Effective Clock Domain Crossing Verification

Using constraints for accurate CDC analysis and reduced need for waivers without manual inspection.


As chips grow ever larger and more complex, gate count and amount of embedded memory grow dramatically. The number of clock domains is also increasing steadily. Several dozen different clocks are common in today’s chips, with some designs having more than a thousand domains. There are several reasons for this explosion:

  • Multiple external interfaces with distinct clock requirements
  • Licensed IP blocks within the chip requiring different clock speeds
  • Functions that can be slowed down to conserve power
  • On-chip buses with portions of the chip on independent clocks

Many of these clocks are asynchronous to each other. This gives the development team a lot of flexibility, but it introduces the challenges of clock domain crossing (CDC) design and verification. A CDC occurs at every point where a signal crosses from a source clock domain to an independent, asynchronous destination clock domain. As the two clocks run in parallel, their edges vary, sometimes aligning and sometimes not. This variation can lead to signal glitches and other serious issues.

The best-known CDC challenge is metastability, in which the signal from the source clock domain changes value too close to the destination clock edge. The destination flip-flop may enter a metastable state and its output will take some time to settle to a high or low value. The result can be downstream logic using an incorrect value. The most common way to address this issue is adding a second flip-flop stage on the destination clock. The probability of metastability escaping the two-stage synchronizer is very low.

Data coherency or convergence issues can also lead to functional failures. For a multi-bit CDC, the delay variations due to clock signal routing mean that different bits can be captured on opposite sides of a destination clock edge, corrupting the value.  Gray Coding is often used to resolve this issue. Similarly, if two signals from the source domain are synchronized separately and then converge in the destination domain, they can be offset by one cycle. CDC errors can also occur when reset signals are not synchronized for the destination clock domain.

In theory, most CDC-related problems can be found by detailed code reviews. Missing synchronizers, clock conditioning logic, and Gray encoders can be detected that way, but manual inspection is tedious and error prone. Accordingly, tools have been developed to automate checking for many CDC issues. These checks resemble linting in that they analyze the design register transfer level (RTL) code or gate-level netlist to find errors. However, this analysis requires more powerful engines that may include formal technology.

Synopsys VC SpyGlass CDC is a solution that removes the limitations of older verification flows by using constraints to yield precise analysis. This flow requires no user input beyond specifying the input clocks and the relationships among them. The Synopsys Design Constraint (SDC) format is used to provide this information, ensuring highly accurate results. Waivers are available but most reported violations determined not to be problems can be eliminated by additional constraints on the design.

VC SpyGlass CDC statically traces from the input clocks through the entire design, identifying clock domains and determining which flip-flops are in which domains. From there, it finds all CDCs and checks for synchronizers. Deeper analysis using internal static and formal verification engines detects any CDC convergence issues or reset violations. The Verdi Automated Debug System enables efficient CDC-aware debug with side-by-side viewing of violation reports, source code, and generated schematics.

Especially for initial runs, many CDC violations may be reported. Waiving large groups of violations, especially with wildcards, is risky. VC SpyGlass CDC uses machine leaning and root cause analysis to identify and cluster violations with similar profiles. Since many violations can arise from only a few design errors, this clustering can reduce thousands of violation messages to a small number for the user to examine. Once all messages are resolved, VC SpyGlass CDC proves that there are no remaining violations.

It is possible for users to make errors when specifying constraints. VC SpyGlass CDC has a unique way to verify constraints with a hybrid flow using the Synopsys VCS simulator. VC SpyGlass CDC converts the constraints into a database that allows designers to check to make sure the assumptions embodied in the SDCs are not violated. The generated file is included in simulation runs, and any violations are reported. This gives a high degree of confidence in the correctness of the constraints.

CDCs must be designed and verified carefully to avoid problems that could cause a chip turn. Manual design reviews are impractical, and older CDC analysis tools produce noisy reports that encourage the dangerous practice of waiving violations. Synopsys VC SpyGlass CDC addresses these concerns. Its use of constraints enables more accurate analysis and reduces the need for waivers. Its fully automated flow eliminates manual RTL and SDC inspection. The result is the industry’s premiere solution for CDC analysis and debug.

For more information, download the CDC white paper.

Leave a Reply

(Note: This name will be displayed publicly)