This invention relates to design verification of digital electronic systems, and more particularly to timing verifiers.
Large electronic systems can be integrated onto a single silicon substrate using advanced semiconductor manufacturing processes. A wide variety of design tools are available to help designers capture and verify these designs before committing to manufacture of prototypes. These design tools have enabled designers to build larger and larger electronic systems with about the same design effort.
Verification of larger designs can be challenging. Large chips such as System-On-a-Chip (SOC) may have several major sub-system blocks, such as core logic, state machines, memories, processor cores, graphics engines, etc. Some of these large blocks may have been designed earlier by other design teams or even by other companies and can differ in details such as clock rates. This can pose challenges when signals from one block cross over to another block that operates at a different clock rate.
FIG. 1 highlights functional blocks that operate at different clock rates in a large design. Memory controller 10 receives and processes requests from other blocks, such as from graphics controller 12, for access of one or more memories. Memory controller 10 receives a 500 MHz clock CLK1, which is used to clock the various state machines, data paths, and control signals in memory controller 10.
Graphics controller 12 may need to operate at a different clock rate than memory controller 10. For example, graphics controller 12 may drive pixels to a display at a fixed rate determined by the display device and the graphics mode and resolution selected. In this example, graphics controller 12 receives a 1.2 GHz clock CLK2, which is divided down to produce pixel clocks, line clocks, horizontal and vertical refresh sync signals, etc.
Memory controller 10 is said to be in the CLK1 domain, while graphics controller 12 is in the CLK2 domain. Signals such as SIG_A_CK1 that pass from memory controller 10 to graphics controller 12 are clock-domain-crossing signals. Special care must be taken for these domain-crossing signals to ensure that they are re-synchronized to the new clock domain. Metastability and system failures could occur if these domain-crossing signals are not properly re-synchronized.
FIG. 2 shows a signal from one clock domain being re-synchronized to a new clock domain. One technique to re-synchronize domain-crossing signals is known as “double flopping”. The domain-crossing signal SIG_A_CK1 is generated by combinatorial logic 20 from a signal driven by flip-flop 14. Since flip-flop 14 is clocked by CLK1, SIG_A_CK1 is in the CLK1 domain and synchronized to CLK1.
When SIG_A_CK1 crosses into the CLK2 domain, it first passes through a pair of flip-flops 16, 18 that are each clocked by CLK2. An entire CLK2 cycle period is available for the intermediate signal SIG_A_SY to settle from any metastability of first flip-flop 16 caused by SIG_A_CK1 being asynchronous to CLK2. The output SIG_A_CK2 of second flip-flop 18 is more likely to be stable than the intermediate signal SIG_A_SY output by first flip-flop 16, since the intermediate signal is not sampled until one CLK2 period after the CLK1 domain signal was sampled by first flip-flop 16.
Similar double-flopping synchronizers can be placed on each signal crossing from one clock domain to another. This can greatly reduce metastability problems. However, other problems can still occur with domain-crossing signals.
FIG. 3 highlights a logic hazard caused by logic that combines re-synchronized clock-domain-crossing signals. Timing hazards can occur when domain-crossing signals are combined after synchronization. Such problems occur when the domain-crossing signals are sampled in different clock periods of the new clock. Although the synchronized domain-crossing signals are not metastable, they may become valid in different clock periods, depending on whether the domain-crossing signal was sampled by the first flip-flop of the synchronizer before or after a clock edge occurs.
Two signals, SIG_A_CK1 and SIG_B_CK1, are generated in the CLK1 domain. SIG_A_CK1 is generated by combinatorial logic 20 from the output of flip-flop 14, which is clocked by CLK1. SIG_B_CK1 is generated by combinatorial logic 22 from the output of flip-flop 24, which is also clocked by CLK1. However, combinatorial logic 22 may have a larger delay than combinatorial logic 20, causing SIG_B_CK1 to be generated with a larger delay from the CLK1 edge than SIG_A_CK1.
The larger delay of combinatorial logic 22 may cause SIG_B_CK1 to arrive at the D-input to flip-flop 26 after the next CLK2 edge, while the shorter delay of combinatorial logic 20 may allow SIG_A_CK1 to arrive at the D-input to flip-flop 16 before the next CLK2 edge. Thus there is an extra CLK2 period of synchronizing delay for SIG_B_CK1 than for SIG_A_CK1.
SIG_A_CK1 is delayed by one CLK2 period and synchronized by flip-flops 16, 18, producing SIG_A_CK2. SIG_B_CK1 is also delayed by one CLK2 period and synchronized by flip-flops 26, 28, producing SIG_B_CK2. However, SIG_B_CK2 can be one CLK2 clock period behind SIG_A_CK2, or theses signals can be generated at the same time, when the delays of combinatorial logic 20, 22 are more closely matched, or the delay to the next CLK2 edge is longer.
The exact relative timing of SIG_A_CK1 and SIG_B_CK1 is thus uncertain early in the design cycle. The delays are dependent on final wiring line lengths and other parameters that may not be known until the design is routed or even manufactured.
