Xprova: Formal Verification Tool with Built-in Metastability Modeling

This paper presents Xprova, an open-source formal verification tool for multi-clock designs. Xprova is a model checker that can discover property violations caused by the incorrect implementation of clock domain crossing circuits. Unlike existing clock domain crossing verification tools, Xprova does not rely on structural or functional analysis to detect deviations from standard design practices. Instead, it transforms the input circuit to model the onset and propagation of metastability digitally, then conducts a state space exploration to search for property violations. This approach is intrinsically capable of identifying several well-known clock domain crossing problems including missing synchronizers, path reconvergence issues and glitches. It also improves debuggability by generating counter-example waveforms showing the onset and mechanics of metastability-induced design failures. We discuss the features, underlying methodology and implementation of the tool then present use cases to compare it to commercial alternatives.