1 Clock Domain Crossing
1 Clock Domain Crossing
1
Clock Domain Crossing
Overview
As modern System-on-Chip (SoC) designs continue to face increasing
size and complexity challenges, multiple asynchronous clock domains
have been employed for different I/O interfaces. A CDC-based (Clock
Domain Crossing) design is a design that has one clock asynchronous
to, or has a variable phase relation with, another clock. A CDC signal is
a signal latched by a flip-flop (FF) in one clock domain and sampled in
another asynchronous clock domain. Transferring signals between
asynchronous clock domains may lead to setup or hold timing
violations of flip-flops. These violations may cause signals to be meta-
stable. Even if synchronizers could eliminate the meta-stability,
incorrect use, such as convergence of synchronized signals or
improper synchronization protocols, may also result in functional CDC
errors. Functional validation of such SoC designs is one of the most
complex and expensive tasks. Simulation on register transfer level
(RTL) is still the most widely used method. However, standard RTL
simulation can not model the effect of meta-stability.
Within one clock domain, proper static timing analysis (STA) can
guarantee that data does not change within clock setup and hold
times. When signals pass from one clock domain to another
asynchronous domain, there is no way to avoid meta-stability since
data can change at any time.
As the CDC errors are not addressed and verified early in the design
cycles, many designs exhibit functional errors only late in their design
cycles or during post-silicon verification. Several coverage metrics are
proposed to measure the validation's adequacy and progress, such as
code based coverage, finite state machine coverage, and functional
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 2 of 35
Background
Clock domain
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 3 of 35
A clock domain crossing signal is a signal from one clock domain that
is sampled by a register in another clock domain. More details of the
clock origin/domain inference engine are given in [1].
Meta-stability
Every flip-flop (FF) that is used in any design has a specified setup and
hold time, or the time in which the data input is not legally permitted
to change before and after a sampling clock edge. This time window is
specified as a design parameter precisely to keep a data signal from
changing too close to another synchronizing signal that could cause
the output to go meta-stable.
However, if some
input (say d in
Figure 2) violates
the setup and
hold time of a
FF, the output of
the FF (q in
Figure 2) keeps
oscillating for an
indefinite
amount of time.
This unstable
value may or may not non-deterministically converge to a stable value
(either 0 or 1) before the next sampling clock edge arrives.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 4 of 35
Synchronization Techniques
The main responsibility of a synchronizer is to allow sufficient time
such that any meta-sable output can settle down to a stable value in
the destination clock domain. The most common synchronizer used by
designers is two-flip-flop (2-FF) synchronizers as shown in Figure 4.
Usually the control signals in a design are synchronized by 2-FF
synchronizers.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 5 of 35
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 6 of 35
Similar to the case of syncing a single bit control signal, the natural
way to transfer a vector control signal is to model each bit of the
vector to be separately synchronized by a FF synchronizer. You have
already seen that even if you use FF synchronizers, it usually takes
more than one cycle to propagate correct input values to the
destination domain. Now consider a case where every bit of the vector
takes a transition very close to the destination clock edge. Also
assume that, by virtue of meta-stability, only some of these transitions
are correctly captured by the destination domain in the first cycle.
Now, if the bit values of the vector decide the state of the destination
domain, after the first cycle, the destination domain may move into an
invalid state.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 7 of 35
state for Domain 2. Now, think of a situation, where the signal Sig
wants to change its value from "000" to "101" (both indicate valid
states). This requires the two bits Sig [0] and Sig [2] to transit
simultaneously. Both these transition occurs very close to the
destination sampling clock edge (see Fig 6). By virtue of meta-
stability, transition on Sig [2] gets captured correctly and the
transition on Sig [0] is missed. In this way, in the first cycle of the
destination clock, the system moves to state "100" which is invalid.
This case would not have happened, if changing the states of the
design requires changing only a single bit of the vector (Sig in this
case). In case of a single bit transition, either that transition would be
captured in the destination domain or not. This way the design either
stays in the previous state or move to a valid state. Therefore, for
vector control signals (multi-bit signals, such as address buses), the
usual solution is to use a Gray code when crossing a clock domain
boundary. A Gray code ensures that only a single bit changes as the
bus counts up or down. The presence of gray coding on vector control
signal can be checked by using assertions. For more information, see
the section "Gray Code Encoding for Vector Control Signals".
