

## Comprehensive and Automated Static Tool Based Strategies for the Detection and Resolution of Reset Domain Crossings

Yossi Mirsky (joseph.mirsky@intel.com) Intel Corporation





- Introduction to Reset Domain Crossings
- Examples of RDC Schemes
- Mitigating and Avoiding RDC Issues
- Setup and Running RDC Static Tools
- Real World Results



# CONFERENCE AND EXHIBITION CONFERENCE AND EXHIBITION CONFERENCE AND EXHIBITION CONFERENCE AND EXHIBITION



- Metastability is a major concern specifically when FF2 has a fanout > 1.
- Metastable state may propagate along fanout and settle to a random (and functionally illegal) combination of "1"s and "0"s.



- Async resets are asserted asynchronously (timing, area, power considerations), but de-asserted synchronously!
- Failure to de-assert synchronously may induce metastability into the receive reset domain if de-assert close to clock edge.

#### DVCONFERENCE AND EXHIBITION CONFERENCE AND EXHIBITION UNITED STATES

- Formerly- chips used a small number of resets.
- Today- designs employ multiple resets (power domains, IPs, SW, FW, etc.)
- Similar to CDCs, design can be divided into reset domains.
- Assertion of rst1 causes async change of value on d2 regardless of clock edge, potentially violating setup & hold.

#### **RDC Conditions**

- clk1, clk2: sync or async.
- rst1 is async

3/1/2022

- rst2 sync or async
- q1 not at reset value ('1').
- rst2 is de-asserted.







- Timing path from rst1 to d2 not considered in static timing analysis.
- Front end design bug, not backend's responsibility.



#### **RDCs cause chip failures which require silicon respins!**

- While CDC checks standard in the industry, little awareness of the critical importance of RDC issues.
- RDC issues incredibly difficult to catch, diagnose or reproduce in the silicon, may only be found by customer.
- Risk grows exponentially as design sizes, complexity and number of resets increases.
- Proper manual reviews of a design practically impossible.
- Simulation x-injection, formal assertions, etc. are neither scalable nor robust.



### **RDC Versus CDC**

### **RDC** similar to CDC.

Async data change transmitted to receive domain.

May violate of setup & hold time and cause metastability.

We relate to each async reset as its own reset domain.

Required to verify all crossings between reset domains.

Past designs had 1 reset/clock domain, checks not needed.

## RDC different than CDC.

RDC issues can occur even in the same clock domain.

Not flagged by standard CDC tools.

FFs can be affected by multiple resets simultaneously.

New categories of constraints and synchronizers to resolve.

CDC checks are already standard.



- Introduction to Reset Domain Crossings
- Examples of RDC Schemes
- Mitigating and Avoiding RDC Issues
- Setup and Running RDC Static Tools
- Real World Results







# DESIGN AND VERIFICATION BOOM BALLED STATES



- Unlike CDCs, FF's can be affected simultaneously by multiple dependent resets/scenarios.
- Reset domain definitions not always clear cut or well defined.
- 100% coverage of such complex schemes cannot be met by simulation or formal approaches; static has advantage.



- Introduction to Reset Domain Crossings
- Examples of RDC Schemes
- Mitigating and Avoiding RDC Issues
- Setup and Running RDC Static Tools
- Real World Results



# DESIGN AND VERIFICATION AVOIDING AVOIDING & Mitigating RDC

Strategies in order of preference.

### Avoid

- 1. Don't use async resets (generally not realistic <sup>(2)</sup>).
- 2. Architect design to align reset domains with functional logic to prevent/limit communication between reset domains.

### Mitigate

- 3. Define resets in the same domain.
- 4. Define reset assertion order.
- 5. Add synchronizers to RDC paths.
- 6. Implement qualifier schemes.
- 7. Waivers.

# DVCONFERENCE AND EXHIBITION 3. Same Reset Domain

3 reset relationships can be defined as same "reset domain":

- 1. 2 or more resets always asserted together, i.e. from the top, global reset, etc. (share polarity, reset value, a/sync, etc.).
- 2. Assertion of rst1 will always trigger **immediate** assertion rst2 Assertion of rst2 will always trigger **immediate** assertion rst1.
- 3. Assertion of rst1 will always trigger **delayed**\* assertion rst2 Assertion of rst2 will always trigger **delayed**\* assertion rst1.

\*Assuming delay is minimal enough. Designer must determine that the interim values in receive reset domain are functionally irrelevant.



- Often resets exhibit an assertion relationship or dependency.
- For example: shallow global resets such as power\_on\_good may always trigger deeper, local resets, but not the opposite.
- This "reset order" can be captured for the tool as constraints:
  - Assuming assertion of rst1 will always trigger immediate or delayed assertion rst2 (but not vice versa).
  - Tool will not report RDC violations for direction rst1→ rst2, but will report rst2 → rst1.

#Constraints Reset order rst1 to rst2 Potentially Reset order rst2 to rst3 usefully, but can **#Tool will conclude itself** be dangerous Reset order rst1 to rst3



- Similar to reset order, can filter out RDC violations from one reset domain to another but without tool making assumptions.
- Example: assume power domain 2 always\_off.





- Just like CDCs, RDCs cause silicon bugs through asynchronous data changes that violate setup & hold.
- Standard CDC sync schemes ensure data values stabilize before propagating to the receive domain's functional logic.
- Tools detect synchronized RDC paths, won't report violations.





- "Pre-indication" signals indicating an imminent reset assertion can be created or may already exist in the design.
- Used to "qualify" or gate RDC paths between 2 reset domains.
- Define qualifier signal through constraints, tool won't report affected RDCs.



### 6. 3 Qualifiers Schemes



#### Assuming qualifier active low.

- Qualifier must arrive before reset assertion.
- Qualifier must be sampled in reset & clock receive domain.
- Separate AND gate must be implemented for every RDC.
- Possible to use OR gate qualifier with active high.

Caution! Tools accept qualifier definitions "as-is"!

2017

DESIGN AND VERIFICA

CONFERENCE AND EXHIBITION



- Introduction to Reset Domain Crossings
- Examples of RDC Schemes
- Mitigating and Avoiding RDC Issues
- Setup and Running RDC Static Tools
- Real World Results



#### CONFERENCE AND EXHIBITION UNITED STATES Setup & Running RDC Static Tools

- Industry standard CDC/LINT tools can now flag RDC issues.
- Capable of running as a static check, flat on large designs.
- Most effective full chip, as most RDCs between blocks.
- 2 methods for adding RDC to flow:
  - 1. If already using platform CDC/LINT tool that supports RDC, just add reset definitions and relevant RDC rules.
  - 2. Add new RDC tool in parallel to flow (minimal setup).
    - Filelist, clock/reset domain info, & functional mode constraints can be quickly adapted from pre-existing CDC/LINT tool flow.
    - May need to slightly massage clock/reset tree naming.
    - Shouldn't be necessary to convert/translate CDC waivers, stable signal declarations, etc.







- Introduction to Reset Domain Crossings
- Examples of RDC Schemes
- Mitigating and Avoiding RDC Issues
- Setup and Running RDC Static Tools
- Real World Results





- Several RDC bugs found in silicon triggered search for better solution as manual methods (i.e. GREP) were not effective.
- Our internal POR static CDC/LINT tools don't support RDC so we added a 2<sup>nd</sup> tool in parallel.
- First RDC static tool trial in mid 2014 on large network chip close to tape out & mature (clean LINT/CDC/simulation/etc.).
  - ~2.5 Million FFs, ~52 Million NAND Gates.
  - 13 Clock Domains
  - 8 Reset Domains
- Found several serious RDC bugs that required RTL/design fixes and designers fixed many issues "on the fly".



- Users found the RDC flow robust, accurate, friendly to debug, & low noise when employing the strategies outlined above.
- Expect initially a large number of real RDC violations.
- During our initial RDC trial a smaller parallel project declined to adopt RDC flow due to time constraints, and an easily detectable RDC bug was found in their silicon.
- RDC checks have now become POR for our division.
- Since the trial, RDC tools continue to improve with many enhancements such as new qualifier constraints and formal capabilities.
- RDC checks continue to gain recognition towards becoming a standard part of verification flow in Intel and the industry.



3/1/2022



- Similar to standard static CDC and LINT flows, can waive.
- Last resort after other methods failed and proper review.
- Certain RDC tools provide dynamic TCL capabilities to generate waivers based on the fan-in or fan-out of the RDC.

