
1 Formal Verification of Clock Domain Crossing Using Gate-level Models of Metastable Flip-Flops. Ghaith Tarawneh, Andrey Mokhov and Alex Yakovlev, Newcastle University, UK. 17th March 2016

2 Talk Outline
• Clock Domain Crossing (CDC) Refresher
• State-of-the-Art CDC Verification and its Limitations
• Proposed CDC Verification Methodology
• Testbench Verification Results

3 What is CDC?
• Clock Domain Crossing (CDC) takes place when a signal is generated in one clock domain and latched in another.

4 Why is it problematic?
1. Incoming asynchronous transitions may violate the setup/hold time conditions of destination (receiver) flip-flops, leading to metastability.

5 Why is it problematic?

6

7

8

9 2. Non-deterministic crossing latencies: transitions that are simultaneous at the sender’s end may arrive in different receiver clock cycles.

10 Why is it problematic?
3. Transitions propagating through crossover combinational logic may cause temporary glitches to appear at the inputs of their destination flip-flops.

11 Why is it problematic?
• These problematic analogue phenomena may cause:
 1. Irrecoverable state transitions
 2. Data corruption
• But they are invisible in digital simulation … and so can escape conventional (digital) testbench and formal verification, yet manifest in silicon!

12 Talk Outline
• Clock Domain Crossing (CDC) Refresher
• State-of-the-Art CDC Verification and its Limitations
• Proposed CDC Verification Methodology
• Testbench Verification Results

13 Commercial CDC Verification Tools
• Most commercial tools are linters for safe CDC design rules of thumb, e.g.:
 RULE1: use synchronizers to latch control signals
 RULE2: avoid implementing combinational logic in crossover paths (with exceptions)
 RULE3: don’t synchronize data signals (with exceptions)
• These rules are heuristics based on theoretical understanding of CDC issues – they guarantee that CDC failures don’t happen.

14 Commercial CDC Verification Tools

15 Limitations
State-of-the-art commercial tools are reliable at spotting CDC errors but …
1. generate a considerable number of false positive warnings (reported figures from commercial SoCs: 100k CDC warnings, out of which 90% were false positives*)
2. require the designer to specify how interface logic is supposed to behave and where exceptions to CDC rules must be made
3. are restricted to verifying stereotypical synchronization schemes and design patterns
4. cannot demonstrate the mechanics or consequences of failures
* Lee Y, Kim N, Kim JB, Min B. “Millions to thousands issues through knowledge based SoC CDC Verification.” In: SoC Design Conference (ISOCC), 2012 International, 4 Nov 2012, pp. 391–394. IEEE.

16 Talk Outline
• Clock Domain Crossing (CDC) Refresher
• State-of-the-Art CDC Verification and its Limitations
• Proposed CDC Verification Methodology
• Testbench Verification Results

17 Proposed CDC Verification Methodology
Structural and functional rule-checking is really just a work-around solution. We propose to address the fundamental challenge at the heart of CDC verification …

18 The (Real) Main Challenge of CDC Verification
“making metastability and other problematic CDC phenomena observable in digital simulation”
No structural or functional heuristics to find out when unobservable problems may occur: just make problems visible in simulation.

19 Proposed Verification Methodology
• We developed a tool to apply this verification methodology. The basic idea:

20 How does the tool work?
1. Flip-flops are replaced with model cells that can simulate (1) setup/hold time violations, (2) non-deterministic inputs/outputs and (3) prolonged clk-to-q delays.
Ports:
 D and Q are the data input/output pins (same as regular flip-flops)
 V (input) indicates when the setup/hold time conditions are violated
 M (output) indicates when the flip-flop is metastable
 T (output) indicates when the output transitions
 V, M and T use “active-x encoding” (x is active, 0 or 1 is inactive)

21 How does the tool work? 2. Combinational path duplicates are added to simulate logical masking and the transfer of timing violations between model flip-flops.


28 Talk Outline
• Clock Domain Crossing (CDC) Refresher
• State-of-the-Art CDC Verification and its Limitations
• Proposed CDC Verification Methodology
• Testbench Verification Results

29 Formal Verification Flow

30 Test Circuit
• We used the following sender-receiver circuit as a test run.

31 Test Circuit - Verification Results

Synchroniser(s) | Assertion              | Source Netlist
None            | as_correct_transfer    | ✓
                | as_sender_handshake    | ✓
                | as_no_blocked_transfer | ✓
Sender Only     | as_correct_transfer    | ✓
                | as_sender_handshake    | ✓
                | as_no_blocked_transfer | ✓
Receiver Only   | as_correct_transfer    | ✓
                | as_sender_handshake    | ✓
                | as_no_blocked_transfer | ✓
Both            | as_correct_transfer    | ✓
                | as_sender_handshake    | ✓
                | as_no_blocked_transfer | ✓

✓ = assertion received pass status (no counter-examples found)

32 Test Circuit - Verification Results

Synchroniser(s) | Assertion              | Source Netlist | Augmented Netlist
None            | as_correct_transfer    | ✓              | -
                | as_sender_handshake    | ✓              | -
                | as_no_blocked_transfer | ✓              | -
Sender Only     | as_correct_transfer    | ✓              | -
                | as_sender_handshake    | ✓              | ✓
                | as_no_blocked_transfer | ✓              | -
Receiver Only   | as_correct_transfer    | ✓              | -
                | as_sender_handshake    | ✓              | -
                | as_no_blocked_transfer | ✓              | -
Both            | as_correct_transfer    | ✓              | ✓
                | as_sender_handshake    | ✓              | ✓
                | as_no_blocked_transfer | ✓              | ✓

✓ = assertion received pass status (no counter-examples found)
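To make the mechanics behind slides 20, 21 and 31/32 concrete, here is a small three-valued (0/1/x) cycle simulator written for this transcript; it is an added example, not the authors' tool. It models the flip-flop model cell with its D, Q, V, M and T ports and active-x encoding, the duplicated combinational path that carries a sender flop's T to a receiver flop's V unless a controlling 0 masks it, and the comparison of a plain ("source") netlist against the augmented one under a correct-transfer assertion. Everything beyond the slide text is an assumption: a violated setup/hold window makes Q and M x for one cycle, metastability resolves to 0 or 1 before the next receiver edge (so a second synchronizer stage sees a stable but unknown input), the receiver edge is placed exactly on the sender transition, and the helper names (`crossing`, `as_stable_output`, `mask`, `sync_stages`) are my own.

```python
# Added example (not the authors' tool): three-valued cycle simulation of the
# model flip-flop cell and the crossover path duplicate, used to compare a
# source netlist against an augmented one. Assumptions are marked below.

X = "x"  # unknown / metastable value; 0 and 1 are the concrete values


def resolve(vec):
    """Every concrete bit-vector that a vector containing x may settle to."""
    words = [()]
    for bit in vec:
        choices = (0, 1) if bit == X else (bit,)
        words = [w + (c,) for w in words for c in choices]
    return set(words)


def g_and(a, b):
    """3-valued AND gate: a controlling 0 on either input masks an x on the other."""
    if a == 0 or b == 0:
        return 0
    if a == 1 and b == 1:
        return 1
    return X


class ModelFF:
    """Flip-flop model cell. V (input): setup/hold violated, x = yes.
    M (output): metastable, x = yes. T (output): Q may have toggled, x = yes."""

    def __init__(self, q=0):
        self.q, self.m, self.t = q, 0, 0

    def clock(self, d, v=0):
        prev = self.q
        if v == X:             # assumption: an edge in the setup/hold window -> Q, M = x
            self.q, self.m = X, X
        else:                  # clean capture; d itself may be an unresolved x
            self.q, self.m = d, 0
        self.t = 0 if (prev == self.q and prev != X) else X
        return self.q


def crossing(old, new, augmented=True, mask=1, sync_stages=1):
    """Send the word `old` -> `new` across a clock boundary with no handshake.
    The receiver edge lands exactly on the sender transition (worst case, an
    assumption). `mask` is a stable sender-side qualifier ANDed into every
    crossover path; `augmented=False` ignores V/M/T like a plain netlist.
    Returns (words the receiver may end up holding, last stage metastable?)."""
    tx = [ModelFF(b) for b in old]
    rx = [[ModelFF(0) for _ in range(sync_stages)] for _ in old]
    for ff, b in zip(tx, new):                 # sender clock edge
        ff.clock(b)
    data = [g_and(ff.q, mask) for ff in tx]    # functional crossover path
    viol = [g_and(ff.t, mask) for ff in tx]    # duplicate path: T -> V, masked alike
    for chain, d, v in zip(rx, data, viol):    # receiver clock edge(s)
        chain[0].clock(d, v if augmented else 0)
        for prev_ff, ff in zip(chain, chain[1:]):
            ff.clock(prev_ff.q)                # assumption: stage 1 has resolved
    received = resolve([chain[-1].q for chain in rx])
    metastable = any(chain[-1].m == X for chain in rx)
    return received, metastable


def as_correct_transfer(old, new, **kw):
    """Assertion: the receiver only ever holds the old or the new word."""
    received, _ = crossing(old, new, **kw)
    return received <= {tuple(old), tuple(new)}


def as_stable_output(old, new, **kw):
    """Hypothetical assertion: no metastable flop drives the receiver logic."""
    return not crossing(old, new, **kw)[1]


if __name__ == "__main__":
    print(as_correct_transfer((0, 1), (1, 0), augmented=False))  # source netlist hides the bug
    print(as_correct_transfer((0, 1), (1, 0)))                   # augmented: both bits x
    print(as_correct_transfer((0, 1), (1, 1)))                   # Gray-coded step: one bit toggles
    print(crossing((0, 1), (1, 0), mask=0))                      # a 0 masks the transition
    print(as_stable_output((0,), (1,), sync_stages=2))           # two-flop synchronizer
```

The source-netlist run passes the binary 01 → 10 transfer because two-valued simulation never produces the intermediate 00/11 words; the augmented run fails it, while the Gray-coded 01 → 11 step passes because only one bit can be x. With `mask=0` the duplicate path delivers no violation and neither receiver flop goes metastable, which is the logical-masking case of slide 21. A two-stage synchronizer makes a single control bit's output stable but does not make the two-bit data transfer correct, which is the point of RULE1 and RULE3 on slide 13.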

33 More Verification Tests …
• We also used the tool to verify a number of multi-clock designs whose functional correctness we knew a priori (from theory).

34 More Verification Tests …

Testbench | Description                                                           | CDC Issue          | Structural Checks | Proposed Tool
1         | Data transfer (4-phase handshaking and synchronizers)                 | (none)             | ✓                 | ✓
2         | Data transfer (4-phase handshaking, no synchronizers)                 | Data Corruption    | -                 | -
3         | Data transfer (no handshaking, data synchronization, Gray coding)     | (none)             | -                 | ✓
4         | Data transfer (no handshaking, data synchronization, non-Gray coding) | Data Corruption    | -                 | -
5         | Data transfer (no handshaking, no synchronization, quasi-stable data) | (none)             | -                 | ✓
6         | Multiplexer in crossover path                                         | (none)             | ✓                 | ✓
7         | Combinational logic in crossover path (glitch-prone)                  | Glitches           | -                 | -
8         | Combinational logic in crossover path (glitch-free)                   | (none)             | -                 | ✓
9         | Two synchronization points                                            | Path Reconvergence | -                 | -
10        | Two synchronization points (not activated simultaneously)             | (none)             | -                 | ✓

False Positives: Structural Checks 4, Proposed Tool 0
False Negatives: Structural Checks 0, Proposed Tool 0

35 What are the benefits?

                                    | Structural/Functional Rule-checking (Conventional)    | Simulating CDC Phenomena (Proposed)
False Positives                     | Many                                                  | Low/none
Designer Input                      | Must specify adopted patterns and rule exceptions     | Zero configuration
Applicability                       | Limited to known design patterns                      | General
Failure mechanisms and consequences | Unknown                                               | Demonstrated in signal waveforms

36 What are the benefits?

37 Conclusion
• Presented a new method to verify multi-clock designs
• The method relies on reproducing CDC faults in digital simulation
• In testing, the method revealed an inherent ability to report many known CDC design issues (e.g. synchronization, non-deterministic latencies, glitches, path convergence, data corruption)
• Offers several advantages on top of state-of-the-art commercial CDC verification (e.g. fewer false positives, zero configuration, applicability to non-stereotypical designs)

38 Thank you There is a live demo of the tool starting NOW (10:00 – 12:00) at the University Booth UB09.4 – come and see the tool at work!

