A Pragmatic Approach to Metastability-Aware Simulation

Joseph Bulone, Kalray

Roger Sabbagh, Mentor Graphics

© Accellera Systems Initiative 1

Metastability Effects

• Storage elements can enter a metastable state

• When timing constraints are violated

• Cycle-based effect: unpredictable propagation time

© Accellera Systems Initiative 2

din tffMTBF

clk

1

fc lk = Clock Frequency

fin = Input Signal Frequency

td = Duration of critical time window

CLK

D

Q

CLK

D QDomain A

Domain B

Setup/hold window

Single-Cycle Delay and Bleed-Through

© Accellera Systems Initiative 3

Q

D

CLK

Simulation captures a ‘1’ while

silicon produces either a ‘1’ or ‘0’.

Effect: single-cycle delay

Setup Violation

Q

D

CLK

Hold Violation

Q in silicon Q in silicon

Simulation captures a ‘0’ while

silicon produces either a ‘1’ or ‘0’.

Effect: bleed-through

CDC Reconvergence

© Accellera Systems Initiative 4

Tx1 Rx1

Tx2 Rx2

Logic

in clock

domain A

Logic

in clock

domain B

Logic in clock domain C

Setup violation

Tx1

clk_B

Tx2

Rx1

Rx1

Rx2

Rx2

Timing relationships between signals look OK in simulation…

but may be skewed in silicon

If the logic in domain B depends on such timing relationships, it will lead to a functional bug

Classical Methods

• Modified synchronizer

Incomplete Bleed-through not modeled

Misses paths with other synchronizers E.g. 3rd party IP

• CDC formal analysis

Must manually review

May miss some deep endpoints

© Accellera Systems Initiative 5

Questa CDC-FX Method

• Metastability effects model

Models bleed-through and single-cycle delay

Independent random control for each bit

Built-in coverage points

• Bind to each CDC signal

All paths covered

Independent of synchronizer type

© Accellera Systems Initiative 6

Application to the MPPA-256

• 160 Mgates

• 28 nm

• 3rd party IPs as

– DDR controller

– PCIe controller

– Ether. controller

– Flash controller

© Accellera Systems Initiative 7

The static CDC results are a user issue

• Extracted CDC scheme classification– Well-known and formally proved as correct

– Conditionally proved thus formal investigation• OK

• KO

• No conclusion

– Missing synchronizer

– Not extracted e.g. too deep reconvergence

• Small in-house IPs or synchronizers– Can be controlled and managed

• Complex 3rd party IP– Not manageable: too many (> 10 000)

© Accellera Systems Initiative 8

CDC correctness scheme can be stimuli/constraint dependent

• Correctness meaning ?

– Data register 1 interpretation ?

• How to ensure correctness ?

– Input stimuli constraints

– clkB skew and clkA frequency

• No general formal model including metastabilityeffects and constraints

© Accellera Systems Initiative 9

Software controlled

bit

Metastable bit register

Bit register 0

select_new_data

clkA domainSoftware

controlleddata

clkB domain

Metastable data register

Data register 0

Data register 1

0 1

Some partial solutions

• Systematic waiving– Usually too risky

• Specific mode selection– Time consuming

• Knowledge requirement

• Number of modes

– Mode description

– Mode transitions

• Increase convergence depth threshold– Time consuming

• Knowledge requirement

• Manual analysis

© Accellera Systems Initiative 10

The metastability-aware simulation

• Instrumentation thanks to static analysis results

– Automated

• Seed choice

• Reception clock window parameter definition

– Too large >= 100% of clock cycle • may lead to false errors

– Too small < 100% of clock cycle• may lead to missed metastability potential events

– Our choice = 99%

© Accellera Systems Initiative 11

Metastability-aware simulationwithin continuous integration flow

© Accellera Systems Initiative 12

Wait for integration request

Test for user rights

Try for a local merge

Run short test suite

Warn user

Requestcorrection

Update a main branchwith merge result

Wait for main branch update

Update passedrevision table

Derive metastability tests

Requestcorrection

Generate metastability seed

Run long test suite

Practical results

• Low impact onto overall simulation time

– Setup/compilation time: 2x

– Execution time: below parallel execution variability

• DDR controller bug observed on FPGA platform

– Diagnostic in metastable-aware simulation

– Reconvergent paths via 2 asynchronous FIFOs

• Flash controller was CDC behavior dependent onto software code

© Accellera Systems Initiative 13

Conclusion and future

• Static approach is not enough especially with 3rd party IPs

• Dynamic results will depend on stimuli quality

• Expectations as user– CDC coverage metrics improvement

– Qualification notion extension

– Formal verification environment based on• Formal modeling of metastability effects

• Formal constraints on the use model

• Formal modeling of expected behavior taking into account metastability effects

© Accellera Systems Initiative 14

Questions

© Accellera Systems Initiative 15