CN112035290A - Single event upset resistance method for satellite-borne digital signal processor - Google Patents
Single event upset resistance method for satellite-borne digital signal processor Download PDFInfo
- Publication number
- CN112035290A CN112035290A CN202010987369.1A CN202010987369A CN112035290A CN 112035290 A CN112035290 A CN 112035290A CN 202010987369 A CN202010987369 A CN 202010987369A CN 112035290 A CN112035290 A CN 112035290A
- Authority
- CN
- China
- Prior art keywords
- chip
- sram
- code segment
- executable file
- single event
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0793—Remedial or corrective actions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0736—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/44—Encoding
- G06F8/447—Target code generation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/61—Installation
- G06F8/63—Image based installation; Cloning; Build to order
Abstract
The invention provides a single event upset resistance method for a satellite-borne digital signal processor, which comprises the following steps: selecting a code segment needing to be refreshed in an SRAM as a key code segment; adding a refreshing function into a main function of a chip embedded program, wherein the refreshing function is used for refreshing an important code segment of the SRAM according to a code which is solidified in the ROM in a mirror image mode and corresponds to the important code segment; compiling and linking the embedded program to generate a corresponding executable file, and curing the executable file mirror image into a ROM of the chip; powering on a chip, loading the executable file, and storing the executable file into the code segment and the data segment of the SRAM; the chip executes the executable file, and single event upset of the chip is prevented by refreshing key code segments of the SRAM. The invention is realized based on software, has no influence on the original embedded program of the chip, and realizes the single event upset resistance under the condition of not changing system hardware.
Description
Technical Field
The invention relates to the technical field of satellite reliability application, in particular to a method for resisting single event upset of a satellite-borne digital signal processor.
Background
With the development of space technology, the dependence of payload products on large-scale digital integrated circuits is stronger and stronger. The higher the integration of components of a payload (instruments, equipment, personnel, test organisms, test pieces and the like which are loaded on a spacecraft and are used for directly realizing a specific task to be finished when the spacecraft runs in orbit), the greater the influence of single event upset (the phenomenon that single high-energy particles in the universe are shot into a sensitive region of a semiconductor device to overturn the logic state of the device) on the product. Reinforcing measures are taken for single event upset all the time, and single event detection and response are always one of the key points of space technology research.
Generally, whether a single event upset phenomenon occurs or not is judged by observing the functional state of the payload, and if the single event phenomenon occurs, the ground is required to intervene to recover the payload function. However, this will have a great influence on the normal operation of the system, so countermeasures should be taken to correct the error caused by the single event upset by software or hardware methods, thereby reducing the probability of system failure and prolonging the system failure interval.
Currently, a great deal of literature is available to discuss the single event upset effect. In the literature, "a research on single event upset resistance technology suitable for a spatial information Processing platform" adopts a traditional DSP (Digital Signal Processing) Digital Signal processor) + FPGA architecture, adds an antifuse FPGA as a detection and logic decoding unit, and monitors and processes an SRAM FPGA through a readback comparison function. Aiming at the influence of single event upset on each main device in the processing platform, methods such as periodic self-checking, triple modular redundancy, error correction coding and the like are designed to improve the reliability of the processing platform. The literature, namely a test method for evaluating single event upset of an anti-radiation DSP (digital signal processor), comprises three modes of static detection of an SRAM (static random access memory), reading of an internal register through a CPU (central processing unit), functional detection and the like. According to the method, a single event upset detection software system and a hardware detection system of the DSP circuit are designed. Patent document "a register file storage array write cell resistant to single event upset" (CN 201810083064.0) starts with SRAM, and applies circuit strengthening means to strengthen the single event upset resistance of the device in circuit design. Patent document "a space single event upset detection method of satellite-borne chip" (CN 201110244403) proposes a single event upset resistance detection method, which adopts a segmented inspection and triple modular redundancy judgment mode to judge whether the DSP has a single event upset.
