1. Why CDC Testing is Critical
Clock domain crossing bugs are notoriously hard to find because they're probabilistic. A metastability failure occurs randomly, maybe 1-in-10-billion times, making traditional simulation inadequate.
This requires specialized testing strategies:
- Unit testing: Verify each synchronizer works in isolation
- Integration testing: Test synchronizers in full chip context
- Formal verification: Mathematically prove CDC properties
- Constraint verification: Ensure timing is met at each stage
- Coverage analysis: Measure how thoroughly CDC is tested
2. Unit Testing: Synchronizer Components
Dual-FF Synchronizer Test
// Testbench for dual-FF synchronizer
module tb_async_synchronizer_2ff;
reg clk_b, rst_b;
reg [7:0] async_in;
wire [7:0] sync_out;
async_synchronizer_2ff #(.WIDTH(8)) dut (
.clk_b(clk_b),
.rst_b(rst_b),
.async_in(async_in),
.sync_out(sync_out)
);
always #5 clk_b = ~clk_b;
initial begin
clk_b = 0; rst_b = 1;
async_in = 8'h00;
#100;
// Test 1: Single-bit transitions
async_in = 8'h01;
repeat(4) @(posedge clk_b);
assert(sync_out == 8'h01) else $error("Failed: single-bit sync");
// Test 2: Multi-bit (tests Gray code not pure FF)
async_in = 8'hAA;
repeat(4) @(posedge clk_b);
assert(sync_out == 8'hAA) else $error("Failed: multi-bit sync");
// Test 3: Rapid changes (metastability stress)
repeat(10) begin
async_in = $random;
repeat(2) @(posedge clk_b); // Only 2 cycles (stressed)
end
$finish;
end
endmodule
Gray Code Conversion Test
Verify binary ↔ Gray encoding at all boundary values:
- 0 (0x00) → 0 (0x00)
- 1 (0x01) → 1 (0x01)
- 2 (0x02) → 3 (0x03)
- 255 (0xFF) → 128 (0x80)
- Wrap-around: 255 → 0 produces single-bit change
3. Integration Testing: Full Chip CDC
Dual-Clock FIFO Stress Test
Test the FIFO under realistic conditions:
- Back-to-back writes: Fill FIFO while reading continuously
- Burst writes: Write data at max rate, read slowly
- Burst reads: Read at max rate, write slowly
- Wrap-around: Pointers wrap from max → 0
- Empty/full transitions: Monitor flags during transitions
- Frequency mismatch: Test at various clock frequency ratios (2:1, 3:1, 5:1, etc.)
Expected behavior: No data loss, no corruption, correct empty/full flags, all under frequency variations and metastability stress.
4. Coverage Analysis
Code Coverage
Traditional metrics:
- Line coverage: Every line of CDC code executed
- Branch coverage: Every if/else branch taken
- Toggle coverage: Every signal toggles at least once
Target: ≥95% code coverage for CDC modules
CDC-Specific Coverage
Beyond traditional coverage, track:
- Metastable window: Async input sampled during setup/hold violation (intentional)
- Pointer wrap: Pointers wrap around 0 during testing
- Full/empty transitions: FIFO transitions between full ↔ not-full, empty ↔ not-empty
- Gray code all values: Test Gray code with all possible input values
5. Constraint Verification
CDC constraints ensure timing closure:
| Constraint | Purpose | How to Verify |
|---|---|---|
| No combinational paths between clock domains | Prevents async delay coupling | Lint tool (CDC lint) |
| Synchronized signals have dual-FF minimum | Metastability protection | CDC rule checker |
| Gray code on multi-bit crossings | Glitch prevention | Design review + lint |
| No async reset without synchronization | Reset sync required | CDC linter |
| Setup/hold met on FF input | Prevent violation timing | Static timing analysis (STA) |
6. Formal Verification (Introduction)
Formal tools (Cadence Incisive, Mentor Questa) can mathematically prove CDC properties:
Properties to verify:
- MTBF bounds (e.g., "MTBF > 1 million years")
- No deadlock between domains
- FIFO never loses data
- Empty/full flags never both asserted simultaneously
- Pointer arithmetic correct under wrap-around
Formal verification is expensive but essential for high-reliability designs (automotive, aerospace, medical devices).
7. Simulation-Based CDC Testing
Clock Skew Injection
Introduce phase shifts between clocks to stress synchronizers:
- Clock B leads Clock A by 30%
- Clock A leads Clock B by 60%
- Verify synchronizers still work correctly
Temperature and Voltage Variation
Simulate worst-case conditions:
- Slow process, high temperature, low voltage (worst-case metastability)
- Fast process, low temperature, high voltage (different timing behavior)
8. Production Test Patterns
CDC bugs may only manifest under specific test patterns. Include CDC-aware tests in production test suite:
- Pattern 1: Rapid toggles on async inputs (exercise metastability window)
- Pattern 2: Long idle periods followed by activity (test edge cases)
- Pattern 3: Maximum frequency stress (all synchronizers busy simultaneously)
- Pattern 4: Burst activity at each clock ratio (test FIFO pointer wrap)
9. Common CDC Testing Mistakes
- ❌ Mistake: Testing CDC at constant temperature/voltage (misses corner cases)
- ✓ Fix: Test across PVT (process, voltage, temperature) corners
- ❌ Mistake: Assuming simulation proves metastability safety (only formal verification proves MTBF)
- ✓ Fix: Use formal tools for high-reliability designs
- ❌ Mistake: Not testing wrap-around behavior in FIFO
- ✓ Fix: Explicit wrap-around test case (255 → 0 transition)
10. Testing Checklist
- ✅ Unit tests for all synchronizers (2FF, Gray, pulse)
- ✅ Integration tests for FIFO (back-to-back, burst, wrap-around)
- ✅ Frequency mismatch testing (2:1, 3:1, 5:1 ratios)
- ✅ ≥95% code coverage on CDC modules
- ✅ CDC-specific coverage (metastable window, pointer wrap, full/empty transitions)
- ✅ Constraint verification (CDC lint pass, no combinational cross-domain paths)
- ✅ Formal verification of key properties (MTBF, deadlock-free, no data loss)
- ✅ PVT corner simulation (slow/high-temp, fast/low-temp)
- ✅ Production test patterns (rapid toggles, max frequency stress)
- ✅ Design review sign-off
Next (Day 7): Formal verification techniques and tools for CDC.