Formal Verification with Asynchronous Clocks

Filed under: Functional Verification, Formal Analysis, Verification methodology, PSL, SVA, verification, ABV, IEV, formal, IFV, assertions, formal verification, assertion-based verification, Joerg Mueller

Many designs have multiple independent clock inputs with different frequency specifications and/or different frequency ranges. In simulation-based environments we see regressions run with randomly varying clock phase timing parameters to cover the many possible combinations. A simple Verilog example might look like:

    initial begin
      clk = 0;
      // toggle every half period; RANDOM_PERIOD is varied randomly across regression runs
      forever #(RANDOM_PERIOD/2) clk = !clk;
    end


In the formal world we can also specify the clocks as discrete, crank-based waveforms, using Tcl commands that allow for verification of varying clock ratios and phase relationships.

Figure 1: Clock Waveform Specification in IEV


Unfortunately, both approaches only cover a subset of all possible clock waveforms -- in effect, they represent over-constrained environments (recall Team Verify's prior post on over-constraining). Thus, for the purpose of hunting corner-case bugs in the clock synchronization logic we need a more aggressive, "under-constrained" approach for the clock waveform specification.

A quick and slick solution is to simply leave the clock pins completely free as randomly toggling inputs.  In Incisive Formal or Incisive Enterprise Verifier we can achieve this by omitting the Tcl clock constraints above and adding "clock fairness constraints" instead.  Here is a PSL example:

clk1_toggles: assume always eventually! (rose(clk1));

clk2_toggles: assume always eventually! (rose(clk2));

This will create completely unrelated clock frequency and phase relationships, modeling any possible glitch and hazard scenarios you can imagine. However, since this is an aggressively under-constrained environment, it might work too well and you may face failures due to extreme, illegal clock waveforms. Still, since this is so easy to set up and run, it is usually an acceptable price for exhaustive scenario coverage in a single formal run.
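To make the over-constrained versus under-constrained contrast concrete, here is an added illustration in Python (not IEV, Tcl or Cadence code): it enumerates every waveform a period/phase clock specification can produce over a short window of cranks and compares that set with what a free clock input can produce. The function names, the 8-crank window and the period set (2, 4, 6, 8) are assumptions made for this sketch.

```python
from itertools import product

def periodic_wave(period, phase, n):
    """50% duty-cycle clock, even `period` and `phase` in cranks, sampled for n cranks."""
    half = period // 2
    return tuple(((t + phase) // half) % 2 for t in range(n))

def fixed_waveforms(periods, n):
    """All waveforms a period/phase clock specification can produce in n cranks."""
    return {periodic_wave(p, ph, n) for p in periods for ph in range(p)}

def free_waveforms(n):
    """Free clock pin. 'always eventually! rose(clk)' is a liveness constraint:
    any finite prefix can still be extended with a later rising edge, so no
    0/1 sequence of length n is excluded."""
    return set(product((0, 1), repeat=n))

def narrowest_pulse(wave):
    """Length in cranks of the shortest complete high or low pulse (None if none)."""
    runs, start = [], 0
    for t in range(1, len(wave) + 1):
        if t == len(wave) or wave[t] != wave[start]:
            runs.append(t - start)
            start = t
    inner = runs[1:-1]  # the first and last runs are cut off by the window
    return min(inner) if inner else None

def coverage(periods, n):
    """Compare what fixed specifications and free clocks cover for two clocks."""
    fixed, free = fixed_waveforms(periods, n), free_waveforms(n)
    missed = free - fixed
    return {
        "fixed_pairs": len(fixed) ** 2,  # clk1 and clk2 are chosen independently
        "free_pairs": len(free) ** 2,
        "missed": len(missed),
        "missed_glitches": sum(1 for w in missed if narrowest_pulse(w) == 1),
    }

if __name__ == "__main__":
    PERIODS = (2, 4, 6, 8)  # constructed sample: four allowed clock periods
    print(coverage(PERIODS, 8))
    glitch = (0, 0, 0, 1, 0, 0, 0, 0)  # constructed: a single one-crank pulse
    print(glitch in fixed_waveforms(PERIODS, 8), glitch in free_waveforms(8))
```

Even with four periods and every phase offset, the fixed specifications reach only a small fraction of the two-clock combinations in the window, and the isolated one-crank pulse is reachable only with free clock inputs.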

Surprisingly many counterexamples come with pretty regular clock shapes for at least one clock, since it is in the interest of the formal engine to provide a short trace, which requires clocks to toggle.


Figure 2: Screenshot of asynchronous clock waveform using assertion driven simulation

The point is that you can bracket the clock waveform verification with the most conservative and most aggressive approaches. Specifically, we recommend the following two-stage approach to verify designs with independent, asynchronous clocks:

1) Sync: Fixed simple (equivalent) synchronous clocks to flush out all bugs unrelated to clocking issues

2) Async: Unspecified clock waveforms to target bugs related to clock frequency, phase and glitch issues

Note that there are also approaches in between these extremes, which try to keep the clocks within a range using counters and auxiliary logic.  But they come with a higher price since complexity is more likely to explode with such clock generating networks.  Hence, we do not recommend such methodologies unless they are absolutely required.

Happy clocking!

Joerg Mueller
Solutions Engineer
for Team Verify

On Twitter: http://twitter.com/teamverify, @teamverify


By Dilip on October 18, 2011
I think this approach may not really help in large designs because if clocks are also considered as free inputs, the state space becomes really huge and many properties will explore (depending upon complexity of design). A better approach would be to ensure a rising edge on each clock at least once between say [0:20 cycles].

By JoergM on October 20, 2011
If we compare the actual state space created by an environment with fully asynchronous clocks and clocks with a defined frequency range (like one edge within [0:20 cranks]), then we find that the first approach adds 1 state bit, while the second adds a 5-bit counter for every clock (counting up to 20). So we can expect that the asynchronous environment is less complex.
We recommend not using such auxiliary counters (especially in the clock tree) until we absolutely require it.

By Alex on November 3, 2011
This approach seems not to change the order of the arrival of signals which cross clock domains in parallel. In the good case, the receiving clock domain catches the changes at the same clock edge. In the bad case, at least one event comes a clock period later.

By TeamVerify on November 3, 2011
Yes, this approach is creating the basic infrastructure required to stimulate asynchronous input clocks. The next step would be to inject meta-stability effects like variable delays on clock domain crossing paths. This is also possible in IEV using cutpoints and interactive Tcl constraints, for example. I'll consider describing this in a subsequent blog.
