the increased structural similarity between the two sides of the miter. Another round of LEC might reduce this miter logic, if not prove it directly through bit-level solvers. In the present case, F = F 0 was proven instantly because F is a simple linear adder chain, and so is F 0. Proving G = G0 takes more time using ABCs dcec because G is a highly optimized implementation of f and the multi-level implementation from the annotated reduced graph only captures part of the similarity.

But, the injected similarity was sufficient enough to reduce the complexity to be within dcec’s capacity.

5) Proving that F 0=G0 implements f =g : To complete the proof, we still have the proof obligation that F 0 and G0 implement f and g respectively. By construction from the reduced graph, the generated Verilog is a verbatim translation from the multi-level form of f . However, we need to bridge the gap between Verilog’s bit-vector arithmetic vs. the integer arithmetic of the linear sum. To do so, we created SVA assertions to check that every Verilog statement captures the integer value in full without losing precision due to underflows or overflows.

c[n : 0] =a[n assert (a[n : 0] == (c[n : 0] b[m : 0])[n : 0]) c[m : 0] =fa[n : 0]g[m : 0]; assert a[n : 0] == f(n m) fc[m

1]g; c[m : 0]g The first two sets of assertions ensure there is no overflow of signed integer add and no non-zero remainder of division.

The third one ensures that extraction does not change the value in two’s complement representation. The SVA checkers are formally verified separately using the VeriABC[ 23 ] flow, which in turn uses ABCs model checker.

From the above procedures, we established the following:

f (x) = g(x)

Table VI shows the experimental results comparing Boolector[ 11 ], Z3[ 16 ] and iprove[ 24 ] using a 24-hour timeout limit on an 2.6Ghz Intel Xeon processor. These models are generated directly using SLEC[ 3 ] for checking C-to-RTL equivalence or extracted as a sub-target from PEPs. The first column is the miter design name. The second column is the number of lines of Verilog for the miter model specification. Run-time or time-out results are reported for each solver in columns 3 to 6. Although the miter models are not big in terms of lines of Verilog, they are quite challenging for Boolector, Z3 and iprove. The run-time of LEC is the total CPU time including Verilog compilation. It was expected that iprove would not prove any of them because it works on the bitblasted model without any high-level information that the other solvers have. where aH , aL, bH , bL are the 32-bit slices of the original 64-bit bit-vectors. Both Boolector and Z3 are able to prove it. LEC proves it by first utilizing rewriting rules to transform the 64x64 multiplier into four 32x32 multipliers, matching the other four in the RHS of the miter. As they are matched exactly, they become common logic in the miter model. LEC then produces an abstraction and obtains a reduced model with all the multipliers removed: the outputs of the multipliers become free inputs in the abstract model. The abstract model is then proven instantly by ABC’s dcec on the AIG model.

The miter d1, extracted from a PEP sub-model, is a demonstration of rewrite rule 6 in Table II using 32-bit multiplication. As both Boolector and Z3 fail to prove equivalence within the time-limit, they likely do not have this rewriting rule implemented.

To prove d2, LEC conducts conditional rewriting using rule (2) by first statically proving an invariant in the form of (3). After the transformation, the multipliers are matched exactly on both sides of the miter and removed in the subsequent abstract model. The final miter model is proved instantly by ABC on the bit level AIG.

The miter model d3 has part of its logic similar to mul 64 64 embedded inside. LEC proves d3 by first applying rewriting rules repeatedly until no more rewriting is possible. Then, LEC computes a reduced model through abstraction. In the reduced model, LEC conducts a case-split on a one-bit input. The case-0 AIG model is proven instantly, while case-1 is proven in about 10 minutes by ABC.

The miter d4 is proven by first conducting a case-split of two bit-vector inputs: cofactoring on whether the bit-vector equals zero or not. Three of the four cofactored cases are proven instantly. The one unresolved goes through a round of simplification and abstraction. On the then obtained sub-model, three one-bit inputs are identified and cofactored through case-split procedures. LEC prove all eight cases quickly within a few seconds.

Miter d5 is extracted from model 15 in Figure 5 which contains the purely linear sum miter described in the casestudy section. For this simpler miter, Z3 is able to prove it in 9 hours while both iprove and Boolector time out. This shows that LEC’s transformations through collaborating procedures successfully reduce the surrounding logic in the original model, which was preventing Z3 to prove it in 24 hours.

The above experiments demonstrate the effectiveness of LEC’s collaborating procedures of simplification, rewriting, case-splitting and abstraction computations. The LEC architecture allows these procedures to be applied recursively through a sub-model tree: the model obtained by one procedure introduces new opportunities for applying other procedures in the next iteration. As exemplified in miter d4, the initial case-split gives rise to new opportunities for simplification as new constants are introduced by cofactoring. Then a new round of abstraction is able to remove enough common logic and expose three one-bit inputs as case-split candidates in the reduced model, which in turn gives rise to another casesplit transformation that leads to the final proof. None of this is possible without the transformations being applied in sequence.

In bit-level equivalence-checking procedures [ 24 ][ 25 ], simulation, SAT-sweeping, AIG rewriting and internal equivalence identification are all relevant to data-path equivalencechecking. In LEC, these types of procedures are conducted at the word-level. Word-level rewriting is difficult if only a bit-level model is available. For example, with no knowledge of the boundary of a multiplier, normalizing its operands is impractical at the bit-level . Although abstraction and casesplit techniques in LEC can be applied at the bit-level in theory, these are not used due to the difficulty of computing an abstraction boundary or of finding good cofactoring candidates.

SMT solving is relevant because a data-path is a subset of QF BV theory. Methods such as [ 7 ][ 11 ][ 16 ][ 14 ][ 17 ][ 19 ], are state-of-art QF BV solvers. These employ different implementations of word-level techniques in rewriting, abstraction, case-splitting, and simplification, and interleave Boolean and word-level reasoning via a generalized DPLL framework or through abstraction refinements of various forms. Hector[ 20 ] is closest to LEC in terms of technology and targeted application domains, and has a rich set of word-level rewriting rules along with some theorem prover [ 7 ] procedures to validate every rewriting applied. Hector also has an orchestration of a set of bit-level solvers using SAT and BDD engines to employ once the bit-level miter model is constructed. Strategically, LEC relies less on the capacity of SAT solver; instead it builds a compositional proof infrastructure and employs iterative transformations to finally obtain a proof through sub-model trees. The goal of these LEC learning procedures is to reverse engineer the embedded high-level algebraic transformations and bring more similarity between both sides of the miter model.

The techniques in [ 26 ] [ 31 ][ 33 ] also try to reconstruct an algebraic model from the underlying logic, but they employ a bottom up approach and their primitive element is a half-adder. The method in [ 8 ] simplifies the algebraic construction by solving an integer linear programming problem. The limitation of these approaches is that they rely on the structural pattern of the underlying logic to reconstruct the algebraic model. On the other hand, the linear construction case-study in Section V-A constructs the polynomial through probing with simulation patterns. This is more general as it uses only the functional information of the data-path logic. For different domains, other techniques may well be more applicable such as the bottom-up approach. The use of vanishing polynomials and Grobner bases in [ 27 ][ 28 ] to prove equivalence between polynomials in the modulo integer domain can be utilized once a polynomial form is reconstructed in LEC. In many data-path miter models, such a polynomial in a certain domain or theory is likely embedded in other control and data-path logic. Direct application of algebraic techniques is often not practical. Thus the collaborating procedures in LEC are designed to bridge this gap and isolate such polynomials so that these high level theories can then be applied.

In conducting consistency checking between C and Verilog RTL, the work [ 21 ] focuses on how to process a C program to generate formal models. The tool relies on SMT solvers [ 11 ][ 16 ][ 14 ] as the back-end solving engines.

In terms of tool architecture, [ 9 ] [ 10 ] [ 22 ], all employ a sophisticated set of transformations to simplify the target model during verification. These are done at the bit-level. The LEC infrastructure allows future extension to take advantage of multi-core parallelization as demonstrated in [ 30 ]. [ 12 ] [ 32 ], use a dedicated data-structures to represent the proofobligations, while LEC relies on the sub-model tree to track the compositional proof strategy used at each node.

In LEC, we build a system of collaborating procedures for data-path equivalence-checking problems found from an industrial setting. The strategy is to utilize Boolean level solvers, conduct the transformations at the word-level and to synthesize internal similarities by lifting the reasoning to the algebraic level . Using a real industrial case-study, we demonstrated the applicability of the sub-tree infrastructure for integrating a compositional proof methodology using LEC.