The re-synchronized signals SIG_A_CK2 and SIG_B_CK2 are combined within the CLK2 domain by AND gate 32 and OR gate 34. Gates 32, 34 produce inputs to state machine 30, which is clocked by CLK2 or a derivative. State machine 30 may advance to state 2 when AND gate 32 drives NS2 high, but advance to a different state 3 when OR gate 34 drives NS3 high.
FIG. 4A is a timing diagram illustrating a state machine entering an expected state in response to re-synchronized domain-crossing signals. Signals SIG_A_CK1 and SIG_B_CK1 are generated from the same (first) CLK1 rising edge in the waveform. SIG_B_CK1 is generated with a larger delay than SIG_A_CK1, perhaps due to longer delays in combinatorial logic after the CLK1 flip-flop, due to longer lines, or due to higher-capacitance loads.
Both SIG_A_CK1 and SIG_B_CK1 arrive sufficiently before the next CLK2 rising edge so that they meet the set-up time requirement and change the state of the first flip-flops in each synchronizer. Thus both SIG_A_SY and SIG_B_SY go high after the rising CLK2 edge. The outputs SIG_A_CK2 and SIG_B_CK2 of the second flip-flops in each synchronizer go high on the following CLK2 rising edge, at the second dotted vertical line from the left in the figure.
The state machine in the CLK2 domain combines the re-synchronized signals SIG_A_CK2 and SIG_B_CK2 to determine what state to enter next. Since both SIG_A_CK2 and SIG_B_CK2 are high at the third CLK2 rising edge (right-most dotted vertical line), the state machine enters state 2. This is the desired or expected state.
FIG. 4B is a timing diagram illustrating a state machine entering an un-expected state in response to varying delays of re-synchronized domain-crossing signals. Signal A is synchronized as shown for FIG. 4A. However, signal B is delayed further and misses the CLK2 rising edge.
The delay for generating SIG_B_CK1 is slightly longer than in FIG. 4A. SIG_B_CK1 is still low when the CLK2 rising edge occurs that samples SIG_A_CK1 high (leftmost dotted vertical line). SIG_B_SY remains low for another CLK2 period. SIG_B_CK1 is finally sampled high on the next CLK2 rising edge, at the middle dotted vertical line. Then SIG_B_SY goes high, one CLK2 period later than in FIG. 4A. SIG_B_CK2 finally goes high another CLK2 period later, at the left-most dotted vertical line.
At the left-most dotted line, the state machine examines the re-synchronized signals SIG_A_CK2 and SIG_B_CK2 to determine what state to enter next. Rather than both SIG_A_CK2 and SIG_B_CK2 being high, only SIG_A_CK2 is high. SIG_B_CK2 is still low, since SIG_B_CK1 missed being clocked by the second CLK2 rising edge at the left-most dotted line in the figure.
The SIG_A_CK2 and SIG_B_CK2 signals are sampled highlow, causing the AND gate (NS2) to be low and the OR gate (NS3) to be high. The state machine then enters state 3 rather than the expected state 2. The wrong state is entered due to the slight shift in the SIG_B_CK1 signal, causing it to miss being sampled by the same CLK2 edge as SIG_A_CK1.
The state machine entering state 3 may be un-expected and even un-desired. The designer may expect that both SIG_A_CK2 and SIG_B_CK2 go high at the same time, rather than one CLK2 period later. The designer can redesign the state machine to account for this behavior if he is aware of the hazard. Unfortunately, the designer may not be aware of this timing hazard, since the designer may not have designed the blocks in the CLK1 domain.
In this simple example of two high-going signals, there are four possible combinations of the re-synchronized A and B signals:
1.) SIG_A_CK1 and SIG_B_CK1 both arrive before the CLK2 edge. Then SIG_A_CK2 and SIG_B_CK2 are both sampled high (11).
2.) SIG_A_CK1 arrives before CLK2 but SIG_B_CK1 arrives after the CLK2 edge. Then SIG_A_CK2 is sampled high but SIG_B_CK2 is sampled low (10).
3.) SIG_A_CK1 and SIG_B_CK1 both arrive after the CLK2 edge. Then SIG_A_CK2 and SIG_B_CK2 are both sampled low (00).
4.) SIG_A_CK1 arrives after the CLK2 edge but SIG_B_CK1 arrives before the CLK2 edge. Then SIG_A_CK2 is sampled low but SIG_B_CK2 is sampled high (01).
Many other combinations of signals and relative timings can occur on a large design. Keeping track of these many possible logic hazards is difficult and tedious. Early in the design cycle the exact delays may not be known. Failures may not be observed during early simulation with idealized delays, but may appear later when better delay models using wiring-trace lengths and output loads are added. By then it may be difficult to change the design to prevent the hazard.
Even once better R-C delay models are used for simulation, the synchronizing hazards may still appear in the future, such as when a design is moved to a new manufacturing process or when the clock frequencies used are changed. Oftentimes successful chips are updated to newer processes or use with faster clocks than was originally intended or simulated.
A more automated approach to discovering where these re-synchronizing hazards occur and what can happen to the down-stream logic is desirable. A logic verifier that can better simulate such logic hazards that can occur with clock-domain-crossing signals is desired.