The use of 2DFF or, more generally, NDFF synchronizer circuits is a generally accepted technique for transferring a single-bit signal, usually a control pulse, between two asynchronous clock domains. It is a relatively simple and well-recognized preventative measure against metastability issues at clock domain crossings (CDCs). However, it should be applied with special care when the interaction involves multiple signals. One of the typical dangers is a re-convergence of multiple independently synchronized signals in the target domain, which could happen directly after the synchronizers or deeper into the circuit:
The issue with the example above is a potential incoherence between the two sampled control signals in the target domain. Depending on the time window available for metastable signals to settle to a known value, there is a chance that the interacting branches will capture values that represent different clock cycles in the source domain, thus making the control state incoherent, leading to subsequent functional errors.
The re-convergence issue can be caught at RTL level before it makes any harm by running advanced structural CDC checks using a modern Design Rule Checking software tool like Aldec ALINT-PRO. The tool will provide cross-probing to all related parts in the HDL code.
ALINT-PRO will also demonstrate the affected elements of the synthesized netlist in a filtered schematic form:
The underlying re-convergence rule checker can be configured to handle circuits with different degrees of pessimism regarding the number of subsequent sequential levels being analyzed; between the synchronizers and the actual point of interaction. The default settings provide a satisfactory level of protection for most typical designs. Increasing the number of analyzed levels is possible. For example, you might be having to meet high safety and security requirements. Significantly increasing the number of levels could have a noticeable impact on analysis performance.
A simple way to avoid the re-convergence issue is to push the interaction logic back to the sending clock domain, and transfer a single combined control signal, thus eliminating the possibility of data incoherence.
The acceptable exception to the re-convergence avoidance rule is when the source signals are Grey-encoded, because only one bit can change per clock cycle.