Every flip-flop has two ways to be forced into a known state: the synchronous reset, which only takes effect on a clock edge, and the asynchronous reset, which slams the output low (or high) the instant the reset pin asserts, regardless of the clock. Both look identical in a waveform diagram when reset is held long enough. Both are catastrophically different when reset is released.

An async reset is implemented as a direct path into the flip-flop's master and slave latches — it physically yanks the internal nodes. Assertion is glitch-free and works even if the clock is dead. That's why power-on reset circuits and watchdog timers almost always use async assertion: you cannot assume the clock is running when something has gone catastrophically wrong.

A sync reset is just a logic input to the D-input mux: D = reset ? 0 : data. It needs a running clock to take effect, which means it can't rescue a stuck chip. But it folds into normal STA, it doesn't require special recovery/removal checks, and the synthesis tool can share reset logic across thousands of flops cheaply.

The real trap is asynchronous reset release. If reset deasserts too close to a clock edge, the flop sees a race between "I'm coming out of reset" and "capture D" — classic metastability. Hardware engineers fix this with a reset synchronizer: assert async (works without a clock), deassert sync (two-flop chain on the reset signal, so release lines up with a clock edge).

Real-world example: The Xilinx 7-series UG949 explicitly recommends sync reset for the FPGA fabric because each slice's flip-flop has only one async control pin — burning it on reset eliminates async set, async preset, and set/reset priority logic. ARM Cortex-M cores do the opposite: async assert + sync deassert, because the core must reset cleanly even when the PLL hasn't locked and there's no clock yet.

Rule of thumb — recovery/removal timing: Async reset must be deasserted at least t_recovery (~setup) before the clock edge, and held at least t_removal (~hold) after it. For a typical 28nm flop: recovery ≈ 200 ps, removal ≈ 100 ps. Miss either and the flop can come out of reset metastable, just like any other CDC failure.

Decision shortcut: use async assert for safety-critical resets (POR, watchdog, emergency stop), sync everywhere else, and always deassert synchronously through a two-flop synchronizer.