Dynamic CDC Verification Methodology with Enhanced Synchronizer Jitter Modeling
Presented by Youngchan Lee, of Samsung Electronics
Case Study Overview
Youngchan Lee of Samsung Electronics presented at DAC 2022 on their Dynamic CDC verification methodology. Samsung successfully proved that additional functional errors associated with metastability can be precisely identified with design-aware dynamic CDC models, in comparison with the more conventional data-transition based models, or simulation alone.
Below are highlights of what he presented. Real Intent Meridian CDC Simportal’s automated dynamic CDC models were deployed during function verification.
Functional Verification Must Account for CDC Metastability
Metastability on clock domain crossing paths can lead to unpredictable delays and results.
The result of metastability may be that it cannot be determined whether the value of the metastable flop will be 0 or 1.
Clock domain crossing metastability
Correlation loss because of reconvergence in CDC
Designers add synchronizers to ensure sure metastability does not cause design errors. However, with synchronizers, correlation loss can happen when the signals reconverge — reconvergence issues can also cause functional failures.
While structural CDC analysis reports issues such as reconvergence, along with where the issues can cause design problems due to correlation loss, to understand whether or not there will actually be functional issues or not, designers must need to run dynamic CDC verification during simulation.
Structural CDC analysis alone is insufficient to determine:
- Functional impact of reconvergences at the fanout point.
- Synchronization correctness under metastability stress
- Signal skews problems on synchronizer paths
Thus, a more robust methodology is necessary to avoid such silicon failures and achieve complete CDC sign-off.
Dynamic CDC Models Inject Metastability into Functional Verification
Designers typically try to address these problems related to using synchronizers for metastability by supplementing structural CDC analysis by creating in-house dynamic CDC models of synchronizers for use during simulation.
The models inject metastability, so that the designers can check for any functional errors that may result.
Conventional in-house dynamic CDC model for injecting metastability during simulation
In-house dynamic CDC models not linked to CDC structural analysis
Unfortunately, these conventional, in-house dynamic CDC Models are only data-transition-based – they are unaware of relevant design context, such as the difference between synchronous and asynchronous transitions.
This missing link between structural static sign-off and functional verification results in missed issues and noise from false metastability injections.
Some examples of potential issues with traditional in-house dynamic CDC models include:
- Incorrectly injecting metastability even when only synchronous drivers changed.
- Incorrectly injecting metastability even when the pulse is wide enough.
- Failing to catch metastability due to short-pulses or combinational logic-related glitches.
- Inadequate handling of clock-gating, such as not checking whether or not clock-gating has been disabled.
Conventional in-house dynamic CDC models have inaccuracies
Because the conventional models are not fully aware of all the CDC aspects, running simulation can create unnecessary noise, as they may falsely inject metastability that cannot exist in the real silicon.
Using Automatically-Generated Design-Aware Dynamic CDC Models
Samsung’s goal was to avoid the missed metastability issues and noise associated with conventional data-transition-based dynamic CDC models — by ensuring there was a link between structural CDC analysis and dynamic CDC verification during simulation.
To achieve this, Samsung enhanced its dynamic CDC verification methodology to incorporate Real Intent’s Meridian CDC Simportal’s design-aware dynamic CDC models.
Meridian CDC Simportal automatically generates these models in a Verilog file following structural CDC analysis on the RTL – thus the models have relevant design context knowledge, such as:
The surrounding conditions when the path is triggered (e.g., the paths driving the synchronizer)
- When the path is enabled
- Whether or not there is clock gating
- Pulse width
- The path’s FIFO
- Which paths have data
Design-Aware Dynamic CDC Verification Using Meridian CDC
Design-aware models precisely inject metastability
By plugging in these design-aware dynamic CDC models, Samsung can precisely target specific metastability issues, Accurate measurement of simulation coverage of asynchronous crossings, catch real design errors and assess coverage for further debug.
Further, the models reduce noise by only injecting metastability when it can occur in silicon.
Samsung provided an example of how the design-aware dynamic CDC models injected metastability only when the asynchronous path caused a transition.
Cases Comparing Design-Aware vs. Data-Transition Based Dynamic CDC Models
The three cases below compare how the two model types each perform during dynamic CDC verification.
Case 1
Clock Edge Rise/Fall
Design-aware model – Correctly identifies that the synchronizer can go metastable when there is a pulse, and the clock edge rises and/or falls.
Data-transition-based model – Correctly identifies this metastability.
Case 2
Short Pulse/Glitch
Design-aware model — Will detect that a short pulse can cause a glitch based on specific design conditions. The model’s logic can detect changes that happen between the clock edges, has a glitch model embedded in the Verilog file, and so it can detect a glitch is going to happen and then inject metastability.
Data-transition-based model – May completely miss a metastability issue associated with a short pulse. Since it’s just checking the signal change based on the clock cycle, and is not aware of the design, it will miss a very short signal change between the clock pulses and not inject metastability.
Case 3
Combinatorial Glitch
Design-aware model – Can detect a very short combinational glitch that can occur and then inject metastability accordingly. This is because it is aware of design logic and has an embedded glitch model, it’s aware of the driving conditions, the logic between the synchronizer drivers, and the first flop of the synchronizer.
Data-transition-based model – May completely miss the issue and not inject metastability.
Samsung’s Methodology Combines Static CDC & Dynamic CDC Flows
Samsung’s new methodology links CDC structural static sign-off and functional verification to ensure Samsung doesn’t miss any metastability issues that impact functionality.
The verification process is as follows:
Step 1.
Run conventional simulation without any dynamic CDC models. The goal here is to ensure the simulation regressions are clean without any metastability effects.
In parallel with this simulation, they run structural CDC static sign-off with Meridian CDC. And generate design-aware Dynamic CDC model from Meridian CDC Simportal.
Step 2.
Once they have a clean simulation, Samsung runs simulations using the design-aware dynamic CDC models to inject metastability to verify that their design works correctly under the stress of metastability. (“metastability-aware simulation”)
Step 3.
Samsung generates a ‘metastability-injection coverage report.’
When the dynamic CDC models are plugged into simulation, they generate a coverage report that Samsung uses to ensure that their design is working correctly under the stress of metastability.
The ‘metastability-injection coverage report’ shows:
- What synchronizers were triggered?
- What synchronizations were changed?
- Did the injections cause a functional problem?
- For which synchronizers was metastability injected?
Samsung wants its test suite or regression to ensure that all the synchronizes are injected with metastability. They may need to add more test cases to ensure the coverage is good enough for sign-off. They may add more test benches if needed to inject more metastability and/or change the random seeds for specific synchronizers.
Bugs Revealed during Case Study Experiments
Below are selected bugs that Samsung revealed when running their experiments for this case study.
Bug 1
Malfunction due to misaligned pulse
Simulation only: Design appears to work correctly.
Simulation with design-aware metastability models: Read operation failure is observed. Simulation shows that when a short pulse is generated, the write operation does not happen correctly – the data was not written on the memory. Later, the read operation fails due to misaligned paths caused by metastability.
Bug 2
Combinational glitches captured on RX-side
Simulation only: Design appears to work correctly.
Simulation with design-aware metastability models: Captured and propagated the combinatorial glitch, showing a finite state machine error.
Bug 3
Unexpected short pulses detected
Simulation only: Design appears to work correctly.
Simulation with design-aware metastability models: A very fast clock was transmitting, and a slow clock was receiving. The short pulse was detected, metastability was injected and functional failures were identified.
Conclusion
By doing metastability-aware simulation using dynamic CDC models and injecting metastability will reveal design errors detected that pure functional simulation does not reveal.
Samsung further enhanced its dynamic CDC verification methodology by replacing its conventional, data-transition-based models, with design-aware model. The new approach links static sign-off and functional verification by leveraging static CDC analysis, such as glitches, reconverging paths, and short-pulses, to reveal new bug cases.
Doing so requires no additional effort and offers a seamless flow from static CDC sign-off to dynamic CDC verification. This is because the new models were automatically generated from the static sign-off database.
Finally, the injection statistics can be managed internally for coverage metrics.