In the recent blog post on the challenges of clock domain crossing (CDC), we asserted that CDC errors can break your ASIC. Reset domain crossing (RDC) errors can be equally catastrophic, so in Part 2 we will discuss what the RDC challenges facing IP integrators are.
Turns out you need robust signoff for CDC AND RDC!
Historically, resets were confined to externally generated power-on (POR) or warm resets, where the entire ASIC design is reset to a known start state. Nowadays, large ASICs can contain hundreds of separate resets. These are generated internally under the control of software (or hardware), for the purposes of power management, debug, or for error-recovery mechanisms such as those required for safety-critical systems, for example.
As with clock gating, reset mechanisms have a functional behavior that must be functionally verified. This is a traditional verification, or system validation, problem that can be solved with traditional verification strategies, both dynamic and static. Metastability induced from asynchronous resets is another class of design flaw that can lead to a total chip failure, with all the associated costs of re-spinning a modern multi-billion gate ASIC! It’s a class of problem that you can rarely work around in software. This risk is exacerbated by the ever-increasing complexity of resets. A portion of the chip with a unique reset signal is called a reset domain, and a signal traveling from one reset domain to another creates an RDC. RDCs can be susceptible to metastability, and this can even occur within a single clock domain as illustrated below.