Although the above documents adopt certain measures for dealing with the single event upset effect, the measures are also based on hardware measures, and in software, the measures only provide detection capability.
Disclosure of Invention
The invention aims to provide a method for resisting single event upset of a satellite-borne digital signal processor. The invention adds the function for executing the refreshing function into the original embedded program in the satellite-borne DSP chip, and continuously refreshes the key code segments stored in the SRAM of the DSP chip, so that the key code segments with single-event reversal are recovered to a normal state, the error generated during the single-event reversal is corrected, and the reliability of the payload product is improved.
In order to achieve the above object, the present invention provides a method for resisting single event upset of a satellite-borne digital signal processor, wherein a chip comprises a nonvolatile memory ROM and a volatile memory SRAM, the SRAM comprises a plurality of code segments and a plurality of data segments, and the method comprises the steps of:
selecting a code segment needing to be refreshed in an SRAM as a key code segment;
adding a refreshing function into a main function of a chip embedded program, wherein the refreshing function is used for refreshing an important code segment of the SRAM according to a code which is solidified in the ROM in a mirror image mode and corresponds to the important code segment;
compiling and linking the embedded program to generate a corresponding executable file, and curing the executable file mirror image into a ROM of the chip;
powering on a chip, loading the executable file, and storing the executable file into the code segment and the data segment of the SRAM;
the chip executes the executable file, and single event upset of the chip is prevented by refreshing key code segments of the SRAM.
Preferably, a plurality of refresh functions are provided in the main function.
Preferably, the plurality of refresh functions are used to refresh the same section of emphasis code.
Preferably, the plurality of refresh functions are each configured to refresh a different section of emphasis code.
Preferably, the code with the set byte length in the key code segment is refreshed once.
Preferably, the refresh code in the executable file corresponding to the refresh function is not stored in the focus code segment.
Preferably, the embedded program adopts any one of C language and assembly language.
Compared with the prior art, the invention has the beneficial effects that:
1) the invention is realized based on software: firstly, taking a code segment needing to be refreshed in an SRAM as an important code segment; then writing the refresh function into the embedded program of the chip, compiling the embedded program to generate a corresponding executable file, and fixing the executable file in the ROM of the chip in a mirror image manner; then after the chip is powered on, storing the instructions in the executable file into a code segment of the SRAM of the chip, storing the data in the executable file into a data segment of the SRAM, wherein the refreshing code corresponding to the refreshing function in the executable file is not stored in the key code segment; and finally, the chip is electrified to automatically execute the executable program, and codes corresponding to the key code segments in the ROM are copied to the key code segments of the SRAM through the refreshing codes, so that the single event upset resistance is realized.
2) The invention can realize the single event upset resistance of the DSP chip under the condition of not changing system hardware. The method of the invention is easy to realize, has no influence on the functions realized by the original embedded program of the chip, does not influence the complexity and the robustness of the original embedded program, and does not influence the design, the coding and the debugging of the original embedded program.
3) The invention can refresh all or part of key code segments stored in the SRAM according to the practical application condition, and autonomously design the scale of the code segment refreshed each time. The invention is easy to realize and has good practicability.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings used in the description will be briefly introduced, and it is obvious that the drawings in the following description are an embodiment of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts according to the drawings:
FIG. 1 is a schematic diagram of the logical memory addresses of ROM and SRAM in the DSP chip according to the embodiment of the present invention;
FIG. 2 is a flow chart illustrating a refresh function according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an embedded program including a refresh function according to an embodiment of the present invention;
FIG. 4 is a diagram comparing the key code segment VEC _ SEC of SRAM after single event inversion with ROM data in the embodiment of the present invention;
FIG. 5 is a diagram showing the comparison between the key code VEC _ SEC and ROM of the SRAM after the refresh code is run in the embodiment of the present invention;
FIG. 6 is a flowchart of a method for preventing single event upset of a satellite-borne digital signal processor according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The DSP chip includes a nonvolatile Memory ROM and a volatile Memory SRAM (Static Random-Access Memory). The data stored in the SRAM can be constantly maintained as long as the SRAM is kept powered on. However, when the power supply is stopped, the data stored in the SRAM is lost, unlike the ROM or flash memory that can store data after power is turned off. In the present invention, the ROM used is EEPROM (Electrically Erasable Programmable Read-Only Memory). In the embodiment of the invention, the used DSP chip is a TMS320 series DSP chip.
