Efficient clock domain crossover verification

Low power-high performance


Use of constraints for accurate CDC analysis and reduced need for overrides without manual inspection.

As chips get bigger and more complex, the number of gates and the amount of built-in memory increase dramatically. The number of clock domains is also steadily increasing. Several dozen different clocks are common in chips today, with some designs having over a thousand domains. There are several reasons for this explosion:

  • Multiple external interfaces with separate clock requirements
  • Licensed IP blocks in the chip requiring different clock speeds
  • Functions that can be slowed down to save energy
  • Bus on chip with parts of the chip on independent clocks

Many of these clocks are asynchronous with each other. This gives the development team a lot of flexibility, but it introduces the challenges of clock domain crossover (CDC) design and verification. A CDC occurs at every point where a signal passes from a source clock domain to an independent, asynchronous destination clock domain. As the two clocks work in parallel, their edges vary, sometimes aligning and sometimes not. This variation can cause signal problems and other serious issues.

The most well-known CDC challenge is metastability, in which the source clock domain signal changes value too close to the destination clock edge. The destination latch may enter a metastable state and it will take some time for its output to stabilize at a high or low value. The result may be downstream logic using an incorrect value. The most common way to solve this problem is to add a second toggle stage on the destination clock. The probability of metastability escaping the two-stage synchronizer is very low.

Problems with consistency or data convergence can also lead to functional failures. For a multi-bit CDC, variations in delay due to clock signal routing mean that different bits can be captured on opposite sides of a destination clock edge, altering the value. Gray coding is often used to solve this problem. Likewise, if two signals from the source domain are synchronized separately and then converge in the destination domain, they may be shifted by one cycle. CDC errors can also occur when the reset signals are not synchronized for the destination clock domain.

In theory, most CDC issues can be detected by detailed code reviews. Missing synchronizers, clock conditioning logic, and Gray encoders can be detected this way, but manual inspection is tedious and prone to errors. As a result, tools have been developed to automate the verification of many CDC issues. These checks are similar to linting in that they scan the design register transfer level (RTL) code or the gate-level netlist for errors. However, this analysis requires more powerful engines which may include formal technology.

Synopsys VC SpyGlass CDC is a solution that removes the limitations of old checkout flows by using constraints to produce accurate analysis. This flow does not require any user input beyond specifying the input clocks and the relationships between them. The Synopsys Design Constraint (SDC) format is used to provide this information, ensuring very accurate results. Waivers are available, but most reported violations that are not issues can be eliminated by additional design constraints.

VC SpyGlass CDC statically plots from input clocks throughout design, identifying clock domains and determining which flip-flops are in which domains. From there it finds all CDCs and searches for synchronizers. Further analysis using static and formal internal check engines detects any CDC convergence issues or reset violations. The Verdi Automated Debugging System enables efficient CDC-aware debugging with side-by-side viewing of violation reports, source code, and generated schematics.

Especially for the first few executions, many violations of CDC can be reported. Giving up large groups of violations, especially with wildcards, is risky. VC SpyGlass CDC uses machine analysis and root cause analysis to identify and group violations with similar profiles. Because many violations can result from just a few design errors, this grouping can reduce thousands of violation messages to a few that the user can review. After all messages are resolved, VC SpyGlass CDC proves that there are no more violations remaining.

It is possible that users will make mistakes when specifying constraints. VC SpyGlass CDC has a unique way to check constraints with a hybrid flow using the Synopsys VCS simulator. VC SpyGlass CDC converts the constraints into a database that allows designers to verify that the assumptions incorporated in the SDCs are not violated. The generated file is included in simulation runs and any violations are reported. This gives a high degree of confidence in the correctness of the constraints.

CDCs should be carefully designed and audited to avoid issues that could cause a chip trick. Manual design reviews are impractical, and old CDC analysis tools produce noisy reports that encourage the dangerous practice of forgoing violations. Synopsys VC SpyGlass CDC addresses these concerns. Its use of constraints allows for a more precise analysis and reduces the need for overrides. Its fully automated flow eliminates manual RTL and SDC inspection. The result is the industry’s first solution for CDC analysis and debugging.

For more information, download the CDC white paper.

Rahul chirania

(All posts)

Rahul Chirania is an application engineer at Synopsys.