Many designs have multiple independent clock inputs with different frequency specifications and/or different frequency ranges. In simulation based environments we see regressions run with randomly varying clock phase timing parameters to cover the many possible combinations. A simple Verilog example might look like:

**initial begin**

**clk = 0;**

** forever #(RANDOM_PERIOD/2) clk = !clk;**

**end**

In the formal world we can also specify the clocks as discrete crank based waveforms, using Tcl commands which allow for verification of varying clock ratios and phase relationships.

Figure 1: Clock Waveform Specification in IEV

Unfortunately, both approaches only cover a subset of all possible clock waveforms -- in effect, they represent over-constrained environments (recall Team Verify's prior post on over- constraining). Thus, for the purpose of hunting corner case bugs in the clock synchronization logic we need a more aggressive, "under constrained" approach for the clock waveform specification.

A quick and slick solution is to simply leave the clock pins completely free as randomly toggling inputs. In Incisive Formal or Incisive Enterprise Verifier we can achieve this by omitting the Tcl clock constraints above and adding "clock fairness constraints" instead. Here is a PSL example:

**clk1_toggles: assume always eventually! (rose(clk1));**

**clk2_toggles: assume always eventually! (rose(clk2));**

This will create completely unrelated clock frequency and phase relationships, modeling any possible glitch and hazard scenarios you can imagine. However, since this is an aggressively under constrained environment it might work too well and you may face failures due to extreme, illegal clock waveforms. Still, since this is so easy to setup and run, it is usually an acceptable price for exhaustive scenario coverage in a single formal run.

Surprisingly many counter examples come with pretty regular clock shapes for at least one clock, since it is in the interest of the formal engine to provide a short trace, which requires clocks to toggle.

Figure 2: Screenshot of asynchronous clock waveform using assertion driven simulation

The point is that you can bracket the clock waveform verification with the most conservative and most aggressive approaches. Specifically, we recommend the following 2-staged approach to verify designs with independent, asynchronous clocks:1) Sync: Fixed simple (equivalent) synchronous clocks to flush out all bugs unrelated to clocking issues

2) Async: Unspecified clock waveforms to target bugs related to clock frequency, phase and glitch issues

Note that there are also approaches in between these extremes, which try to keep the clocks within a range using counters and auxiliary logic. But they come with a higher price since complexity is more likely to explode with such clock generating networks. Hence, we do not recommend such methodologies unless they are absolutely required.

Happy clocking!

Joerg Mueller

Solutions Engineer

for Team Verify

On Twitter: http://twitter.com/teamverify, @teamverify

Yes, this approach is creating the basic infrastructure required to stimulate asynchronous input clocks. The next step would be to inject meta-stability effects like variable delays on clock domain crossing paths. This is also possible in IEV using cutpoints and interactive Tcl constraints for example. I'll consider describing this in a subsequent blog

This approach seems not to change the order of the arrival of

signals which cross clock domains in parallel.

e.g.

In good case, the receving clock domain catches the changes

at the same clock edge. In the bad case, at least one event

comes a clock period later.

If we compare the actual state space created by a environment with fully asynchronous clocks and clocks with a defined frequency range (like one edge within [0:20cranks] then we find that the first approach adds 1 state bit, while the second adds a 5bit counter for every clock (counting up to 20). So we can expect that the asynchronous environment is less complex.

We recommend to not use such auxiliary counters (especially in the clock tree) until we absolutely require it.

I think this approach may not really help in large designs because if clocks are also considered as free inputs, the state space becomes really huge and many properties will explore (depending upon complexity of design). A better approach would be to ensure a rising edge on each clock atleast once between say [0:20cycles]