The logic memory address of the DSP chip is shown in FIG. 1, wherein the logic memory address space of SRAM is from 0x00000000 to 0x00050000, and the logic memory address space of EEPROM is from 0x 64000000. The memory space of the SRAM is divided into a plurality of code (text) segments and a plurality of data (code) segments. the attributes of the text section and the data section are essentially different, the text section (namely the code section) only has the read and execution authorities, and after the chip is started and the loaded embedded program is normally executed, the content of the code section cannot be rewritten by the program. In addition to instructions, text segments often include some global constants or strings. The data section (i.e. data section) generally comprises global variables and local variables and has read-write properties, so that along with the execution of the program, the content in the data section can change continuously along with the running of a chip embedded program (program for short in the invention), and the code section cannot be changed easily. Because the program is insensitive to the change of some contents in the data section, even if some variables or some digital signal data in the array send the inversion, the property of the calculation result is not affected, and the variables or the digital signal data in the array can be considered as noise or acceptable errors. For a code segment, a bit error is likely to cause an instruction error, which causes program runaway and even system reset, and the effect thereof is obviously more serious, so the invention is mainly used for preventing the code segment from generating single event upset.
Fig. 1 is a schematic diagram of logical memory addresses of ROM and SRAM in the DSP chip in this embodiment. In fig. 1, the address spaces Boot _ up and VEC _ SEC are pure text segments; the address space TB _ SEC and the ISRAM0 simultaneously comprise a text section and a data section, and the address space ISRAM 1-3 comprises digital signal data and state marks which are pure data sections. After the embedded program is usually written in C language or assembly language, an executable file is generated through compiling and linking, and is loaded into the memory of the chip. The executable file contains machine language code equivalent to the embedded program. The machine language code contains data code and instruction code, which are stored in the text section of the SRAM when the executable file is loaded onto the chip. In the process of writing the embedded program, the text segments can be uniformly distributed to one address space according to actual needs, and a plurality of text segments can be distributed to different address spaces.
The invention provides a method for resisting single event upset of a satellite-borne digital signal processor, which comprises the following steps of:
s1, selecting a code segment needing to be refreshed in the SRAM as an important code segment, wherein the important code segment is usually a pure code segment, namely, the important code segment does not contain a data segment; in the embedded program of the chip, address space is allocated for the key code segment, and the key code segment is placed in the address space. In this embodiment, the address space for naming and storing the key code segment is "VEC _ SEC", the storage location of the VEC _ SEC address space in the SRAM is shown in fig. 1, and the address space is also referred to as VEC _ SEC segment in the SRAM;
s2, adding a refresh function into a main function of the chip embedded program, wherein the refresh function is used for refreshing an important code segment of the SRAM according to a code which is solidified in the ROM in a mirror image mode and corresponds to the important code segment;
as shown in fig. 3, in the embodiment of the present invention, a refresh function is added to a main function of an embedded program, and a C language general expression of the refresh function is shown as:
where dst represents the address of the code section in the ROM that needs to be copied (flushed), src represents the address of the code section solidified in the ROM, and size represents the number of bytes of code that need to be copied. Firstly, dst, src and size are not determined to be 0, then data in src is sequentially assigned to dst, a byte is assigned, and size is updated to be size-1 until size is zero. The flow of the refresh function is shown in fig. 2.
