CN113553112B - Vehicle, driving assistance system, and safe operation method for program thereof - Google Patents


Info

Publication number: CN113553112B
Authority: CN (China)
Legal status: Active
Application number: CN202010270139.3A
Other languages: Chinese (zh)
Other versions: CN113553112A
Inventors: 磨俊生, 曾文晓
Current assignee: BYD Co Ltd
Original assignee: BYD Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • B60R16/0231 Circuits relating to the driving or the functioning of the vehicle
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3604 Software analysis for verifying properties of programs
    • G06F11/3612 Software analysis for verifying properties of programs by runtime analysis
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Automation & Control Theory (AREA)
  • Mechanical Engineering (AREA)
  • Stored Programmes (AREA)

Abstract

The application discloses a vehicle, a driving assistance system and a safe operation method for a program thereof, wherein the method comprises the following steps: when the driving assistance system is powered on, the driving assistance system loads a bootstrap program in the first storage area; after the bootstrap program is loaded and run successfully, a self-check is carried out to determine the application program to be loaded; the bootstrap program determines the memory address information that the application program to be loaded should occupy; the bootstrap program reads the application program to be loaded from the application program storage area and loads it according to that memory address information; when the application program to be loaded is loaded and run successfully, a self-check is carried out and the operation state corresponding to the self-check result is recorded. The method can effectively monitor the running condition of the application programs, switch between application programs in a timely and accurate manner, greatly improve the flexibility of using the application programs, and at the same time provide a safety guarantee for the running of the driving assistance system program.

Description

Vehicle, driving assistance system, and safe operation method for program thereof
Technical Field
The present disclosure relates to the field of vehicle technologies, and in particular, to a vehicle, a driving assistance system, and a safe operation method of a program thereof.
Background
Driving assistance systems (ADAS for short) are a series of high-safety technology products whose market has grown rapidly in recent years. Once limited to the high-end market, they are gradually spreading to the mid-range market, and a number of lower-technology applications are becoming common in entry-level passenger cars. In addition, improved new sensor technology has brought a certain performance improvement to driving assistance systems, so their utilization rate has increased.
Although a driving assistance system has only an assisting function, it still has a certain influence on the running of the vehicle, and strict requirements are placed on the stability of its functions, so how to make the driving assistance system program run safely is a common concern for all car manufacturers and vehicle consumers.
In the related art, in order to ensure the stability of the function of a certain electric device in the driving assistance system, two main implementations are provided. One is a dual-controller scheme: after the function of the controller serving as the main controller fails, a standby controller replaces the main controller to perform the function the electric device should provide. The other is a program double-backup scheme: two programs are stored in the controller, and when the functions of the main program fail, the backup program replaces the main program to perform the function the electric device should provide.
However, the first solution is not well suited to the vehicle field, because the energy carried by a vehicle is limited: energy saving needs to be advocated, unnecessary loss of energy reduced and the driving range improved, and current new-energy vehicle types in particular focus on this in their design, so that vehicles are increasingly designed to be rational and lightweight. If the dual-controller scheme is implemented on the vehicle, then in addition to the spare controller required on the vehicle, the associated wiring harness is doubled, which increases cost on the one hand and weight and energy loss on the other. The second solution is limited in the prior art: when it is executed, the program used as the standby is simply set to start when a failure of the main program is detected, and how the main program checks its own running condition is not considered. In addition, how the main program and the standby program are scheduled is not made clear in that solution; it relies entirely on the two programs notifying each other of their running state. If the main program has no effective self-checking strategy, it still considers itself normal when an error occurs, does not stop running automatically and does not notify the standby program; moreover, whether the standby program can effectively judge whether the main program has started is not considered, so the standby program is equivalent to a dummy and performs no function.
Disclosure of Invention
The object of the present application is to solve at least to some extent one of the above technical problems.
Therefore, a first object of the present application is to provide a method for safely operating a driving assistance system program, in which the program storage area is newly defined, a relatively complete program self-checking system is established, and switching between application programs is scheduled by a bootstrap program, so that the running condition of the application programs can be effectively monitored and switching between application programs can be performed in a timely and accurate manner. The flexibility of using the application programs is greatly improved, and at the same time a safety guarantee is provided for the running of the driving assistance system program.
A second object of the present application is to propose a driving assistance system.
A third object of the present application is to propose a vehicle.
To achieve the above object, an embodiment of a first aspect of the present application proposes a method for safe operation of a driving assistance system program, the method comprising: when the driving assistance system is powered on, the driving assistance system loads a bootstrap program in a first storage area; after the bootstrap program is loaded and operated successfully, self-checking is carried out to determine an application program to be loaded from a plurality of application programs; the bootstrap program determines the memory address information which should be occupied by the application program to be loaded; the bootstrap program reads the application program to be loaded from an application program storage area for storing the application program to be loaded according to the memory address information to be occupied by the application program to be loaded; wherein each application program storage area stores an application program; and when the application program to be loaded is loaded and operated successfully, performing self-checking, and recording the operation state corresponding to the self-checking result.
According to the safe operation method of the driving assistance system program, when the driving assistance system is powered on, the driving assistance system loads the bootstrap program in the first storage area; after the bootstrap program is loaded and run successfully, a self-check is carried out to determine an application program to be loaded from a plurality of application programs; the bootstrap program determines the memory address information that the application program to be loaded should occupy; the bootstrap program reads the application program to be loaded from the application program storage area storing it, according to the memory address information that the application program to be loaded should occupy; wherein each application program storage area stores one application program; when the application program to be loaded is loaded and run successfully, a self-check is carried out, and the operation state corresponding to the self-check result is recorded. In the method, the program storage area is newly defined, a relatively complete program self-checking system is established, and switching between application programs is scheduled by the bootstrap program, so that the running condition of the application programs can be effectively monitored and switching between application programs can be performed in a timely and accurate manner; the flexibility of using the application programs is greatly improved, and at the same time a safety guarantee is provided for the running of the driving assistance system program.
To achieve the above object, an embodiment of a second aspect of the present application proposes a driving assistance system, including: a bootstrap starting module, used for loading a bootstrap program in the first storage area when the driving assistance system is powered on; the bootstrap program, used for carrying out a self-check after being loaded and run successfully so as to determine an application program to be loaded from a plurality of application programs, determining the memory address information the application program to be loaded should occupy, and reading the application program to be loaded from the application program storage area storing it according to that memory address information; wherein each application program storage area stores one application program; and the application program to be loaded, used for carrying out a self-check at regular intervals once it has been loaded and run successfully, and recording the operation state corresponding to the self-check result.
According to the driving assistance system, when the driving assistance system is powered on, the driving assistance system loads the bootstrap program in the first storage area; after the bootstrap program is loaded and run successfully, a self-check is carried out to determine an application program to be loaded from a plurality of application programs; the bootstrap program determines the memory address information that the application program to be loaded should occupy; the bootstrap program reads the application program to be loaded from the application program storage area storing it, according to the memory address information that the application program to be loaded should occupy; wherein each application program storage area stores one application program; when the application program to be loaded is loaded and run successfully, a self-check is carried out, and the operation state corresponding to the self-check result is recorded. By newly defining the program storage area, establishing a more complete program self-checking system and having the bootstrap program schedule the switching between application programs, the system can effectively monitor the running condition of the application programs and switch between application programs in a timely and accurate manner; the flexibility of using the application programs is greatly improved, and at the same time a safety guarantee is provided for the running of the driving assistance system program.
To achieve the above object, an embodiment of a third aspect of the present application proposes a vehicle including: the driving assistance system described in the above embodiment.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of a method of safe operation of a driving assistance system program according to one embodiment of the present application;
FIG. 2 is a schematic diagram of a program storage architecture according to one embodiment of the present application;
FIG. 3 is a schematic diagram of a bootstrap memory area framework, according to one embodiment of the present application;
FIG. 4 is a schematic diagram of an application storage area framework according to one embodiment of the present application;
FIG. 5 is a schematic diagram of an update file framework according to one embodiment of the present application;
FIG. 6 is a flow chart of a method of safe operation of a driving assistance system program according to another embodiment of the present application;
FIG. 7 is an example storage area 2 architecture definition map of a method of safe operation of a driving assistance system according to one embodiment of the present application;
FIG. 8 is an example storage area 3 architecture definition map of a method of safe operation of a driving assistance system according to one embodiment of the present application;
FIG. 9 is an example update file architecture definition diagram of a method of safe operation of a driving assistance system according to one embodiment of the present application;
FIG. 10 is a schematic structural diagram of a driving assistance system according to an embodiment of the present application.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
Fig. 1 is a flow chart of a method of safe operation of a driving assistance system program according to one embodiment of the present application.
As shown in fig. 1, the safe operation method of the driving assistance system program includes:
Step 101, when the driving assistance system is powered on, the driving assistance system loads the bootstrap program in the first storage area.
In the embodiment of the present application, as shown in fig. 2, the program storage area of the driving assistance system may be divided into three areas, for example, a first storage area (abbreviated as a storage area 1) is defined as storing a bootstrap program, a second storage area (abbreviated as a storage area 2) is defined as storing a first application program (abbreviated as an application program 1) which can be regarded as a main program, and a third storage area (abbreviated as a storage area 3) is defined as storing a second application program (abbreviated as an application program 2) which can be regarded as a backup program. It will be appreciated that there are several applications in the driving assistance system, and there are correspondingly several storage areas for storing applications, and each application storage area stores one application.
The storage area 1 may also be referred to as a boot program storage area, where the boot program is mainly used to accept an external device instruction to implement erasing and updating of an application program, and in this embodiment of the present application, when the driving assistance system is powered on, the driving assistance system may read the boot program from the storage area 1 to load the application program.
Optionally, the first storage area is provided with a first information recording area, and the recording information required by the first information recording area includes a last running application program mark, the memory size to be occupied and the memory address to be occupied of the current application program in each application program storage area, the total amount of data segments to be contained in each application program storage area, and version information of the current application program in each application program storage area; each application program storage area has a second information recording area and an execution program area therein; the second information recording area includes version information of the current application program, memory size occupied by the current application program, memory address information occupied by the current application program, total data segment content of the current application program, actual occupied memory size of the current application program, and program state recording information; the execution program area comprises a plurality of program blocks with predefined space size, each program block carries a data segment, and each data segment comprises a data segment serial number and program data content to be carried.
For example, as shown in fig. 3, take two application programs, one stored in the storage area 2 and the other in the storage area 3. A block of information recording area is additionally defined in the storage area 1, that is, the boot program storage area, and the information it is required to record is: the last-run application program flag; the memory size and memory address information the current program of the storage area 2 should occupy; the total amount of data segments the storage area 2 should contain; the current program version information of the storage area 2; the memory size and memory address information the current program of the storage area 3 should occupy; the total amount of data segments the storage area 3 should contain; and the current program version information of the storage area 3. The last-run application program flag takes the values 0, 1 and 2: the value 0 indicates that the bootstrap program is running for the first time and no application program has yet been loaded and run, which is usually the factory state or the state after the bootstrap program has performed an erase/update operation; the value 1 indicates that application program 1 was run last; the value 2 indicates that application program 2 was run last. The memory size that the current program of the storage area 2 and of the storage area 3 should occupy is given by one parameter each, namely G1 and G2, which at the factory are consistent with the memory size actually occupied by the current application program 1 or 2, and which, when the application program is subsequently updated, are obtained from the occupied-memory-size information (Δg, defined by the update file below) provided by the corresponding program update file.
The total data segment amounts of the storage area 2 and the storage area 3 are likewise given by one parameter each, namely M1 and M2, which at the factory are consistent with the end sequence number of the data segments of the current application program 1 or 2, and which, when the application program is subsequently updated, are obtained from the total-data-segment-amount information (ΔM, defined by the update file below) provided by the corresponding program update file. The memory address information corresponding to the storage area 2 and the storage area 3 is a fixed value that describes the address information of the regions of the memory space used as the storage area 2 and the storage area 3; this information mainly serves to let the boot program identify the regions corresponding to the storage area 2 and the storage area 3. The version information of the current program in the storage area 2 and of the current program in the storage area 3 is consistent at the factory with the version information of the current application program 1 or 2, and when the application program is subsequently updated it is obtained from the version information provided by the corresponding program update file. Program version information can be defined in many ways, for example the first version is V1.0, the second version is V1.1, and so on; the application does not limit this specifically.
In addition, as shown in fig. 4, again taking two application programs as an example, one stored in the storage area 2 and the other in the storage area 3, the storage areas 2 and 3 may also be called application program storage areas: the storage area 2 corresponds to the application program 1 storage area, the storage area 3 corresponds to the application program 2 storage area, and the application programs implement the various functions. In this embodiment, an information recording area and an execution program area are defined in each application program storage area, and the information recording area needs to record: the current program version information, the memory size and memory address information the current program should occupy, the total data segment quantity the current program should contain, the memory size actually occupied by the current program, and the program state record information. The current program version information records the actual version of the application program; that is, this information is bound to the application program and changes as the application program is updated. The memory size information the current program should occupy is provided by the boot program, i.e. it is consistent with the memory size information that the storage area 2/3 should occupy as recorded in the boot program. The memory address information the current program should occupy is also provided by the boot program, i.e. it is consistent with the memory address information corresponding to the storage area 2 or 3 in the boot program.
The total amount of data segments the current program should contain is also provided by the boot program, i.e. it is consistent with the total amount of data segments that the storage area 2 or the storage area 3 should contain as recorded in the boot program. The memory size actually occupied by the current program is obtained by automatic monitoring after the application program runs and describes the actual situation of the current application program. The flag bits included in (but not limited to) the program state record information are: the program data integrity state flag, the program data storage address state flag and the program data storage sequence state flag; every state flag has two states, 0 = error and 1 = normal. The execution program area consists of a number of program blocks of predefined size, each program block carries one data segment, and each data segment consists of a data segment serial number and the program data content to be carried; in the embodiment of the present application the data segment serial numbers of the storage area 2 and the storage area 3 use one parameter each, namely N1 and N2, and the program block numbers of the storage area 2 and the storage area 3 use one parameter each, namely n1 and n2. When the program blocks are filled, they are filled one by one in order (block 1, 2, 3 … n); the total number of program blocks is not a fixed value but is determined by the actual situation, and it cannot exceed the limit size of the execution program area allocated.
It should be noted that the driving assistance system is loaded with a complete set consisting of the boot program and the application programs when it leaves the factory, where the application program 1 in the storage area 2 is consistent with the application program 2 in the storage area 3, including information such as version information, memory size and data size, and the functions they implement are correspondingly consistent.
Step 102, after the bootstrap program is successfully loaded and executed, a self-check is performed to determine the application program to be loaded from the plurality of application programs.
In this embodiment of the present application, the bootstrap program may determine, according to the last running application flag, the application to be loaded in the last running, and determine, according to the program state record information, the application to be loaded from among the multiple application programs. See the description of the embodiments that follow.
Step 103, the bootstrap program determines the memory address information to be occupied by the application program to be loaded.
Step 104, the bootstrap program reads the application program to be loaded from an application program storage area for storing the application program to be loaded according to the memory address information to be occupied by the application program to be loaded; wherein each application storage area stores an application.
In this embodiment, the boot program may first determine the memory address information to be occupied by the application program to be loaded, for example, the memory address information to be occupied by the current program in the storage area 2 is 0x500000-0x8FFFFF. And then, the bootstrap program reads the application program to be loaded from an application program storage area for storing the application program to be loaded according to the memory address information which is required to occupy by the application program to be loaded. It should be noted that, the address information is understood to refer to the memory space region number, which is generally expressed in hexadecimal. In addition, each application storage area stores one application.
Step 105, when the application program to be loaded is loaded and run successfully, performing self-checking, and recording the operation state corresponding to the self-checking result.
In order to effectively monitor the running condition of the application programs and switch between them in a timely and accurate manner, in the embodiment of the present application the application program to be loaded performs a self-check once it has been loaded and run successfully, and the running state corresponding to the self-check result is recorded.
Optionally, when the application program to be loaded has been loaded and run successfully, whether the program data is complete is detected according to the memory size that the current application program should occupy as recorded in the second information recording area of the application program storage area to be loaded, the memory size actually occupied by the current application program as recorded there, the total data segment quantity the current application program should contain as recorded there, and the maximum sequence number of the actual data segments of the current application program in the execution program area of that storage area; whether the program storage address is correct is detected according to the memory address information that the current application program should occupy as recorded in the second information recording area of the application program storage area to be loaded and the area actually occupied by the application program in the execution program area of that storage area; whether the order of the stored program data is correct is detected according to the sequence number of each program block in the execution program area of the application program storage area to be loaded and the sequence number of the data segment it carries; and when the program data is detected to be complete, the program storage address is correct and the order of the stored program data is correct, it is determined that the self-check is complete.
For example, take two application programs, one stored in storage area 2 and the other in storage area 3. The self-check of an application program mainly checks whether an error has occurred in the application program of storage area 2 or storage area 3 during running, and automatically performs a software self-reset or a hardware restart when an error occurs. Application program 1 and application program 2 perform the self-check periodically after running; the period can be predefined according to the actual functional requirements of the driving assistance system. The self-check compares, in pairs, the memory size G that the current program should occupy (information recording area), the memory size g that the current program actually occupies (information recording area), the total number of data segments M (information recording area), the maximum sequence number N_max of the actual data segments of the current program (execution program area), the area occupied by the program (execution program area), the memory address information to be occupied (information recording area), the program block sequence number n (execution program area) and the data segment sequence number N (execution program area, checked block by block). If G = g and M = N_max, the program data integrity state flag in the program state record is set to 1; if G ≠ g or N_max ≠ M, the program data integrity state flag in the program state record is set to 0 as soon as either condition holds.
If the area occupied by the program is consistent with the recorded memory address information to be occupied, the program storage address is correct and the program data storage address state flag in the program state record is set to 1. If in every program block the program block sequence number n equals the data segment sequence number N, the program data storage order is correct and the program data storage sequence state flag in the program state record is set to 1; if in any block the block sequence number n differs from the data segment sequence number N, for example the 10th block has block sequence number n = 10 but its data segment sequence number N is not 10, the program storage data is out of order and the program data storage sequence state flag in the program state record is set to 0. Only when the program data integrity state flag, the program data storage address state flag and the program data storage sequence state flag are all 1 (normal) does the self-check finish normally and the current application program keep running.
When any one of the program data integrity state flag, the program data storage address state flag and the program data storage sequence state flag is 0 (error), the application program automatically performs a program software self-reset and repeats the self-check after the recovery attempt. In addition, the application program counts the recovery attempts: when the number of consecutively executed software self-resets is greater than the preset number, the application program error cannot be recovered automatically and the application program automatically performs a hardware restart, that is, a power-off and re-power-on operation. After re-powering, the bootstrap program runs first, finds through the self-check that the last running application program has an error, and finally selects the other application program, which is in a normal state, to load and run. When the number of times is less than or equal to the preset number, the bootstrap program re-executes the self-check.
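The self-check and the recovery policy described above, written out as an added C example (this is not code from the patent or from BYD): one application storage area is modelled with its second information recording area, its execution program area of numbered blocks and its program state record; the three checks set the three flags, and the recovery step escalates from software self-reset to hardware restart. The structure layout, the field names and the preset limit of 2 consecutive software self-resets are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the patent's code. Layout and names are assumptions. */
#define MAX_BLOCKS 8
#define PRESET_SOFT_RESETS 2   /* constructed limit; the patent leaves it predefined */

typedef struct {
    uint32_t block_no;    /* n: sequence number of the program block */
    uint32_t segment_no;  /* N: sequence number of the data segment stored in it */
} ProgramBlock;

typedef struct {
    /* second information recording area */
    uint32_t size_should;   /* G: memory size the program should occupy */
    uint32_t size_actual;   /* g: memory size the program actually occupies */
    uint32_t segs_should;   /* M: total data segments the program should contain */
    uint32_t addr_should;   /* start address the program should occupy */
    /* execution program area */
    uint32_t addr_actual;   /* start address the program actually occupies */
    ProgramBlock blocks[MAX_BLOCKS];
    size_t block_count;
    /* program state record: 1 = normal, 0 = error */
    uint8_t flag_data_complete;
    uint8_t flag_addr_ok;
    uint8_t flag_order_ok;
} AppArea;

/* N_max: highest data segment number present in the execution program area. */
static uint32_t max_segment_no(const AppArea *a) {
    uint32_t nmax = 0;
    for (size_t i = 0; i < a->block_count; i++)
        if (a->blocks[i].segment_no > nmax) nmax = a->blocks[i].segment_no;
    return nmax;
}

/* The three checks of the self-check, recorded into the program state record.
 * Returns true only when all three flags are 1. */
bool app_self_check(AppArea *a) {
    uint32_t nmax = max_segment_no(a);
    /* data integrity: G == g and M == N_max */
    a->flag_data_complete =
        (a->size_should == a->size_actual && a->segs_should == nmax) ? 1 : 0;
    /* storage address: occupied area matches the recorded address information */
    a->flag_addr_ok = (a->addr_should == a->addr_actual) ? 1 : 0;
    /* storage order: block number n equals data segment number N in every block */
    a->flag_order_ok = 1;
    for (size_t i = 0; i < a->block_count; i++)
        if (a->blocks[i].block_no != a->blocks[i].segment_no) { a->flag_order_ok = 0; break; }
    return a->flag_data_complete && a->flag_addr_ok && a->flag_order_ok;
}

typedef enum { ACTION_KEEP_RUNNING, ACTION_SOFT_RESET, ACTION_HARD_RESTART } RecoveryAction;

/* One periodic self-check plus the recovery decision: keep running on success;
 * otherwise count a software self-reset and escalate to a hardware restart
 * (power-off/on, after which the bootstrap program picks the other application)
 * once the consecutive reset count exceeds the preset limit. */
RecoveryAction app_recovery_step(AppArea *a, uint32_t *soft_reset_count) {
    if (app_self_check(a)) { *soft_reset_count = 0; return ACTION_KEEP_RUNNING; }
    (*soft_reset_count)++;
    return (*soft_reset_count > PRESET_SOFT_RESETS) ? ACTION_HARD_RESTART : ACTION_SOFT_RESET;
}

/* Constructed sample area: four 256-byte blocks at 0x08008000; with swap_blocks
 * set, blocks 2 and 3 carry each other's data segment (storage order error). */
AppArea make_sample_area(bool swap_blocks) {
    AppArea a = {0};
    a.size_should = a.size_actual = 4 * 256;
    a.segs_should = 4;
    a.addr_should = a.addr_actual = 0x08008000u;
    a.block_count = 4;
    for (uint32_t i = 0; i < 4; i++) {
        a.blocks[i].block_no = i + 1;
        a.blocks[i].segment_no = i + 1;
    }
    if (swap_blocks) {
        a.blocks[1].segment_no = 3;
        a.blocks[2].segment_no = 2;
    }
    return a;
}
```

Note that the swapped sample still passes the integrity check (sizes and N_max agree); only the block-by-block order check catches it, which is why the patent records the three results as separate flags.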
In addition, in the embodiment of the present application, when a function update requires updating the program, the driving assistance system may define and require an update file in the corresponding format according to the embodiment of the present application, and perform the update operation together with the corresponding program update equipment and software. After the program update starts, the bootstrap program receives a program update command sent by the corresponding program update equipment and software, and first verifies the check code of the update file to determine whether the update file is suitable for the driving assistance system. If the update file is suitable for the driving assistance system, the bootstrap program determines the application program to be updated according to the version information of the current application program in each application program storage area, recorded in the first information recording area of the first storage area, and imports the content of the data segment area of the update file into the application program storage area corresponding to the application program to be updated. After the content of the data segment area has been imported, the bootstrap program verifies the application program storage area corresponding to the application program to be updated to judge whether the update succeeded; if so, the bootstrap program detects whether the last running application program mark in the first information recording area of the first storage area points to the application program to be updated. If it does, the bootstrap program keeps the last running application program mark pointing to the updated application program; if it does not, the bootstrap program changes the last running application program mark to point to the updated application program.
For example, taking two application programs, one stored in storage area 2 and the other in storage area 3: if the bootstrap program finds that the update file is suitable for the driving assistance system, it compares the current program version of storage area 2 with the current program version of storage area 3 in its own information recording area; the principle is to update the application program with the lower version. For example, if the current program version of storage area 2 is V1.2 and the current program version of storage area 3 is V1.1, V1.2 is higher than V1.1, so the application program of storage area 3 is updated.
It should be noted that, in this embodiment, two areas, an information segment and a data segment, are defined for the update file, as shown in fig. 5. The information that must be recorded in the information segment area is: the information segment identifier, the current program version information, the memory size the current program should occupy, the total number of data segments the current program should contain, and the check code. The information segment identifier mainly serves as an index for the bootstrap program, so that it can correctly identify the information segment area and look up each piece of information in turn. The current program version information is the version of the program contained in the current update file; this information can be integrated together with the application program or imported manually later. The memory size the current program should occupy describes how much memory the program contained in the current update file occupies; this information can likewise be integrated with the application program or imported manually later, and in the embodiment of the present application it is represented by the parameter ΔG. The total number of data segments the current program should contain describes how many data segments the program contained in the current update file carries; this information can likewise be integrated with the application program or imported manually later, and in this embodiment it is represented by the parameter ΔM. The check code is mainly used to prevent a wrong update between different products; there are many possible check methods, and the present application does not limit them.
The data segment area is divided into a plurality of data segments; the front of each data segment carries a sequence number identifier, the program data content carried by each data segment is different, and together all the program data content forms the application execution program that actually realizes the function.
In the embodiment of the present application, the bootstrap program compares the current program version of storage area 2 with that of storage area 3 in its own information recording area; the principle is to update the application program with the lower version. As an example, when the current program version of storage area 2 is higher than that of storage area 3, the bootstrap program first detects whether the last running application program mark points to application program 2 of storage area 3. If it does, the mark still points to application program 2 of storage area 3 after the program update succeeds, and is changed to point to application program 1 of storage area 2 if the update finally fails. If the last running application program mark points to application program 1 of storage area 2, it is automatically changed to point to application program 2 of storage area 3 after the update succeeds, and remains pointing to application program 1 of storage area 2 if the update finally fails.
Regardless of what the last running application program mark indicates, the bootstrap program imports the content of the data segment area of the update file into storage area 3. After the data has been imported, the bootstrap program verifies storage area 3: it first compares the memory size ΔG that the current program of storage area 3 should occupy, obtained from the update file, with the memory size g2 that the current program actually occupies, from the information recording area of storage area 3, and then compares the total number of data segments ΔM of the current program of storage area 3, obtained from the update file, with the maximum sequence number N2_max of the actual data segments of the current program of storage area 3. If ΔG = g2 and ΔM = N2_max, the updated program data of storage area 3 is complete and consistent with the information recorded in the update file, the current program has been updated successfully, the current program version information in the application program information recording area of storage area 3 is updated to the latest version, and the current program version information of storage area 3 in the information recording area of the bootstrap program is updated to the latest version at the same time. If ΔG ≠ g2 or ΔM ≠ N2_max, that is, as soon as either holds, the program update has failed, and the bootstrap program retries importing the content of the data segment area of the update file into storage area 3 up to a certain (predefined) number of times. When the number of update attempts is exceeded, the current application program of storage area 3 cannot be updated; the current program version information of storage area 3 and the current program version information in the bootstrap program information recording area both stay at the original version of storage area 3, and in addition the bootstrap program and application program 1 of storage area 2 can record the failure that application program 2 of storage area 3 could not be updated.
As another example, when the current program version of storage area 2 is lower than that of storage area 3, the bootstrap program first detects whether the last running application program mark points to application program 1 of storage area 2. If it does, the mark still points to application program 1 of storage area 2 after the program update succeeds, and is changed to point to application program 2 of storage area 3 if the update finally fails. If the last running application program mark points to application program 2 of storage area 3, it is automatically changed to point to application program 1 of storage area 2 after the update succeeds, and remains pointing to application program 2 of storage area 3 if the update finally fails. Regardless of what the last running application program mark indicates, the bootstrap program imports the content of the data segment area of the update file into storage area 2. After the data has been imported, the bootstrap program verifies storage area 2: it first compares the memory size ΔG that the current program of storage area 2 should occupy, obtained from the update file, with the memory size g1 that the current program actually occupies, from the information recording area of storage area 2, and then compares the total number of data segments ΔM of the current program of storage area 2, obtained from the update file, with the maximum sequence number N1_max of the actual data segments of the current program of storage area 2. If ΔG = g1 and ΔM = N1_max, the updated program data of storage area 2 is complete and consistent with the information recorded in the update file, the current program has been updated successfully, the current program version information in the application program information recording area of storage area 2 is updated to the latest version, and the current program version information of storage area 2 in the information recording area of the bootstrap program is updated to the latest version at the same time. If ΔG ≠ g1 or ΔM ≠ N1_max, that is, as soon as either holds, the program update has failed, and the bootstrap program retries importing the content of the data segment area of the update file into storage area 2 up to a certain (predefined) number of times. When the number of update attempts is exceeded, the current application program of storage area 2 cannot be updated; the current program version information of storage area 2 and the current program version information in the bootstrap program information recording area both stay at the original version of storage area 2, and in addition the bootstrap program and application program 2 of storage area 3 both record the failure that application program 1 of storage area 2 could not be updated.
As yet another example, when the current program version of storage area 2 is the same as that of storage area 3, the procedure is the same as in the case where the current program version of storage area 2 is lower than that of storage area 3.
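The update flow of the three cases above (lower version is updated, ties go to storage area 2, verification of ΔG and ΔM against the imported area, bounded retries, and the last-run mark rules on success and failure), as an added C example that is not code from the patent or from BYD. Index 0 stands for storage area 2 / application program 1 and index 1 for storage area 3 / application program 2. The check-code rule (the file must carry a fixed product code), the retry limit of 3, the version encoding and the fault-injection knob used to simulate a failed import are assumptions made for this example; the patent leaves the check method and the retry count open.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not the patent's code. Layout and names are assumptions. */
#define MAX_SEGS 8
#define PRESET_UPDATE_RETRIES 3     /* constructed; the patent says "predefined" */
#define PRODUCT_CHECK_CODE 0x4441u  /* assumed check rule: file must carry this code */

typedef struct { uint32_t seq; uint32_t len; } DataSegment;   /* payload omitted */

typedef struct {            /* update file: information segment + data segment area */
    uint16_t version;       /* e.g. 0x0103 for V1.3 (assumed encoding) */
    uint32_t delta_g;       /* ΔG: memory size the contained program should occupy */
    uint32_t delta_m;       /* ΔM: total number of data segments */
    uint32_t check_code;
    size_t seg_count;
    DataSegment segs[MAX_SEGS];
} UpdateFile;

typedef struct {            /* one application storage area */
    uint16_t version;       /* current program version in its information recording area */
    uint32_t size_actual;   /* g: memory actually occupied after import */
    uint32_t seg_max;       /* N_max: highest data segment number in the execution area */
    uint8_t update_failed;  /* record that this area could not be updated */
} AppArea;

typedef struct {            /* bootstrap program's first information recording area */
    uint8_t last_run;       /* 0 none, 1 app 1 (area 2), 2 app 2 (area 3) */
    uint16_t version[2];    /* version of each area as recorded by the bootstrap program */
    AppArea area[2];
} System;

typedef enum { UPD_REJECTED, UPD_OK, UPD_FAILED } UpdateResult;

/* Import the data segment area. Constructed fault injection: while *faults is
 * positive the import drops its last segment, so the verification below fails. */
static void import_segments(AppArea *dst, const UpdateFile *f, int *faults) {
    size_t n = f->seg_count;
    if (*faults > 0) { (*faults)--; if (n > 0) n--; }
    dst->size_actual = 0;
    dst->seg_max = 0;
    for (size_t i = 0; i < n; i++) {
        dst->size_actual += f->segs[i].len;
        if (f->segs[i].seq > dst->seg_max) dst->seg_max = f->segs[i].seq;
    }
}

/* Target selection: the lower version; on equal versions storage area 2. */
int update_select_target(const System *s) {
    return (s->area[0].version <= s->area[1].version) ? 0 : 1;
}

UpdateResult update_apply(System *s, const UpdateFile *f, int faults) {
    if (f->check_code != PRODUCT_CHECK_CODE) return UPD_REJECTED;  /* not for this product */
    int t = update_select_target(s);
    uint8_t target_flag = (uint8_t)(t + 1), other_flag = (uint8_t)(2 - t);
    AppArea *a = &s->area[t];
    for (int attempt = 0; attempt < PRESET_UPDATE_RETRIES; attempt++) {
        import_segments(a, f, &faults);
        /* verification: ΔG == g and ΔM == N_max */
        if (a->size_actual == f->delta_g && a->seg_max == f->delta_m) {
            a->version = f->version;
            s->version[t] = f->version;   /* bootstrap record follows the area */
            s->last_run = target_flag;    /* mark points at the updated application */
            a->update_failed = 0;
            return UPD_OK;
        }
    }
    /* all attempts failed: versions stay unchanged, the failure is recorded, and
     * the mark must not be left pointing at the application that failed to update */
    a->update_failed = 1;
    if (s->last_run == target_flag) s->last_run = other_flag;
    return UPD_FAILED;
}

/* Constructed sample: V1.2 in storage area 2, V1.1 in storage area 3. */
System make_sample_system(uint8_t last_run) {
    System s = {0};
    s.last_run = last_run;
    s.area[0].version = 0x0102; s.area[0].size_actual = 1024; s.area[0].seg_max = 2;
    s.area[1].version = 0x0101; s.area[1].size_actual = 1024; s.area[1].seg_max = 2;
    s.version[0] = 0x0102; s.version[1] = 0x0101;
    return s;
}

/* Constructed sample update file: V1.3, three 512-byte segments numbered 1..3. */
UpdateFile make_sample_update(uint32_t check_code) {
    UpdateFile f = {0};
    f.version = 0x0103; f.delta_g = 3 * 512; f.delta_m = 3; f.check_code = check_code;
    f.seg_count = 3;
    for (uint32_t i = 0; i < 3; i++) { f.segs[i].seq = i + 1; f.segs[i].len = 512; }
    return f;
}
```

The point worth noticing for a reviewer of such a bootloader is the failure branch: the version fields are deliberately left at the old value even though the execution area now holds partially imported data, so the next boot relies on the integrity check (G against g, M against N_max) rather than on the version record to decide that the area is unusable.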
In summary, new definitions are provided for the architecture of the program storage areas and of the program update file, a relatively complete program self-check system is established, and switching between the application programs is scheduled by the bootstrap program, so that the running condition of the main and standby application programs can be monitored effectively and the switch between them can be carried out timely and accurately. In addition, during a program update the bootstrap program takes the lead: one of the application programs is selected for updating while the other remains at the lower version, so that, if the latest version program turns out to have defects, the bootstrap program can be controlled to call the application program that is at the lower version but functionally stable. This greatly improves the flexibility of program use and at the same time provides a safety guarantee for the running of the system program.
Optionally, as shown in fig. 6, the bootstrap program determines the application program loaded in the last run according to the mark of the application program in the last run, and determines the application program to be loaded from a plurality of application programs according to the program state record information, and the specific implementation process is as follows:
at step 601, after the boot program is successfully loaded and executed, the last-executed application flag is acquired from the first information recording area of the first storage area.
It can be understood that the first storage area is provided with a first information recording area, and the recording information required by the first information recording area includes a last running application program mark, the memory size and memory address information to be occupied by the current application program in each application program storage area, the total data segment amount to be contained in each application program storage area, and the version information of the current application program in each application program storage area. Thus, after the boot program is successfully loaded and executed, the last-executed application flag can be acquired in the first information recording area of the first storage area.
In step 602, the bootstrap program determines the application program loaded in the last run according to the mark of the application program in the last run.
In this embodiment of the present application, the number of application programs is two, where application program 1 is stored in storage area 2, application program 2 is stored in storage area 3, and the last running application program mark may be divided into three states, i.e. 0, 1, and 2, where if the last running application program mark is 0, it indicates that the driving assistance system is first powered on and running, and no application program is loaded; if the last running application mark is 1, the last running application 1 is indicated; if the last running application flag is 2, the last running application 2 is indicated.
Step 603, the bootstrap program obtains the program status record information from the second information record area of the first application program storage area; the first application program storage area is an application program storage area used for storing the application program loaded by the last operation.
In this embodiment of the present application, the record information in the second information recording area of the first application storage area includes version information of the current application, memory size and address information that should be occupied by the current application, total amount of data segments that should be included by the current application, actual occupied memory size of the current application, and program status record information, so that the boot program may obtain the program status record information from the second information recording area of the first application storage area. The first application program storage area is an application program storage area for storing the application program loaded by the last operation.
In step 604, the bootstrap program determines the application program to be loaded from the plurality of application programs according to the program status record information.
In this embodiment of the present application, when the number of application programs is two, the bootstrap program determines the application program to be loaded from the plurality of application programs according to the program state record information as follows. It detects, from the program state record information, whether all states of the application program loaded in the last run are normal. If they are all normal, the bootstrap program determines that the application program loaded in the last run is the application program to be loaded. If any state is abnormal, the bootstrap program detects whether the memory size the current application program should occupy, recorded in the second information recording area of the second application program storage area, matches the memory size the current application program actually occupies, where the second application program storage area stores the second application program, that is, the application program other than the one loaded in the last run; and it detects whether the total number of data segments the current application program should contain, recorded in the second information recording area of the second application program storage area, matches the maximum sequence number of the actual data segments of the current application program in the execution program area of the second application program storage area. If the memory size the current application program should occupy matches the memory size it actually occupies, and the total number of data segments it should contain matches the maximum sequence number of its actual data segments in the execution program area of the second application program storage area, the bootstrap program determines the application program stored in the second application program storage area as the application program to be loaded.
In addition, if the memory size occupied by the current application program recorded in the second information recording area of the second application program storage area is inconsistent with the memory size actually occupied by the current application program, and/or the total data segment quantity of the current application program recorded in the second information recording area of the second application program storage area is inconsistent with the maximum serial number of the actual data segment of the current application program in the execution program area of the second application program storage area, determining that the plurality of application programs cannot execute the corresponding functions, and sending fault information to external equipment.
For example, take two application programs, with application program 1 stored in storage area 2 and application program 2 stored in storage area 3. When the last running application program mark is 1, indicating that application program 1 ran last, the bootstrap program checks whether all the state flags recorded in the program state record of storage area 2 are 1 (all states normal); these flags are set by the self-check while the application program runs. If all the state flags are 1, the bootstrap program continues to load and run the current program of storage area 2, and the last running application program mark stays 1. If any state flag is 0 (0 = error), the current program in storage area 2 has a problem and the bootstrap program gives up loading application program 1. Because application program 1 ran last, application program 2 was idle and all its state flags may still be in their initial state, so the bootstrap program instead checks whether the memory size G2 that the current program of storage area 3 should occupy equals the memory size g2 it actually occupies, and whether the total number of data segments M2 of the current program of storage area 3 equals the maximum sequence number N2_max of its actual data segments. If G2 = g2 and M2 = N2_max, the actual memory size and total number of data segments of the current program of storage area 3 agree with the information recorded by the bootstrap program, so the bootstrap program loads and runs the current program of storage area 3, namely application program 2, and sets the last running application program mark to 2. If G2 ≠ g2 or N2_max ≠ M2, the current program of storage area 3 is not usable either, neither of the two application programs can perform the corresponding function, and the bootstrap program reports fault information externally, that is, it notifies other external products or monitoring modules that the current driving assistance system cannot perform its intended function.
When the last running application program mark is 2, indicating that application program 2 ran last, the bootstrap program checks whether all the state flags in the program state record of storage area 3 are 1 (all states normal); these flags are set by the self-check while the application program runs. If all the state flags are 1, the bootstrap program continues to load and run the current program of storage area 3, and the last running application program mark stays 2. If any state flag is 0 (0 = error), the current program in storage area 3 has a problem and cannot perform its function, and the bootstrap program gives up loading application program 2. Because application program 2 ran last, application program 1 was idle and all its state flags may still be in their initial state, so the bootstrap program instead checks whether the memory size G1 that the current program of storage area 2 should occupy equals the memory size g1 it actually occupies, and whether the total number of data segments M1 of the current program of storage area 2 equals the maximum sequence number N1_max of its actual data segments. If G1 = g1 and M1 = N1_max, the actual memory size and total number of data segments of the current program of storage area 2 agree with the information recorded by the bootstrap program, so the bootstrap program loads and runs the current program of storage area 2, namely application program 1, and sets the last running application program mark to 1. If G1 ≠ g1 or N1_max ≠ M1, the current program of storage area 2 is not usable either, neither of the two application programs can perform the corresponding function, and the bootstrap program reports fault information externally, that is, it notifies other external products or monitoring modules that the current driving assistance system cannot perform its intended function.
In addition, it should also be noted that, when the bootstrap program determines from the last running application program mark that no application program has been loaded, it detects one by one whether the application program in each application program storage area is complete, according to the memory address information to be occupied by the current application program in each application program storage area, recorded in the first information recording area of the first storage area; when the application program in the currently checked application program storage area is detected to be complete, the bootstrap program determines that application program as the application program to be loaded.
In the embodiment of the present application, the bootstrap program detects whether the memory size the current application program of each application program storage area should occupy, recorded in the first information recording area of the first storage area, and the memory size the current application program should occupy, recorded in the second information recording area of each application program storage area, are consistent with the memory size the current application program actually occupies; and it detects whether the total number of data segments each application program storage area should contain, recorded in the first information recording area of the first storage area, is consistent with the maximum sequence number of the actual data segments of the current application program in the execution program area of each application program storage area. If the memory size the current application program of an application program storage area should occupy, recorded in the first information recording area of the first storage area, is consistent with the memory size the current application program actually occupies, recorded in the second information recording area of that application program storage area, and the total number of data segments that application program storage area should contain, recorded in the first information recording area of the first storage area, is consistent with the maximum sequence number of the actual data segments of the current application program in the execution program area of that application program storage area, the application program in that application program storage area is judged complete. If the memory size is inconsistent and/or the total number of data segments is inconsistent with the maximum sequence number of the actual data segments, the application program in that application program storage area is judged incomplete.
For example, take two application programs, with application program 1 stored in storage area 2 and application program 2 stored in storage area 3. When the last running application program mark is 0, that is, the driving assistance system is powered on and running for the first time and no application program has been loaded, the bootstrap program checks the integrity of the application programs in storage area 2 and storage area 3 one by one according to the recorded memory address information, starting from storage area 2 by default. First, the bootstrap program compares the memory size G1 that the current program of storage area 2 should occupy, from its own information recording area, with the memory size g1 that the current program actually occupies, from the information recording area of storage area 2. If G1 = g1, the bootstrap program further compares the total number of data segments M1 of the current program, from its own information recording area, with the maximum sequence number N1_max of the actual data segments of the current program in the execution program area of storage area 2. If N1_max = M1, the actual memory size and total number of data segments of the current program of storage area 2 agree with the information recorded by the bootstrap program, so the bootstrap program loads and runs the current program of storage area 2, application program 1, and sets the last running application program mark to 1. If G1 ≠ g1 or N1_max ≠ M1, the current program of storage area 2 is not usable; the bootstrap program gives up loading application program 1 and checks storage area 3 instead. Similarly, the bootstrap program checks whether the memory size G2 that the current program of storage area 3 should occupy equals the memory size g2 it actually occupies, and whether the total number of data segments M2 of the current program of storage area 3 equals the maximum sequence number N2_max of its actual data segments. If G2 = g2 and M2 = N2_max, the actual memory size and total number of data segments of the current program of storage area 3 agree with the information recorded by the bootstrap program, so the bootstrap program loads and runs the current program of storage area 3, namely application program 2, and sets the last running application program mark to 2. If G2 ≠ g2 or N2_max ≠ M2, the current program of storage area 3 is not usable either, neither of the two application programs can perform the corresponding function, and the bootstrap program reports fault information externally, that is, it notifies other external products or monitoring modules that the current driving assistance system cannot perform its intended function.
In summary, new definitions are given for the architecture of the program storage area and the program update file, a relatively complete program self-checking system is established, and switching between application programs is scheduled by the bootstrap program, so that the running condition of the main and standby application programs can be effectively monitored and the switch between them can be made timely and accurately. In addition, when the program is updated, the bootstrap program takes the leading role: one of the application programs is selected for updating while the other is kept at the lower version, so that if the latest version turns out to have defects, the bootstrap program can be directed to call the lower-version but functionally stable application program. This greatly improves the flexibility of program use and at the same time provides a safety guarantee for the running of the system program.
To better illustrate the above embodiments, the present application is further described below with reference to a specific embodiment. In this embodiment, a complete set consisting of a bootstrap program and application programs is already installed when the driving assistance system leaves the factory. All information records in the information recording area of the bootstrap program in storage area 1 are shown in Table 1, the overall state of storage area 2 is shown in Fig. 7, and the overall state of storage area 3 is shown in Fig. 8. As market demand requires, the functions of the driving assistance system are updated; the overall layout of the update file for the new version of the function application program is shown in Fig. 9.
TABLE 1
(Information records in the information recording area of the bootstrap program, storage area 1; the table is reproduced only as an image in the original.)
Self-check of the driving assistance system at the first power-on. Every time the system is powered on it first executes the bootstrap program, and as soon as the bootstrap program runs it starts its self-check. It first checks the value of the last running application program flag; because this is the first run after leaving the factory, the bootstrap program finds the flag to be 0, i.e. no application program has been loaded. It therefore checks the integrity of the application programs in storage area 2 and storage area 3 one by one according to the recorded memory address information, starting by default from storage area 2. First, the bootstrap program compares the memory size G1 that the current program of storage area 2 should occupy, recorded in the bootstrap program's information recording area, with the memory size g1 actually occupied by the current program, recorded in the information recording area of storage area 2. Because the system was verified when it left the factory, the program cannot have problems, so G1 and g1 are necessarily equal; as shown in Table 1 and Fig. 7, both are 64K. The bootstrap program further compares the total data segment amount M1 of the current program of storage area 2, recorded in its own information recording area, with the maximum serial number N1max of the actual data segments of the current program in the execution program area of storage area 2; as shown in Table 1 and Fig. 7, N1max and M1 are both 300. This indicates that the actual memory size and total data segment amount of the current program of storage area 2 are consistent with the information recorded by the bootstrap program, so the bootstrap program loads and runs the current program of storage area 2, namely application program 1, and sets the last running application program flag to 1.
After application program 1 is running, it performs a self-check at a fixed interval of 5 s. The application program first compares the memory size G1 that the current program should occupy, recorded in its information recording area, with the memory size g1 actually occupied by the current program; as shown in Fig. 7, both are 64K. It then compares the total data segment amount M1 in its information recording area with the maximum serial number N1max of the actual data segments of the current program in the execution program area; as shown in Fig. 7, M1 = N1max = 300, which indicates that the stored program data are complete, so the program data completeness status flag in the program state record remains 1 (normal). Next, the application program identifies the memory space actually occupied by its current execution program area and compares it with the memory address information it should occupy, recorded in the information recording area. Because the system was verified when it left the factory, the program memory address must be correct, so the program data memory address status flag in the program state record is set to 1. Finally, the application program checks each program block in the execution program area, comparing the storage sequence number n of each program block with the serial number N of the data segment it carries. As shown in Fig. 7, every program block satisfies program data storage sequence number n = data segment serial number N, so the program storage order is correct and the program data storage sequence status flag in the program state record remains 1.
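The bootstrap program's start-up decision (flag 0 scan with fallback and fault report, and the flag-driven path that consults the program state record) and the application program's 5 s self-check described in the passages above, as an added Python simulation that is not the patent's or BYD's code; the class and field names, the memory addresses and the corruption scenarios are assumptions, while 64K, 300 and V1.0 are the embodiment's own figures.

```python
"""Simulation of the bootstrap program's start-up self-check (storage areas 2 and 3 holding
application programs 1 and 2) and of the application program's timed self-check, as described
above.  Added illustration, not code from the patent or from BYD: class and field names and
the addresses are constructed; 64K, 300 and V1.0 are the figures given in the description."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int  # data segment serial number N carried by the program block


@dataclass
class ProgramState:
    """Program state record in the second information recording area (1 = normal)."""
    data_complete: int = 1
    address_ok: int = 1
    order_ok: int = 1

    def all_normal(self):
        return (self.data_complete, self.address_ok, self.order_ok) == (1, 1, 1)


@dataclass
class AppArea:
    """Application program storage area: second information recording area fields plus an
    execution program area made of fixed-size program blocks."""
    version: str
    size_should: int     # memory size the current program should occupy
    size_actual: int     # memory size actually occupied (g)
    total_segments: int  # total data segments the program should contain (M)
    addr_should: int     # memory address the program should occupy
    addr_actual: int     # address at which the execution program area actually starts
    blocks: list         # execution program area, one Segment per program block
    state: ProgramState = field(default_factory=ProgramState)

    def max_seq(self):   # N_max: largest data segment serial number actually present
        return max((s.seq for s in self.blocks), default=0)


@dataclass
class BootInfo:
    """First information recording area (storage area 1), keyed by application number."""
    last_run: int         # last running application program flag; 0 = nothing loaded yet
    size: dict            # G: memory size each current application program should occupy
    total_segments: dict  # M: total data segments each application program should contain
    version: dict


def integrity_ok(boot, apps, app):
    """Bootstrap integrity check of one storage area: G == g and M == N_max."""
    a = apps[app]
    return boot.size[app] == a.size_actual and boot.total_segments[app] == a.max_seq()


def application_self_check(area):
    """Self-check the application runs every 5 s; it rewrites its own program state record."""
    area.state.data_complete = int(area.size_should == area.size_actual
                                   and area.total_segments == area.max_seq())
    area.state.address_ok = int(area.addr_should == area.addr_actual)
    # storage-order check: the block in position n must carry data segment serial number N == n
    area.state.order_ok = int(all(s.seq == n for n, s in enumerate(area.blocks, start=1)))
    return area.state


def select_application(boot, apps, order=(1, 2)):
    """Application number the bootstrap decides to load, or None when neither is usable."""
    if boot.last_run == 0:
        # first power-on: check the areas one by one, starting by default with application 1
        return next((app for app in order if integrity_ok(boot, apps, app)), None)
    last = boot.last_run
    if apps[last].state.all_normal():
        return last
    # the last-run application recorded an abnormal state: switch if the other image is intact
    return next((app for app in order if app != last and integrity_ok(boot, apps, app)), None)


def boot_sequence(boot, apps):
    """Returns the application number loaded, or 'FAULT' when fault information is reported."""
    app = select_application(boot, apps)
    if app is None:
        return "FAULT"   # notify other external products or the monitoring module
    boot.last_run = app  # flag now points to the application that was loaded and run
    return app


def factory_sample():
    """Constructed factory state: both application programs V1.0, 64K, 300 data segments."""
    def fresh(base):
        return AppArea("V1.0", 64 * 1024, 64 * 1024, 300, base, base,
                       [Segment(n) for n in range(1, 301)])
    apps = {1: fresh(0x8000), 2: fresh(0x18000)}
    boot = BootInfo(0, {1: 64 * 1024, 2: 64 * 1024}, {1: 300, 2: 300}, {1: "V1.0", 2: "V1.0"})
    return boot, apps
```

Losing a single program block in application 1 makes its own self-check record an abnormal state, and the next `boot_sequence` switches to application 2 without any external intervention.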
When the functions of the driving assistance system are upgraded and the program needs to be updated, the corresponding program update equipment and software are connected and the program update begins. The bootstrap program receives the program update command sent by the update equipment and software, and first performs a check according to the check code of the update file; a successful check indicates that the update file is suitable for this driving assistance system, and only then does the procedure move to the next step. The bootstrap program compares, in its own information recording area, the current program version of storage area 2 with that of storage area 3. Because both application programs are the first-version program of the factory state, namely V1.0, the bootstrap program selects the application program of storage area 2 by default. Before executing the update, the bootstrap program also detects whether the last running application program flag points to application program 1 of storage area 2; according to the result of the bootstrap program's self-check after the first power-on of the driving assistance system, the flag does point to application program 1 of storage area 2. Regardless of what the last running application program flag indicates, the bootstrap program imports the content of the data segment area of the update file into storage area 2. After the data content has been imported, the bootstrap program checks storage area 2. It first compares the memory size ΔG occupied by the new current program of storage area 2, obtained from the update file, with the memory size g1 actually occupied by the current program, recorded in the information recording area of storage area 2. As shown in Fig. 9, ΔG = 128K; if the data content has been imported successfully, g1 changes from the original 64K to 128K, so ΔG = g1. The bootstrap program then compares the total data segment amount ΔM of the new current program of storage area 2, obtained from the update file, with the maximum serial number N1max of the actual data segments of the current program of storage area 2. As shown in Fig. 9, the information segment area of the update file gives the total data segment amount that the current program should contain (the total data segment amount of the current program of storage area 2) as ΔM = 600; when the data content has been imported successfully, N1max changes from 300 to 600, so ΔM = N1max. ΔG = g1 and ΔM = N1max together indicate that the current program has been updated successfully. The version information of the current program in the application program information recording area of storage area 2 is updated to the latest version, V1.1, and the version information of the current program of storage area 2 in the bootstrap program's information recording area is also updated to V1.1.
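The update flow just described, as an added Python simulation that is not the patent's or BYD's code: the page does not specify the check-code algorithm, so a CRC-32 over the data segment area is assumed, and all values other than the embodiment's 64K/128K, 300/600 and V1.0/V1.1 are constructed. It also shows the two failure paths the description implies: a file whose check code does not verify is refused before anything is written, and an import that stops early leaves the other application untouched at its lower version.

```python
"""Simulation of the program update flow of the embodiment above.  Added example, not code
from the patent or from BYD.  The check-code algorithm is not given on the page, so a CRC-32
over the data segment area is assumed; apart from the 64K/128K, 300/600 and V1.0/V1.1 figures
from the description, all values are constructed."""
import zlib
from dataclasses import dataclass


@dataclass
class UpdateFile:
    version: str     # version of the new program
    delta_g: int     # memory size the new program occupies (ΔG)
    delta_m: int     # total data segments the new program contains (ΔM)
    segments: list   # data segment area: (serial number, program data) pairs
    check_code: int  # check code over the data segment area


def check_code_of(segments):
    """Assumed check code: CRC-32 chained over serial number and data of every segment."""
    crc = 0
    for seq, data in segments:
        crc = zlib.crc32(seq.to_bytes(4, "big") + data, crc)
    return crc


def make_update(version, delta_g, delta_m):
    """Constructed update file carrying delta_m data segments of filler content."""
    segs = [(n, b"\xa5" * 16) for n in range(1, delta_m + 1)]
    return UpdateFile(version, delta_g, delta_m, segs, check_code_of(segs))


def version_key(v):  # "V1.1" -> (1, 1), so that versions compare numerically
    return tuple(int(x) for x in v.lstrip("Vv").split("."))


class Area:
    """Application program storage area (application programs 1 and 2 live in areas 2 and 3)."""
    def __init__(self, version, size, total):
        self.version = version                   # second information recording area
        self.size_actual = size                  # g: memory size actually occupied
        self.blocks = list(range(1, total + 1))  # serial numbers of the stored data segments

    def max_seq(self):
        return max(self.blocks, default=0)


class Boot:
    """First information recording area, in the factory state of the embodiment."""
    def __init__(self):
        self.last_run = 1
        self.version = {1: "V1.0", 2: "V1.0"}
        self.size = {1: 64 * 1024, 2: 64 * 1024}  # G
        self.total_segments = {1: 300, 2: 300}    # M


def factory():
    return Boot(), {1: Area("V1.0", 64 * 1024, 300), 2: Area("V1.0", 64 * 1024, 300)}


def choose_target(boot):
    """Update the lower-version application; application 1 (storage area 2) when equal."""
    return min((1, 2), key=lambda app: (version_key(boot.version[app]), app))


def import_segments(area, upd, interrupted_after=None):
    """Import the data segment area; interrupted_after models a transfer that stops early."""
    segs = upd.segments if interrupted_after is None else upd.segments[:interrupted_after]
    area.blocks = [seq for seq, _ in segs]
    # constructed model: occupied size grows in proportion to the segments written
    area.size_actual = upd.delta_g * len(segs) // len(upd.segments)


def apply_update(boot, areas, upd, interrupted_after=None):
    """Bootstrap-driven update of one application; the other stays untouched at its version."""
    if check_code_of(upd.segments) != upd.check_code:
        return "REJECTED: check code mismatch, file not suitable for this system"
    app = choose_target(boot)
    area = areas[app]
    import_segments(area, upd, interrupted_after)
    # post-import check: ΔG == g and ΔM == N_max in the target storage area
    if upd.delta_g != area.size_actual or upd.delta_m != area.max_seq():
        return f"FAILED: application {app} did not verify after import"
    area.version = upd.version         # second information recording area
    boot.version[app] = upd.version    # first information recording area
    # assumption: G and M records are refreshed too, since the next power-on check uses them
    boot.size[app], boot.total_segments[app] = upd.delta_g, upd.delta_m
    boot.last_run = app                # flag kept on, or redirected to, the updated application
    return f"OK: application {app} updated to {upd.version}"
```

After the V1.1 update of application 1, `choose_target` picks application 2 for the next update, so the two storage areas alternate and one stable version is always kept.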
According to the safe operation method of the driving assistance system program, when the driving assistance system is powered on, it loads the bootstrap program in the first storage area; after the bootstrap program has been loaded and run successfully, it performs a self-check to determine the application program to be loaded from among a plurality of application programs; the bootstrap program determines the memory address information that the application program to be loaded should occupy; the bootstrap program reads the application program to be loaded, according to that memory address information, from the application program storage area that stores it, each application program storage area storing one application program; and when the application program to be loaded has been loaded and run successfully, it performs a self-check and records the running state corresponding to the self-check result. By giving new definitions for the architecture of the program storage area and the program update file, the method establishes a complete program self-checking system, and switching between application programs is scheduled by the bootstrap program, so that the running condition of the main and standby application programs can be effectively monitored and the switch between them can be made timely and accurately.
In addition, when the program is updated, the bootstrap program takes the leading role: one of the application programs is selected for updating while the other is kept at the lower version, so that if the latest version turns out to have defects, the bootstrap program can be directed to call the lower-version but functionally stable application program. This greatly improves the flexibility of program use and at the same time provides a safety guarantee for the running of the system program.
Corresponding to the safe operation method of the driving assistance system program provided in the above embodiments, an embodiment of the present application further provides a driving assistance system. Since this driving assistance system corresponds to the method provided in the above embodiments, the implementation of the method also applies to the driving assistance system of this embodiment and is not described again in detail here. Fig. 10 is a schematic structural diagram of a driving assistance system according to an embodiment of the present application. As shown in Fig. 10, the driving assistance system includes a bootstrap start module 1010, a bootstrap program 1020, and an application program 1030 to be loaded.
The bootstrap start module 1010 is configured to load the bootstrap program in the first storage area when the driving assistance system is powered on. The bootstrap program 1020 is configured, after being loaded and run successfully, to perform a self-check to determine the application program to be loaded from a plurality of application programs, to determine the memory address information that the application program to be loaded should occupy, and to read the application program to be loaded, according to that memory address information, from the application program storage area that stores it, each application program storage area storing one application program. The application program 1030 to be loaded is configured, when loaded and run successfully, to perform a self-check at regular intervals and to record the running state corresponding to the self-check result.
As a possible implementation of the embodiment of the present application, the first storage area has a first information recording area whose required recording information includes the last running application program flag, the memory size and memory address that the current application program in each application program storage area should occupy, the total amount of data segments that each application program storage area should contain, and the version information of the current application program in each application program storage area. Each application program storage area has a second information recording area and an execution program area. The second information recording area includes the version information of the current application program, the memory size occupied by the current application program, the memory address information occupied by the current application program, the total amount of data segments contained in the current application program, the memory size actually occupied by the current application program, and the program state recording information. The execution program area consists of a plurality of program blocks of predefined size, each program block carrying one data segment, and each data segment consisting of a data segment serial number and the program data content it carries.
As a possible implementation of the embodiment of the present application, the bootstrap program 1020 is specifically configured to: after being loaded and run successfully, acquire the last running application program flag from the first information recording area of the first storage area; determine the application program loaded in the last run according to that flag; acquire the program state recording information from the second information recording area of the first application program storage area, the first application program storage area being the application program storage area that stores the application program loaded in the last run; and determine the application program to be loaded from the plurality of application programs according to the program state recording information.
As a possible implementation of the embodiment of the present application, the bootstrap program 1020 is further configured to: when a program update command is received, acquire the update file; perform a check according to the check code in the update file to determine whether the update file is suitable for the driving assistance system; if it is suitable, determine the application program to be updated according to the version information of the current application program in each application program storage area recorded in the first information recording area of the first storage area; import the content of the data segment area of the update file into the application program storage area corresponding to the application program to be updated; after the import, check that application program storage area to judge whether the update succeeded; if the update succeeded, detect whether the last running application program flag in the first information recording area of the first storage area points to the updated application program; if it does, keep the flag pointing to the updated application program; if it points to another application program, change the flag to point to the updated application program.
According to the driving assistance system, when the driving assistance system is powered on, it loads the bootstrap program in the first storage area; after the bootstrap program has been loaded and run successfully, it performs a self-check to determine the application program to be loaded from among a plurality of application programs; the bootstrap program determines the memory address information that the application program to be loaded should occupy; the bootstrap program reads the application program to be loaded, according to that memory address information, from the application program storage area that stores it, each application program storage area storing one application program; and when the application program to be loaded has been loaded and run successfully, it performs a self-check and records the running state corresponding to the self-check result. By giving new definitions for the architecture of the program storage area and the program update file, the system establishes a complete program self-checking system, and switching between application programs is scheduled by the bootstrap program, so that the running condition of the main and standby application programs can be effectively monitored and the switch between them can be made timely and accurately.
In addition, when the program is updated, the bootstrap program takes the leading role: one of the application programs is selected for updating while the other is kept at the lower version, so that if the latest version turns out to have defects, the bootstrap program can be directed to call the lower-version but functionally stable application program. This greatly improves the flexibility of program use and at the same time provides a safety guarantee for the running of the system program.
In order to achieve the above embodiments, the present application also proposes a vehicle including the driving assistance system described in the above embodiments.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "plurality" is at least two, such as two, three, etc., unless explicitly defined otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present application.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute them. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CD-ROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be captured electronically, for instance by optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It is to be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. As in the other embodiments, if implemented in hardware, they may be implemented using any one or a combination of the following techniques well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disk, or the like. Although embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, substitutions, and alterations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (11)

1. A method of safely operating a driving assistance system program, comprising:
when the driving assistance system is powered on, the driving assistance system loads a bootstrap program in a first storage area;
after the bootstrap program is loaded and operated successfully, self-checking is carried out to determine an application program to be loaded from a plurality of application programs;
the bootstrap program determines the memory address information which should be occupied by the application program to be loaded;
the bootstrap program reads the application program to be loaded from an application program storage area for storing the application program to be loaded according to the memory address information of the application program to be loaded, wherein each application program storage area stores an application program;
when the application program to be loaded is loaded and operated successfully, performing self-checking, and recording the operation state corresponding to the self-checking result;
wherein the first storage area is provided with a first information recording area, and the recording information required by the first information recording area comprises a last running application program flag, the memory size to be occupied by the current application program in each application program storage area, the memory address information to be occupied by the current application program, the total amount of data segments to be contained in each application program storage area, and version information of the current application program in each application program storage area;
wherein each application program storage area is internally provided with a second information recording area and an execution program area, and the recording information required by the second information recording area comprises version information of the current application program, the memory size occupied by the current application program, the memory address occupied by the current application program, the total amount of data segments contained in the current application program, the actual memory size occupied by the current application program, and program state recording information;
after the bootstrap program is successfully loaded and operated, self-checking is performed to determine an application program to be loaded from a plurality of application programs, and the method comprises the following steps:
after the bootstrap program is successfully loaded and operated, acquiring the last running application program flag from the first information recording area of the first storage area;
the bootstrap program determining the application program loaded in the last run according to the last running application program flag, and acquiring program state recording information from a second information recording area of a first application program storage area, wherein the first application program storage area is the application program storage area storing the application program loaded in the last run;
and the bootstrap program determines an application program to be loaded from the plurality of application programs according to the program state record information.
2. The method of claim 1, wherein the number of applications is 2, wherein the bootstrap program determines an application to be loaded from the plurality of applications based on the program state record information, and wherein the determining comprises:
the bootstrap program detects whether all states of the application program loaded by the last time are normal or not according to the program state record information;
if all the states of the application program loaded in the last operation are detected to be normal, the bootstrap program determines that the application program loaded in the last operation is the application program to be loaded;
if detecting that an abnormal state exists among all the states of the application program loaded in the last operation, the bootstrap program detects whether the memory size to be occupied by the current application program recorded in a second information recording area of a second application program storage area is consistent with the memory size actually occupied by the current application program;
the bootstrap program detects whether the total amount of data segments which are contained in the current application program recorded in the second information recording area of the second application program storage area is consistent with the maximum sequence number of the actual data segments of the current application program in the execution program area of the second application program storage area;
and if the memory size occupied by the current application program recorded in the second information recording area of the second application program storage area is consistent with the memory size actually occupied by the current application program, and the total data segment quantity of the current application program recorded in the second information recording area of the second application program storage area is consistent with the maximum serial number of the actual data segment of the current application program in the execution program area of the second application program storage area, the bootstrap program determines the application program stored in the second application program storage area as the application program to be loaded.
3. The method as recited in claim 2, further comprising:
and if the memory size occupied by the current application program recorded in the second information recording area of the second application program storage area is inconsistent with the memory size actually occupied by the current application program, and/or the total data segment quantity of the current application program recorded in the second information recording area of the second application program storage area is inconsistent with the maximum serial number of the actual data segment of the current application program in the execution program area of the second application program storage area, determining that the plurality of application programs cannot execute corresponding functions, and sending fault information to external equipment.
4. The method of claim 1, wherein when the bootstrap program determines that no application has been loaded based on the last run application flag, the method further comprises:
detecting one by one whether the application program in each application program storage area is complete, according to the memory address information to be occupied by the current application program in each application program storage area, as recorded in the first information recording area of the first storage area;
and when the application program in the current application program storage area is detected to be complete, the bootstrap program determines the application program in the current detected application program storage area as the application program to be loaded.
5. The method of claim 4, wherein detecting whether the application in each application storage area is complete comprises:
detecting whether the memory size to be occupied by the current application program in each application program storage area, as recorded in a first information recording area of the first storage area, is consistent with the memory size actually occupied by the current application program, as recorded in a second information recording area of each application program storage area;
detecting whether the total number of data segments that each application program storage area should contain, as recorded in the first information recording area of the first storage area, is consistent with the maximum sequence number of the actual data segments of the current application program in an execution program area of each application program storage area;
if the memory size to be occupied by the current application program in each application program storage area, as recorded in the first information recording area of the first storage area, is consistent with the memory size actually occupied by the current application program, as recorded in the second information recording area of each application program storage area, and the total number of data segments that each application program storage area should contain, as recorded in the first information recording area of the first storage area, is consistent with the maximum sequence number of the actual data segments of the current application program in the execution program area of each application program storage area, judging that the application program in each application program storage area is complete;
and if the memory size to be occupied by the current application program in each application program storage area, as recorded in the first information recording area of the first storage area, is inconsistent with the memory size actually occupied by the current application program, as recorded in the second information recording area of each application program storage area, and/or the total number of data segments that each application program storage area should contain, as recorded in the first information recording area of the first storage area, is inconsistent with the maximum sequence number of the actual data segments of the current application program in the execution program area of each application program storage area, judging that the application program in each application program storage area is incomplete.
6. The method of claim 1, wherein the application to be loaded, when successfully loaded and running, performs a self-test comprising:
when the application program to be loaded is successfully loaded and running, detecting whether the program data is complete according to the memory size to be occupied by the current application program recorded in a second information recording area of the application program storage area to be loaded, the memory size actually occupied by the current application program recorded in the second information recording area of the application program storage area to be loaded, the total number of data segments contained in the current application program recorded in the second information recording area of the application program storage area to be loaded, and the maximum sequence number of the actual data segments of the current application program in an execution program area of the application program storage area to be loaded;
detecting whether the program storage address is correct according to the memory address information to be occupied by the current application program, as recorded in the second information recording area of the application program storage area to be loaded, and the area actually occupied by the application program in the execution program area of the application program storage area to be loaded;
detecting whether the order of the stored program data is correct according to the program block sequence numbers in the execution program area of the application program storage area to be loaded and the data segment sequence numbers in the execution program area of the application program storage area to be loaded;
and when the program data is detected to be complete, the program storage address is correct, and the order of the stored program data is correct, determining that the self-check has passed.
7. The method as recited in claim 6, further comprising:
when the program data is detected to be incomplete, and/or the program storage address is incorrect, and/or the order of the stored program data is incorrect, the application program to be loaded performs a program software self-reset;
judging whether the number of consecutive program software self-resets exceeds a preset number, and if not, the application program to be loaded performs the self-check again;
if yes, the application program to be loaded performs a hardware restart operation.
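The consistency checks of claims 2 to 5 and the self-reset escalation of claim 7, as an added C model that is not part of the patent; the struct layout, field names, widths and the sample values are assumptions constructed for this example:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical layout of one application program storage area. Field names and widths
 * are assumptions for this example; the patent fixes neither. */
#define MAX_BLOCKS 8
typedef struct {
    uint16_t seq;            /* data segment sequence number, 1-based; 0 marks an unused block */
    uint8_t  data[16];       /* program data content carried by the block */
} program_block_t;
typedef struct {             /* second information recording area */
    uint32_t required_size;  /* memory size the current application program should occupy */
    uint32_t actual_size;    /* memory size it actually occupies */
    uint16_t total_segments; /* data segments the application program should contain */
} app_info_t;
typedef struct {
    app_info_t      info;
    program_block_t exec[MAX_BLOCKS];   /* execution program area */
} app_area_t;

/* Highest data segment sequence number actually present in the execution program area. */
static uint16_t max_segment_seq(const app_area_t *a) {
    uint16_t m = 0;
    for (size_t i = 0; i < MAX_BLOCKS; i++)
        if (a->exec[i].seq > m) m = a->exec[i].seq;
    return m;
}
/* Claims 2 and 5: the area is complete only if the recorded size equals the real size
 * AND the recorded segment count equals the highest segment number actually stored. */
bool app_area_complete(const app_area_t *a) {
    return a->info.required_size == a->info.actual_size &&
           a->info.total_segments == max_segment_seq(a);
}
/* Claim 4: with no last-run mark, scan the areas in order and take the first complete one.
 * Returns the area index, or -1 when every area fails (claim 3: report a fault externally). */
int select_app_to_load(const app_area_t *areas, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (app_area_complete(&areas[i])) return (int)i;
    return -1;
}
/* Claim 7: count consecutive software self-resets after a failed self-check; once the
 * preset limit is exceeded, escalate to a hardware restart. Returns true to hard-restart. */
bool escalate_after_self_reset(unsigned *consecutive_resets, unsigned preset_limit) {
    return ++(*consecutive_resets) > preset_limit;
}

/* Constructed sample area: only `stored` of the `total` expected segments were written,
 * which is what an interrupted update leaves behind. */
app_area_t make_area(uint32_t required, uint32_t actual, uint16_t total, uint16_t stored) {
    app_area_t a;
    memset(&a, 0, sizeof a);
    a.info.required_size = required;
    a.info.actual_size = actual;
    a.info.total_segments = total;
    for (uint16_t s = 1; s <= stored && s <= MAX_BLOCKS; s++) a.exec[s - 1].seq = s;
    return a;
}
```

Note that a truncated write leaves `total_segments` above the highest stored sequence number while a size mismatch alone is caught by the first comparison, so either failure keeps the area from being selected.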
8. The method according to any one of claims 1 to 7, further comprising the bootstrap program acquiring an update file upon receiving a program update command;
the bootstrap program checks according to the check code in the update file to determine whether the update file is suitable for the driving assistance system;
if the update file is suitable for the driving assistance system, the bootstrap program determines an application program to be updated according to the version information of the current application program in each application program storage area, as recorded in a first information recording area of the first storage area;
the bootstrap program imports the content of the data segment area in the update file into the application program storage area corresponding to the application program to be updated;
after the content of the data segment area in the update file is imported, the bootstrap program checks the application program storage area corresponding to the application program to be updated to judge whether the application program to be updated is updated successfully or not;
if the application program to be updated is updated successfully, the bootstrap program detects whether a last running application program mark in a first information recording area of the first storage area points to the application program to be updated or not;
if the mark points to the application program to be updated, the bootstrap program keeps the last running application program mark pointing to the application program to be updated;
if the mark points to another application program, the bootstrap program changes the last running application program mark to point to the application program to be updated.
9. A driving assistance system, characterized by comprising:
a first storage area storing a bootstrap program, wherein the driving assistance system loads the bootstrap program from the first storage area when the driving assistance system is powered on;
the application program to be loaded is configured to perform a self-check periodically once it has been successfully loaded and is running, and to record the operation state corresponding to the self-check result;
the first storage area is provided with a first information recording area, and the information recorded in the first information recording area comprises a last running application program mark, the memory size to be occupied and the memory address information to be occupied by the current application program in each application program storage area, the total number of data segments that each application program storage area should contain, and the version information of the current application program in each application program storage area; a second information recording area and an execution program area are arranged in each application program storage area, wherein the information recorded in the second information recording area comprises the version information of the current application program, the memory size to be occupied and the memory address information to be occupied by the current application program, the total number of data segments that the current application program should contain, the memory size actually occupied by the current application program, and program state recording information; the execution program area comprises a plurality of program blocks of predefined size, each program block carries one data segment, and each data segment comprises a data segment sequence number and the program data content it carries;
the bootstrap program is specifically used for acquiring the last-time running application program mark from a first information recording area of the first storage area after being loaded and running successfully, determining the last-time running loaded application program according to the last-time running application program mark, acquiring program state recording information from a second information recording area of the first application program storage area, wherein the first application program storage area is an application program storage area used for storing the last-time running loaded application program, and determining the application program to be loaded from the plurality of application programs according to the program state recording information.
10. The driving assistance system as set forth in claim 9, wherein the boot program is further configured to acquire an update file upon receiving a program update command;
checking according to the check code in the update file to determine whether the update file is suitable for the driving assistance system;
if the update file is suitable for the driving assistance system, determining an application program to be updated according to version information of the current application program in each application program storage area recorded in a first information recording area of the first storage area;
importing the content of a data segment area in the update file into an application program storage area corresponding to the application program to be updated;
after the content of the data segment area in the update file is imported, checking an application program storage area corresponding to the application program to be updated to judge whether the application program to be updated is updated successfully or not;
if the application program to be updated is updated successfully, detecting whether a last running application program mark in a first information recording area of the first storage area points to the application program to be updated or not;
if the mark points to the application program to be updated, keeping the last running application program mark pointing to the application program to be updated, and if the mark points to another application program, changing the last running application program mark to point to the application program to be updated.
11. A vehicle comprising a driving assistance system according to claim 9 or 10.
CN202010270139.3A 2020-04-08 2020-04-08 Vehicle, driving assistance system, and safe operation method for program thereof Active CN113553112B (en)
Publications (2)

Publication Number Publication Date
CN113553112A CN113553112A (en) 2021-10-26
CN113553112B true CN113553112B (en) 2023-07-14
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant