Many designs have multiple independent clock inputs with different frequency specifications and/or different frequency ranges. In simulation based environments we see regressions run with randomly varying clock phase timing parameters to cover the many possible combinations. A simple Verilog example might look like:
initial begin
clk = 0;
forever #(RANDOM_PERIOD/2) clk = !clk;
end
In the formal world we can also specify the clocks as discrete crank based waveforms, using Tcl commands which allow for verification of varying clock ratios and phase relationships.
Figure 1: Clock Waveform Specification in IEV
Unfortunately, both approaches only cover a subset of all possible clock waveforms -- in effect, they represent over-constrained environments (recall Team Verify's prior post on over- constraining). Thus, for the purpose of hunting corner case bugs in the clock synchronization logic we need a more aggressive, "under constrained" approach for the clock waveform specification.
A quick and slick solution is to simply leave the clock pins completely free as randomly toggling inputs. In Incisive Formal or Incisive Enterprise Verifier we can achieve this by omitting the Tcl clock constraints above and adding "clock fairness constraints" instead. Here is a PSL example:
clk1_toggles: assume always eventually! (rose(clk1));
clk2_toggles: assume always eventually! (rose(clk2));
This will create completely unrelated clock frequency and phase relationships, modeling any possible glitch and hazard scenarios you can imagine. However, since this is an aggressively under constrained environment it might work too well and you may face failures due to extreme, illegal clock waveforms. Still, since this is so easy to setup and run, it is usually an acceptable price for exhaustive scenario coverage in a single formal run.
Surprisingly many counter examples come with pretty regular clock shapes for at least one clock, since it is in the interest of the formal engine to provide a short trace, which requires clocks to toggle.
Figure 2: Screenshot of asynchronous clock waveform using assertion driven simulation
The point is that you can bracket the clock waveform verification with the most conservative and most aggressive approaches. Specifically, we recommend the following 2-staged approach to verify designs with independent, asynchronous clocks:1) Sync: Fixed simple (equivalent) synchronous clocks to flush out all bugs unrelated to clocking issues
2) Async: Unspecified clock waveforms to target bugs related to clock frequency, phase and glitch issues
Note that there are also approaches in between these extremes, which try to keep the clocks within a range using counters and auxiliary logic. But they come with a higher price since complexity is more likely to explode with such clock generating networks. Hence, we do not recommend such methodologies unless they are absolutely required.
Happy clocking!
Joerg Mueller
Solutions Engineer
for Team Verify
On Twitter: http://twitter.com/teamverify, @teamverify