In an embodiment of the present invention, as shown in fig. 3, a refresh function is added to the main function:
sys_memcpy(VEC_BASE,ROM_BASE_ADDR+VEC_BASE,VEC_SIZE);
wherein, VEC _ BASE represents the BASE address 0x00000400 of VEC _ SEC segment, ROM _ BASE _ ADDR represents the BASE address 0x64000000 of EEPROM, VEC _ SIZE represents the byte number of the code to be refreshed, VEC _ SIZE byte beginning from 0x64000400 is copied into VEC _ SIZE bytes beginning from 0x00000400 in sequence through a refresh function.
S3, compiling and linking the embedded program to generate a corresponding executable file, and fixing the executable file mirror image into a ROM of the chip;
in the compiling and linking stage of the embedded program, the memory offset of a text field and a data field in a logic memory of the DSP is determined, namely the address of each function, each variable and the address of data in the program are solidified in a relative or absolute addressing mode.
S4, powering on the chip, loading the executable file, and storing the executable file into a code segment and a data segment of the SRAM;
after the executable file image is stored in a ROM of a nonvolatile memory device, a chip is powered on and starts to work, and DSP firmware copies the bootloader to the address space of the first 1K bytes of the SRAM/CACHE of the volatile memory with higher access speed and executes the bootloader. And further completing the initialization of global variables in the program, the hardware configuration and the initialization of the system running environment through the bootloader, and then starting to jump to the main function execution code of the program. Generally, the copy destination address of each function or variable (array) in the SRAM/CACHE is the address determined when the system is compiled/linked.
In this embodiment, a part of the instruction codes in the executable file are loaded into the VEC _ SEC section of the SRAM as an important code section, and the logic memory address VEC _ BASE + X of the SRAM and the logic memory address ROM _ BASE _ ADDR + VEC _ BASE + X of the EEPROM store the same instruction codes at this time. Where X represents the number of bytes.
And S5, executing the executable file by the chip, and preventing the chip from generating single event upset by refreshing the key code segment of the SRAM.
As shown in fig. 4, at the chip logical memory address 0x00000400, a single event reversal occurs, the code instruction becomes all 0, and the instruction code at 0x00000400 is different from the instruction code 0x0031C02A in the ROM. If the system executes the instruction code up to this point, it may cause the system to exception and even crash. After the instruction code of the refresh function of the invention is executed, before the system executes the instruction code at the address of 0x00000400, as shown in fig. 5, the instruction is refreshed to 0x0031C02A, thereby preventing the error caused by the single event upset and reducing the system failure rate.
In the invention, a refresh function and an embedded program are compiled together and run in time, and the instruction codes in the ROM are continuously copied into the VEC _ SEC section of the SRAM (the offset of the instruction code address in the ROM relative to the instruction code address in the VEC _ SEC section is ROM _ BASE _ ADDR). As shown in FIG. 1, the instruction code in the executable file corresponding to the refresh function is assigned solely to the TB _ SEC segment of the SRAM, and not to the pure code segment. Based on practical application considerations, the running time of the refresh function is not long enough, otherwise, the executable program is executed overtime to cause system failure, and in the embodiment of the present invention, the instruction code refreshed by each copy does not exceed 0x2000 bytes.
In some embodiments of the present invention, a plurality of refresh functions are provided in the main function.
In some embodiments of the invention, the plurality of refresh functions are used to refresh the same section of emphasis code.
In other embodiments of the present invention, the plurality of refresh functions are each configured to refresh a different section of emphasis code.
The invention utilizes the characteristic that the content of the ROM code segment is invariable, and based on a time trigger or event trigger mechanism, the code segment mirror image is rewritten into the corresponding code segment in the SRAM in time so as to cover the single event upset error in the code segment and ensure the correct execution of the executable program. The design method for resisting the single event upset by using the refreshing function does not need to change the hardware of the product, has self-adaptability and is easy to realize.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (7)
1. A satellite-borne digital signal processor single event upset resistant method, a chip comprises a nonvolatile memory ROM and a volatile memory SRAM, the SRAM comprises a plurality of code segments and a plurality of data segments, and the method is characterized by comprising the following steps:
selecting a code segment needing to be refreshed in an SRAM as a key code segment;
adding a refreshing function into a main function of a chip embedded program, wherein the refreshing function is used for refreshing an important code segment of the SRAM according to a code which is solidified in the ROM in a mirror image mode and corresponds to the important code segment;
compiling and linking the embedded program to generate a corresponding executable file, and curing the executable file mirror image into a ROM of the chip;
powering on a chip, loading the executable file, and storing the executable file into the code segment and the data segment of the SRAM;
the chip executes the executable file, and single event upset of the chip is prevented by refreshing key code segments of the SRAM.