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 8 of 35
For
many
open-
ended
data-
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 9 of 35
User-
defined
Synchronizers
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 10 of 35
CDC
Analysis
Following are
the basic steps
for CDC analysis
and checking
(irrespective of
toolset
implementation):
The most important task of any CDC structural analyzer is to find out
all the signals (CDC) that cross clock boundaries. In Leda, rule
NTL_CDC01 (For more information, see the section "CDC Ruleset" in
chapter 2.) reports all the un-synchronized CDC paths. However a CDC
path may be synchronized in the destination clock domain. Thus,
identification of synchronization schemes is very important to avoid
reporting false CDC reports. Automatic detection of synchronizers is
very tough and may depend on the underlying design principle.
Therefore, sometime, the designer needs to provide additional
information for the underlying synchronization schemes.
Once extraction of information for all the CDC paths (synchronized and
un-synchronized) is over, you need to see whether there are structural
defects before and after the synchronizers.
Many design teams choose a few synchronizer styles, apply them to all
signals crossing clock domains and enforce their usage by design style
rules and design reviews. Although proper synchronizers are essential
for multi-clock designs, they are insufficient to avoid all possible
problems regarding signals crossing clock domains. Considerable extra
care must be taken in the design process to avoid these problems.
Some of the structural problems that may cause functional errors in
multi-clock based systems are as follows.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 11 of 35
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 12 of 35
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 13 of 35
Therefore, even when meta-stability does not occur, any pair of bits
can get out of synchronization if routing differences and electrical
effects cause the two bits to have different delays before reaching
their respective synchronizers. It is possible for one synchronizer to
sample its input and capture a signal change before the other
synchronizer captures the change, at which point the two copies of the
signal will be skewed by a cycle and no longer correlated.
Leda has six rules that check all the above structural checks for CDC
signals. The purpose of these rules is to provide the following
information. Detailed description of all the Leda structural checks is
provided in chapter 2.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 14 of 35
Flip-flop Synchronizer
MUX Synchronizer
Handshake Synchronizer
FIFO Synchronizer
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 15 of 35
These two checks are mandatory to ensure valid operation in real life.
The AEP (automatically extracted properties) engine of Leda generates
and binds assertions that check correct functionality of the
synchronizers and validates correct use of the synchronizers by its
environment. To identify the synchronizers, the AEP engine uses the
Leda structural analyzer. In the following paragraphs, you will
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 16 of 35
Flip-flop Synchronizers
Description
The FF synchronizers (shown in Fig 16) form the basic building block
for most of the existing synchronization circuits. A simple FF
synchronizer consists of m (> 1) FF modeled as a shift register running
on the 'destination clock'. Once the presence of a FF synchronizer
having m stages is detected, the following property is generated to
ensure that the device functions correctly in presence of this
synchronizer.
Input data values must be stable for m+1 destination clock edges.
Implementation
Example SVA codes for the above properties are given as follows. This
assertion verifies the stability of din as observed in the destination
clock domain. Signal rst is the reset signal (if any, with the appropriate
polarity) extracted from the synchronizer FF, din is the single bit input
to the first FF of the synchronizer.
property p_stability;
disable iff (rst)
@(<appropriate_edge> dclk)
!$stable (din) |=> $stable
(din)[*m] );
endproperty
A_p_stability: assert property (p_stability);
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 17 of 35
MUX Synchronizers
Description
Designs typically have both control and data paths. As shown in the
following figure (Fig 17), the control paths are usually flop-
synchronized while the synced-in control signals are used to
synchronize the data paths. Here, these data paths use a controlled
synchronizer MUX for crossing clock domains. These control MUXs are
sometimes called D-MUX, MUX synchronizer, or sync MUX.
Implementation
Stability of Data
property p_data_stable;
disable iff (drst)
@(<appropriate edge> dclk)
((dready) |=> ($stable (data) ||
(!dready));
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 18 of 35
endproperty
A_p_data_stable: assert property (p_data_stable);
Description
Implementation
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 19 of 35
Similar properties for the destination clock domain (dclk) are given as
follows.
- The receiver should continue to assert the dack signal till dreq is
asserted at the destination clock (dclk) domain.
- The receiver should not assert a new acknowledgement (dack), until
a new request is received in the destination clock (dclk) domain.
A SVA property that covers the above two checks is given as follows.
property dest_conformance (clk, rst, ssig, dsig);
disable iff (rst)
@(<appropriate edge> clk)
ssig |=>dsig;
endproperty
A_dest_conformance_req: assert property (dest_conformance (dclk, drst,
dreq, dack));
A_dest_conformance_new_req:
assert property (dest_conformance (dclk, drst, !dreq, !dack));
3. Data stability
- The receiver should continue to receive stable data till it asserts the
acknowledgment.
The following SVA property implements the above two scenarios.
property data_stability (clk, rst, dreq, dack, data);
disable iff (rst)
@(<appropriate edge> clk) (dreq && !dack) => $stable (data);
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 20 of 35
endproperty
A_data_stability_dest:
assert property (dest_stability (dclk, drst, dreq, dack, data));
Description
Implementation
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 21 of 35
rdata value against the local data variable whenever the corresponding
read occurs. The first_match is required in p_data_integrity to ensure
the property checks rdata on the first occurrence of a read with the
corresponding cnt, otherwise it waits for ever for a rdata match at the
rcnt value. You should create a module M, which contains the
assertions. It is then bound to the nearest top-level module instance
containing the FIFO code.
property p_data_integrity
int cnt; logic [$bits (wdata)-1:0] data;
(rdata == data));
endproperty : p_data_integrity
Description
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 22 of 35
Once such multi-bit signals are identified, the purpose of the function
checks is to verify that state changes on the source side before
entering the bit synchronizers follow the Gray code.
Implementation
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 23 of 35
In the following section, you will read how Leda generates these
assertions and how to use these assertions for verification.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 24 of 35
The section "CDC Tcl Interface" provides details of the current CDC Tcl
interface. Additionally, each of the CDC assertion specific rules
NTL_CDC14 - NTL_CDC16 also provides signal specific information
about the CDC synchronizers. An example is provided in the section
"CDC Analysis".
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 25 of 35
i_<RULE_LABEL>_<INSTANCE_NUMBER>
The generated assertions can be verified on the design using (1) VCS
(simulation based verification) or (2) Magellan (formal verification). To
simplify building of the assertions, a file (named leda_prop_file.lst)
containing the list of automatically generated files is created. As a
result, you only need to attach file 'leda_prop_file.lst' to the associated
checker tool.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 26 of 35
for generating the assertions. The assertions and the associated files
are created by default.
Failure Debugging
In case of any CDC assertion violations for a design, you need to use
the debugging aids of the associated checker (VCS/Magellan) for
finding the root cause of the failure.
Some of the CDC rules can identify certain situations and generate
properties for dynamic and formal verification. Different rules
generating properties are written in the same SystemVerilog file
LEDA_<top>_properties.sv. You can control the number of properties
generated by the CDC rules using the following command:
Syntax
Syntax
Assertion Library
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 27 of 35
The following assertion is generated for the condition that data signals
must be stable while the control signal is asserted (from source of
control path asserted until target of control path deasserted):
bind top aep_assert_data_stable #( 2, "Error : CDC data signal S must
be stable while control signal is asserted") CDC06_test_v_40 (ck2, rst,
DataIn, CtrlSource, CtrlTarget);
Grey Coding
The following assertion is generated by the rule that checks if two or more signals
are gray coded (for example, multi-bit control signals).
bind top aep_assert_gray_coding #( BitWidth, "Error : multibit control
signals must be gray coded") CDC08_test_v_40 (ck1, rst, CtrlSig );
Another form of correlation loss can occur when a signal has fan-outs
into multiple synchronizers. The two branches of the signal can have
different delays; the electrical and routing effects can also cause
different delays in the clocks going to the two synchronizers.
Therefore, if the two synchronizers sample their inputs at different
times then the two copies of the signal can be skewed by a cycle and
no longer correlated.
To prevent these correlation loss scenarios, Leda has two CDC rules
that confirm that there is no "re-convergence of synchronized signals"
in the design.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 28 of 35
Examples:
For CDC05 rule, two one bit signals are synchronized by two 2-FF
synchronizers in two different target domains (CLK2 and CLK3), thus
forms two different CDC elements. After the synchronization is done,
these two signals converge in an AND gate.
For CDC07 rule, a single bit signal has fan-outs two 2-FF
synchronizers. After the synchronization is done (in the single target
domain CLK2 thus forming a single CDC element), these two signals
converge in an AND gate. The HDL codes and related CDC error
messages are given as follows.
For more information about these rules, see the chapter "Clock
Domain Crossing Rules".
set_cdc_ignored_path
Syntax
Although -from and -to are optional, at least one of the options must
be used. If you don't specify any one of the options, then it's value is
considered as 'any'. For example:
For the above command, any CDC path from top.rst will be ignored.
set_cdc_synchronizer
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 29 of 35
Syntax
For all the specified synchronizers, the parameters are a list of strings
that specify some values. The following table lists the parameters that
are applicable for various synchronizers.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 30 of 35
set_cdc_group
The CDC inference engine first uses the information from the
set_cdc_group command. If this information is incomplete, then it tries
to automatically complete it. When the command set_cdc_group
contains only the -paths directive and no -synchronizer information,
then the synchronizer is recognized automatically. Similarly, if you
provide only the synchronizer type information, then the parameters
(specially for fifo and handshake) is computed automatically.
Syntax
set_cdc_input_delay
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 31 of 35
Syntax
You can instantiate this module in a design and specify a new clock,
say "clk1" that controls the pin in_data. To avoid debugging the whole
design and to just focus on this synchronizer module, you need to
specify the set_cdc_input_delay command in the leda_clock_file.tcl as
follows:
set_cdc_input_delay -clock clk1 -delay_value 1 -pin_port_list
{SYNCHRONIZED_MODULE.in_data}
set_cdc_output_delay
create_cdc_clock
Use the command to specify a given pin of the cell as a clock pin of a
hard IP cell.
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 32 of 35
Example
You can specify hard IP blocks and provide information about the
relation between clocks and data ports of the block. A cell which is
instantiated from a library and does not contain any statement (only
port definition) is considered a hard IP cell. In such case, for efficient
CDC checking, you can specify the relationship between data pins and
clock pins.
The command to specify a given pin of the cell as a clock pin of a hard
IP cell is as follows:
create_cdc_clock -name clock_name source_objects
For example, the previous illustration shows a hard IP block with two
clocks, two input ports, and two output ports:
Here the connection from O1 to the D input of the third flip-flop has a
CDC issue that could be detected if you provide the following relations:
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 33 of 35
If the cell has only one clock, all the pins will be considered to be
controlled by this clock. The clock will be detected automatically by the
clock inference if it is connected to other clock signals in the design.
extract_cdc_info
Use the extract_cdc_info command to run the CDC inference within the
Tcl shell mode in order to refine the different parameters for this
inference.
Syntax
extract_cdc_info
You need to execute this command only after elaboration. You can
then use the report_cdc_info command to visualize the inferred CDC
elements. You may execute this command many times, but it is
important to run the clear_cdc_info command before any call.
report_cdc_info
Syntax
This command reports all the CDC elements set using the command
set_cdc_group syntax. This allows you to visualize the inferred
information.
When you redirect the output of this command to a file, the console
does not display any information.
You can customize and source this file from the tcl_shell or the
design_config file to have a clean CDC inference.
clear_cdc_info
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 34 of 35
Syntax
clear_cdc_info
In the Tcl shell mode, you may be interested to try several parameters
until you get the correct CDC inference. In order to do this
incrementally, you can call the clear_cdc_info command to reset
everything and start the inference with new parameters.
set_cdc_parameter
Syntax
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018
1 Clock Domain Crossing Page 35 of 35
https://filebox.ece.vt.edu/~athanas/4514/ledadoc/html/pol_cdc.html 10/13/2018