Clock Domain Crossing

Why One Missing Synchronizer Can Kill a Chip — The Silent Danger of CDC

Clock Domain Crossing occurs whenever a digital signal travels from a flip-flop clocked by one clock to a flip-flop clocked by a different, asynchronous clock. The receiving flip-flop has no guarantee that data arrives with adequate setup or hold time — it can go metastable: its output floats between 0 and 1 for an unpredictable duration before resolving.

The danger is that CDC failures do not show up in RTL simulation. Standard simulation uses ideal, zero-skew clocks — metastability never occurs. The failure only appears in silicon at speed, often under specific temperature or voltage conditions, making it extraordinarily hard to debug post-fabrication.

Metastability: When Your Flip-Flop Can't Decide — and MTBF Is the Only Defense

Metastability is not a defect — it is a fundamental property of bistable circuits. What matters is the Mean Time Between Failures (MTBF): the average time between metastability events that propagate and cause functional errors. The goal is to make MTBF longer than the expected product lifetime.

Adding a second synchronizer flip-flop gives the metastable node a full extra clock period to resolve — this exponentially improves MTBF. A 2-FF synchronizer at 500 MHz in a modern process node typically achieves MTBF > 10¹² years — effectively infinite for practical purposes.

The 2-FF Synchronizer — Industry's Cheapest, Most Reliable CDC Fix

The two flip-flop synchronizer is the fundamental CDC building block. Both flip-flops are clocked by the destination clock. The first stage may go metastable but has an entire clock period to resolve before the second stage samples it.

module sync_2ff #(parameter STAGES = 2) (
    input  wire clk_dst,
    input  wire rst_dst_n,
    input  wire async_in,
    output wire sync_out
);
    (* ASYNC_REG = "TRUE" *)
    reg [STAGES-1:0] sync_chain;

    always @(posedge clk_dst or negedge rst_dst_n) begin
        if (!rst_dst_n)
            sync_chain <= {STAGES{1'b0}};
        else
            sync_chain <= {sync_chain[STAGES-2:0], async_in};
    end

    assign sync_out = sync_chain[STAGES-1];
endmodule

Use 3-FF synchronizers (STAGES=3) when the destination clock is faster than the source clock, or when the design runs at very high frequencies where a single clock period does not provide sufficient resolution time.

Multi-Bit CDC: Why Synchronizing Each Bit Separately Is Wrong

Synchronizing multiple bits independently is incorrect. Each bit may be captured at a different clock edge — producing an invalid intermediate value. For example, a 4-bit counter transitioning from 0111 to 1000 has all four bits changing simultaneously. Independent synchronizers may capture some bits as 0 and others as 1, producing a value like 1111 or 0000 that never actually occurred.

Gray Code — The One-Bit-Change Rule That Makes Multi-Bit CDC Safe

Gray code is named after Frank Gray (Bell Labs, 1953). Its defining property — only one bit changes per step — makes it ideal for multi-bit CDC.

// Binary to Gray
assign gray = binary ^ (binary >> 1);

// Gray to Binary (for a 4-bit example)
assign binary[3] = gray[3];
assign binary[2] = gray[3] ^ gray[2];
assign binary[1] = gray[3] ^ gray[2] ^ gray[1];
assign binary[0] = gray[3] ^ gray[2] ^ gray[1] ^ gray[0];

// Parameterized Gray to Binary
genvar i;
generate
    for (i = WIDTH-2; i >= 0; i = i - 1) begin
        assign binary[i] = binary[i+1] ^ gray[i];
    end
endgenerate

Async FIFO Pointer Sync — Where Gray Code Does the Real Work

An async FIFO uses separate write and read clocks. The write pointer increments in the write clock domain; the read pointer increments in the read clock domain. To compute full/empty flags, each pointer must be visible to the other clock domain — synchronized via Gray-coded 2-FF chains.

// Write-domain: binary pointer → Gray → synchronize to read domain
always @(posedge wr_clk or negedge wr_rst_n) begin
    if (!wr_rst_n) wr_ptr_bin <= 0;
    else if (wr_en && !full) wr_ptr_bin <= wr_ptr_bin + 1;
end

// Convert to Gray before crossing
assign wr_ptr_gray = wr_ptr_bin ^ (wr_ptr_bin >> 1);

// Synchronize Gray pointer into read domain (2-FF)
always @(posedge rd_clk or negedge rd_rst_n) begin
    if (!rd_rst_n)
        {wr_ptr_gray_s2, wr_ptr_gray_s1} <= 0;
    else
        {wr_ptr_gray_s2, wr_ptr_gray_s1} <= {wr_ptr_gray_s1, wr_ptr_gray};
end

// Empty flag: read pointer equals synchronized write pointer (Gray compare)
assign empty = (rd_ptr_gray == wr_ptr_gray_s2);

// Full flag: MSB and next-MSB differ, remaining bits equal (Gray code property)
assign full = (wr_ptr_gray == {~rd_ptr_gray_s2[PTR_W-1:PTR_W-2],
                                 rd_ptr_gray_s2[PTR_W-3:0]});

Industry CDC Sign-Off Tools — What Gets Run Before Every Tapeout

Manual code review is insufficient for CDC verification in complex SoCs with hundreds of clock domains. Static CDC analysis tools are mandatory before tape-out.

8 CDC Rules Every RTL Engineer Must Follow Before Tapeout

• ✓Use 2-FF (or 3-FF at high frequency) synchronizers for every single-bit CDC signal
• ✓Never pass multi-bit buses directly across asynchronous clock domains
• ✓Convert counters and pointers to Gray code before any clock boundary crossing
• ✓Use async FIFO for high-bandwidth data transfers between different-rate clocks
• ✓Apply ASYNC_REG attribute (or equivalent) to ensure synchronizer FFs are co-located
• ✓Run SpyGlass CDC or Questa CDC — resolve every violation before tapeout
• ✓Constrain CDC paths in SDC with set_false_path or set_max_delay -datapath_only
• ✓Document every intentional CDC crossing in the design spec with its synchronization method

See It Live — 2-FF Synchronizer Waveform Visualizer

Observe how a 2-FF synchronizer transfers a signal from a slower source clock domain to a faster destination clock domain — and the latency introduced by synchronization.

CDC FAQs: Questions Every Engineer Asks (and Searches For)