2. The single event upset resistant method for the satellite-borne digital signal processor as claimed in claim 1, wherein a plurality of refreshing functions are arranged in the main function.
3. The method according to claim 1, wherein the plurality of refresh functions are used to refresh the same key code segment.
4. The on-board digital signal processor anti-single event upset method of claim 1, wherein the plurality of refresh functions are each configured to refresh a different highlight code segment.
5. The method according to claim 1, wherein the code with the set byte length in the key code segment is refreshed once.
6. The method according to claim 1, wherein the refresh code in the executable file corresponding to the refresh function is not stored in the key code segment.
7. The method for resisting the single event upset of the satellite-borne digital signal processor as claimed in claim 1, wherein the embedded program adopts any one of C language and assembly language.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010987369.1A CN112035290A (en) | 2020-09-18 | 2020-09-18 | Single event upset resistance method for satellite-borne digital signal processor |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010987369.1A CN112035290A (en) | 2020-09-18 | 2020-09-18 | Single event upset resistance method for satellite-borne digital signal processor |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112035290A true CN112035290A (en) | 2020-12-04 |
Family
ID=73573965
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010987369.1A Pending CN112035290A (en) | 2020-09-18 | 2020-09-18 | Single event upset resistance method for satellite-borne digital signal processor |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112035290A (en) |
-
2020
- 2020-09-18 CN CN202010987369.1A patent/CN112035290A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP3982639B2 (en) | Method for reading data from a memory having multi-level cells | |
| US9323602B2 (en) | Error correction with extended CAM | |
| KR101374455B1 (en) | Memory errors and redundancy | |
| US20090031169A1 (en) | Self-Repairing Of Microprocessor Array Structures | |
| JP2010165251A (en) | Information processing device, processor, and information processing method | |
| EP2770507B1 (en) | Memory circuits, method for accessing a memory and method for repairing a memory | |
| US20100037097A1 (en) | Virtual computer system, error recovery method in virtual computer system, and virtual computer control program | |
| US7302619B1 (en) | Error correction in a cache memory | |
| CN111176890A (en) | Data storage and exception recovery method for satellite-borne software | |
| US8650437B2 (en) | Computer system and method of protection for the system's marking store | |
| US20180004616A1 (en) | Fast write mechanism for emulated electrically eraseble (eee) system | |
| JPS59117800A (en) | One-bit error processing system of buffer storage | |
| US9396064B2 (en) | Error correction with secondary memory | |
| US20030131307A1 (en) | System and method of recovering from soft memory errors | |
| US20030217325A1 (en) | Method and apparatus for providing error correction within a register file of a CPU | |
| US8219860B2 (en) | Microprocessor system for controlling at least partly safety-critical processes | |
| US7240272B2 (en) | Method and system for correcting errors in a memory device | |
| US6898738B2 (en) | High integrity cache directory | |
| CN112035290A (en) | Single event upset resistance method for satellite-borne digital signal processor | |
| US20100235680A1 (en) | Microprocessor System for Controlling or Regulating at least partly Safety-Critical Processes | |
| US20090158089A1 (en) | Method for recognizing a power failure in a data memory and recovering the data memory | |
| CN111158660A (en) | Multi-mode satellite-borne software EEPROM on-orbit programming method | |
| US10452309B2 (en) | Method and device operating a memory device | |
| US7831889B2 (en) | Method and device for error detection for a cache memory and corresponding cache memory | |
| US7451270B1 (en) | System and method for detecting and correcting errors in a control system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |