DE112018003505T5 - ACCESS CONTROL DEVICE - Google Patents

Abstract

The purpose of the present invention is to prevent the influence of exclusively acquiring shared data by a low priority task on the operation of another task. An access control device is provided with: an application unit containing a first task with a relatively low priority and a second task with a relatively high priority, the tasks being classified on the basis of the priority of execution; an execution unit for executing the first task and the second task; a system state management unit for assigning a slot that is a predetermined duration for each task to each task to be executed and for setting in the slot associated with the first task a first predetermined time at the end of the slot as an access guard time; a shared data unit accessed by the first task and the second task; and a data access control unit for prohibiting access to the shared data unit by the first task in the access monitoring time.

Description

Technical field

The present invention relates to an access control device.

Technical background

Various tasks with different priorities are carried out in a control device. It is necessary that the operational sequence of a task that has a higher priority is not impeded by a task that has a lower priority. PTL 1 discloses a task execution controller that performs task scheduling on the condition that, in a system, the priority of a first task is higher than the priority of a second task, in which a resource is predictable by the first task in which a scheduled execution start time is predictable, and the second task, in which a period of time for which a shared resource is occupied and used is known, is shared. The task execution control means includes time calculation means for obtaining a next scheduled execution start time of the first task and a scheduled release time at which the second task is expected to release the shared resource before the shared resource is occupied by the second task, and resource management means for comparison the next scheduled execution start time and the scheduled release time, which does not allow the second task to occupy the shared resource if the next scheduled execution start time is earlier than the scheduled release time, and the second task allows the shared resource to be occupied if the next scheduled execution start time is not earlier than the scheduled release time.

Reply list

Patent literature

PTL 1: JP 2003-131892 A

Summary of the invention

Technical problem

In the invention described in PTL 1, an influence of the task which has the lower priority on the operation of another task cannot be prevented due to the exclusive acquisition of shared data.

the solution of the problem

According to a first aspect of the present invention, an access control device includes: an application unit that includes a first task that has a relatively lower priority and a second task that has a relatively higher priority, the first task and the second task performed by the execution priority is classified; an execution unit that executes the first task and the second task; a system state manager that assigns a slot of a certain duration to each task to be executed, the predetermined duration being predetermined for each task, and a first predetermined time at one end of the slot assigned to the first task at an access guard time puts;
a shared data unit accessed by the first task and the second task; and a data access controller that prohibits the first task from accessing the shared data unit during the access guard time.

Advantageous effects of the invention

According to the present invention, the influence of the task having the lower priority on the operation of another task can be prevented due to the exclusive acquisition of the shared data.

Figure list

• [ 1 ] 1 is a schematic diagram of a vehicle system 2001 .
• [ 2nd ] 2nd Fig. 3 is an overall block diagram of a vehicle control device 2002 .
• [ 3rd ] 3rd is a diagram of a state transition of a task.
• [ 4th ] 4th Fig. 12 is a view illustrating an embodiment of the object.
• [ 5 ] 5 is a diagram that is an example of a planning table 501 represents.
• [ 6 ] 6 Fig. 12 is a view showing a detailed configuration of a task execution controller 206 represents.
• [ 7 ] 7 is a flow chart that shows the operational sequence of a planning unit 108 represents.
• [ 8th ] 8th is a flowchart that represents a task effect flow.
• [ 9 ] 9 Fig. 11 is a view illustrating a data access monitoring time.
• [ 10th ] 10th is a flow chart showing the operational flow of a system state manager 111 represents.
• [ 11 ] 11 is a flow chart showing the operational flow of a task state manager 107 represents.
• [ 12th ] 12th Figure 3 is a schematic diagram showing an access of a first task 101 to a shared data unit 205 represents.
• [ 13 ] 13 Fig. 12 is a view illustrating an access watch time of an intrusion task.
• [ 14 ] 14 Fig. 14 is a view showing an example of access guard time setting.
• [ 15 ] 15 is a flow chart showing the operational sequence of a data access controller 105 represents.
• [ 16 ] 16 FIG. 11 is a flowchart illustrating a procedure for accessing common shared data.
• [ 17th ] 17th is a flow chart showing the operational sequence of the data access controller 105 in a second embodiment.
• [ 18th ] 18th is a flow chart showing the operational flow of a system state manager 111 in a third embodiment.
• [ 19th ] 19th is a view showing a configuration of a CPU 208 in a fifth embodiment.
• [ 20th ] 20th is a view showing an example of a system state table 1901 represents.
• [ 21 ] 21 is a view that is a rewrite of the system state table 1901 represents.
• [ 22 ] 22 Fig. 14 is a view illustrating a situation in which a request for a second task 102 on the shared data unit 205 to access is reproduced.
• [ 23 ] 23 is a flow chart showing the operational flow of the system state manager 111 in the fifth embodiment.
• [ 24th ] 24th Fig. 10 is a view showing an outline of the operation of a vehicle control device 2002 in a sixth embodiment.
• [ 25th ] 25th Fig. 10 is a block diagram of a vehicle control device 2002 in a seventh embodiment.
• [ 26 ] 26 Fig. 4 is a view showing the operation of a timer flag monitor 2303 represents.
• [ 27 ] 27 is a flow chart showing the operational flow of an operational flow log manager 213 in an eighth embodiment.
• [ 28 ] 28 Fig. 4 is a view showing an example of an impact flow log 1101 represents.

Description of embodiments

First embodiment

Hereinafter, a vehicle control device according to a first embodiment, which is an access control device, with reference to FIG 1 to 16 described.

<Configuration of a vehicle system>

1 is a schematic diagram of a vehicle system 2001 that with a vehicle control device 2002 Is provided. The vehicle system 2001 contains a vehicle control device 2002 , a wireless communicator 2003 , a control device 2004 , a recognition device 2005 , an output device 2006 , an input device 2007 and a notification device 2008 . The vehicle control device 2002 is an electronic control device that controls a vehicle, namely an ECU (electronic control unit). The wireless communicator 2003 captures information such as B. a card. For example, the control device controls 2004 an engine, a wheel, a brake, and a steering device to control movement of the vehicle based on an operational sequence instruction from the vehicle control device 2002 to control. For example, the recognizer 2005 a camera or a sensor that captures information input from an outside world and outputs information for generating outside world recognition information. The output device 2006 shows information such as B. a vehicle speed and a warning. For example, the input device 2007 a pedal and a handle, whereby a driver inputs a vehicle operation sequence instruction. For example, the notification device 2008 a lamp, an LED and a loudspeaker, with which the vehicle system 2001 informs the outside world of a vehicle condition.

<Configuration of the automatic driving ECU>

2nd Fig. 3 is an overall block diagram of the vehicle control device 2002 . A detailed block diagram will be presented later. The vehicle control device 2002 contains software 216 and hardware 215 . The software 216 is through a CPU 208 (which will be described later) which implements a program stored in a ROM (not shown) in a data memory 209 makes usable and runs the program.

The hardware 215 contains the CPU 208 , which is a central unit, the data storage 209 , which is a non-volatile memory device, a timer 210 that manages the timing of real-time control, a network adapter 211 that accesses a network and a peripheral device 212 such as B. a sensor and an automatic braking device. The CPU 208 is a so-called single core CPU that contains only one core. However, it is also the case where only one core is used to form an application unit 214 (which will be described later) even though the CPU 208 contains a plurality of cores included in the scope of the first embodiment. The software 216 contains the application unit 214 , a shared data unit 205 , an expense execution controller 206 , an impact flow protocol manager 213 and an OS 207 that is an operating system.

The application unit 214 contains a sensor merge 201 which external information from a peripheral device such. B. a sensor device, a card merge 202 that processes automatic driving map information, an ADAS (Advanced Driver Assistance System) 203 that provides rear collision avoidance, follow-up driving, and lane departure avoidance, and automatic parking 204 which provides automatic parking processes. However, the above configuration of the application unit 214 just an example and it is sufficient that at least one application in the application unit 214 is included. Each application is constructed with multiple tasks and each task is given a priority.

The shared data unit 205 manages data in every application, in the application unit 214 saved is used. For example, the shared data unit backs up 205 a memory area in the data memory 209 and manages reading and writing of data in the memory area. The task execution controller 206 controls the execution of the tasks that make up the application. The exact configuration and the precise operational sequence of the task execution controller 206 will be described later. The knockout protocol manager 213 records the operational sequence of each task. Based on a schedule that is passed through the planning unit 108 is set, the task execution controller manages 206 each of tasks 101 , 102 (to be described later) using a task state manager 107 based on a state transition (to be described later).

<task>

To the application in the application unit 214 is included, the OS performs 207 the application by dividing the application into tasks that are execution units. The OS 207 can perform multiple tasks essentially simultaneously, but strictly speaking it becomes a CPU computing resource 208 used in a time sharing manner. In other words, the OS leads 207 Tasks out one after the other over time. Each task is carried out in a “slot” of a given duration.

Tasks are not equally important for execution, but depending on a processing content there are a task with a higher priority, whereby an execution time is to be guaranteed, and a task with a lower priority, whereby the execution time can be somewhat delayed. In ISO 26262, tasks in QM (quality management), ASIL-A (automotive safety integrity level-A), ASIL-B, ASIL-C and ASIL-D are classified in ascending order from the point of view of functional safety. This means that if the tasks are roughly classified, ASIL corresponds to a task that is supposed to guarantee the execution time from the point of view of the security guarantee, and QM corresponds to a task that is not safety-relevant and can therefore have a slight delay in the execution time. In the first embodiment, the need to ensure execution time is expressed by priority. For example, the task that has the QM classification is also referred to as a “lower priority task” and the task that has the ASIL-D classification is also referred to as a “higher priority task”.

<Task state transition>

3rd is a diagram of a state transition of a task. The state of the task is classified into the following four states. A first state is an execution state (ONGOING) 301 . The execution state 301 is a state in which the task is in progress while the CPU 208 is assigned. A second state is an executable state (READY) 302 . The executable state 302 is a state in which conditions to perform the task are met but another higher priority task is being executed such that the task cannot be executed. A third state is a standby state (WAIT) 303 . The ready state 303 is a State in which execution is suspended until a certain condition is met. A fourth state is an idle state (SLEEPING) 304 . Hibernation is a state in which the task is not yet activated or has ended.

The state transition of the task is described. The newly created task starts in the idle state 304 and goes to the executable state 302 about when it is activated. When the time assigned to the task occurs, the task is sent and goes to the execution state 301 over and the task processing is carried out. When the execution of the task is completed, or when the time of the allocated slot has ended, the task state goes to the executable state 302 about. When the task makes a resource request and when the resource cannot be obtained with exclusive control, the task state goes to the ready state 303 about. Thereafter, when the resource is released and can be obtained by the task, the task state goes from the ready state 303 to the executable state 302 about. When the task receives a forced completion instruction or when the task itself completes, the task state goes to sleep 304 about.

<Scheduled planning>

4th FIG. 12 is a view illustrating an embodiment of the task controlled by the scheduling. Scheduled planning means that the OS 207 executes each task for a predetermined time at a predetermined time according to a predetermined execution order. In 4th the horizontal axis indicates a time course, and SL1 to SL9 are identifiers (hereinafter referred to as “slot identifiers”) assigned to each slot. As in an enlarged view in a lower part of 4th is shown, the task execution controller performs 206 processing immediately after each slot starts and then the task is executed. In 4th is the last slot identifier SL9, however the slot identifier can be continued as SL10, SL11, ... Each task is performed in the time of the assigned slot. In 4th are t_1 to t_3 identifiers (hereinafter referred to as “task identifiers”) that identify the task to be performed. When the last slot in the row is reached, the task returns to the first slot SL1 to continue scheduling.

5 is a diagram that is an example of a planning table 501 used for scheduling. The planning table 501 contains several data records and each data record has fields of the slot identifier, a start time, a completion time, the task identifier and a time error determination flag. The slot identifier of the data record is stored in the slot identifier field. The start time and the end time of the slot of the data record are stored in the fields of the start time and the end time. However, this time is obtained by setting the start time of SL1 to zero. The task identifier of the task that is executed in the data record is stored in the field of the task identifier. A flag on which by the planning unit 108 (which will be described later) is stored in the field of the timing error determination flag. The timing error determination will be described in more detail later.

The planning table 501 is based on information such as For example, an execution cycle of each task, an assumed longest execution time, and a security requirement level were previously created. The length of a cycle in the planning table 501 is created in such a way that it meets the execution cycle of all tasks. When an end point of the cycle is reached, the task returns to slot identifier SL1 to continue planning. For example, in the example of 5 the last slot identifier SL12 and the completion time is "5.1 ms", such that the length of a cycle is 5.1 ms. Then the slot identifier SL1 is executed after the slot identifier SL12.

<Configuration of the vehicle control device>

6 Fig. 3 is a view showing the detailed configuration of the task execution controller 206 represents. However, in 6 the application unit 214 described on the assumption that the application unit 214 several first tasks 101 who have a lower level of security requirements and several second tasks 102 that have a higher level of security requirements. The first task 101 and the second task 102 are tasks that make up any application, in the application unit 214 is included. The following is the first task 101 and the second task 102 together simply referred to as a "task".

The task execution controller 206 contains a data access controller 105 , a system state determination unit 106 , a task health manager 107 and a planning unit 108 . The data access controller 105 controls an access request from the task to the shared data unit 205 using an access flag (to be described later). The system health determination unit 106 determines the state of the system below Reference to a health manager 111 (which will be described later) that manages the system state. The task state manager 107 manages the task status. The planning unit 108 carries out a schedule management of the task in cooperation with the data access controller 105 , the system health determination unit 106 and the task state manager 107 by.

The hardware 215 contains an access time monitor 109 , a slot time monitor 110 and a health manager 111 . The access time monitor 109 is through the timer 210 implements and monitors an arrival at a set access monitoring time. The access monitoring time will be described later. The slot time monitor 110 is through the timer 210 implements and monitors an arrival at any slot time. The health manager 111 is implemented by a hardware circuit (which is not shown) and manages the system state in cooperation with the access time monitoring device 109 and the slot time monitor 110 .

In this case, the access time monitor 109 , the slot time monitor 110 and the health manager 111 configured by the hardware. However, the access time monitor 109 , the slot time monitor 110 and the health manager 111 Software included. However, when the software is included, software resources should be independent of the software resources 216 be and effective expiry times of the access time monitoring device 109 , the slot time monitor 110 and the health manager 111 should be the effective time of the software 216 do not affect.

<Action sequence of the planning unit>

7 is a flow chart that shows the operational sequence of the planning unit 108 represents. When the start time of a time slot occurs, the planning unit starts 108 the action sequence in response to an action sequence instruction from the timer 210 . The CPU 208 is an embodiment of each step described below.

The planning unit 108 determines whether the previous slot's task is complete ( S101 ). When the previous slot's task is completed (Yes in S101 ), sets the planning unit 108 the timer 210 to work at the end of the current slot in the planning table 501 to start ( S102 ). The planning unit 108 switches the task assigned to the current slot to the execution state ( S103 ). If no task is assigned to the slot, no task is activated in the slot. The execution time of each task is ensured by executing the task execution processing at the time determined in this way. The processing of the task going to the execution state will be described later with reference to FIG 8th described.

If the task of the previous slot has not been completed (No in S101 ), refers to the planning unit 108 on the slot's time error determination flag in the planning table 501 . If the time error determination is "not to be carried out" (No in S104 ), the planning unit switches 108 abandoning the previous standby slot 303 ( S105 ). The task leading to standby 303 is to be switched, namely the task in which the time error determination is to be "made" is in the schedule table 501 referred to as an "encroachment task". The overreaching task is a task whose processing is not completed in one slot and thus takes a long time and is activated over several slots. If the time error determination flag is "to be carried out" (Yes in S104 ), the error flag of the previous slot is set ( S106 ) and the task of the previous slot becomes idle 304 switched ( S107 ). Because performing the forced termination takes a long time, the task in S107 temporarily to standby 303 can be switched and can go to sleep in an empty slot 304 be switched. If the execution in S105 or S107 processing is closed S102 away.

<Task effect flow>

8th is a flowchart showing the operational flow of each task in the execution state. The task performs the task processing, which gives access to the shared data unit 205 contains, by ( S301 ). When execution is complete, a final flag is set ( S302 ) to the planning unit 108 to indicate that execution is complete. The planning unit 108 refers to the execution completion flag of the task being executed in the immediately preceding slot and switches the task of interest to the executable state 302 if the execution completion flag is set. The task clears the completion flag when the next execution starts ( S303 ). However, the planning unit 108 delete the completion flag.

<Task data access watchdog time>

9 Fig. 11 is a view illustrating a data access monitoring time of the task. 9 represents a situation in which the first task 101 and the second task 102 be carried out. The first task 101 is between allocated slot times T1a and T1d activated. In the slot that the first task 101 is assigned, the access monitoring time for monitoring data access by T1b to T1d provided at the end of the slot. The length of the access monitoring time is longer than the data access time, namely the time it takes for the task to access the shared data unit 205 is needed, e.g. B. T1b to T1c . The length of the access monitoring time is constant regardless of the task. Because the second task 102 has a higher security requirement level, the access monitoring time does not become the slot of the second task 102 is assigned.

In the first embodiment, the time that is the access monitoring time is referred to as an “access monitoring state” and the time that is not the access monitoring time is referred to as an “access non-monitoring state”. A state that assumes the access monitoring state or the access non-monitoring state is referred to as a “system state”. That is, as in a lower section of 9 the system state is in the access unmonitoring state during a normal time and has been for a predetermined time before the completion of the slot which the first task 101 listened to the access monitoring state until the slot's completion time.

<Operating sequence of the system state manager>

10th is a flow chart showing the operational flow of the system state manager 111 represents. The operational sequence of the system state manager 111 is described below with reference to 9 described. The CPU 208 is an execution item of all steps described below.

The health manager 111 determines whether the task performed in each slot at the beginning of the slot e.g. B. currently T1a in 9 to be performed, the first task 101 is ( S400A ). Processing is progressing S401 if it is determined that the task to be performed is the first task 101 is. If the task to be performed is not the first task 101 so if it is determined that the task to be performed is the second task 102 the completion time of the slot becomes the slot time monitor 110 set ( S400B ), the timer 210 begins to count and the processing closes S404 away. In S401 the system state manager sets 111 the start time of the access monitoring time to the slot time monitoring device 110 , sets the slot completion time to the slot time monitor 110 and starts counting.

The health manager 111 monitors a register state of the access time monitoring device 109 and determines from the register state whether the set access monitoring time has been reached ( S402 ). The processing remains in S402 if the access monitoring time has not been reached. When it is determined that the access monitoring time has expired, the health manager switches 111 the system state from the access non-monitoring state to the access monitoring state ( S403 ).

The health manager 111 monitors the register status of the slot time monitoring device 110 and determines from the register state whether the set completion time of the slot has been reached ( S404 ). The processing remains in S404 when the slot completion time has not been reached. When it is determined that the slot completion time is reached, the health manager switches 111 the system state from the access monitoring state to the access non-monitoring state ( S405 ). In S406 determines the health manager 111 whether the system should be closed, e.g. B. whether an ignition key switch of the vehicle in which the vehicle control device 2002 is mounted, is switched off. The health manager 111 returns S400A back if it is determined that the system should not be ended, and ends the knitting sequence in 10th when it is determined that the system should be shut down.

<How the Task State Manager Works>

11 is a flow chart that shows the operational flow of the task state manager 107 represents. If the task state manager 107 is called, it is also determined to which state to switch. That is, the task state manager 107 is called with a specification of the standby state, the idle state and the executable state.

If the transition to the ready state is specified (yes in S501), the state manager switches 107 the standby task ( S502 ). If it is determined that the specified state is not the standby state (No in S501), the state manager determines 107 whether the transition to the idle state is specified (S503). If it is determined that the transition to hibernation is specified, the Condition manager 107 the quiescent task ( S504 ). If it is determined that the transition to hibernation is not specified, the state manager switches 107 the task about the executable state ( S505 ).

<Access to the shared data unit>

12th is a schematic diagram showing the access of the first task 101 to the shared data unit 205 represents. If the first task 101 access to the shared data unit 205 tries to capture the data access controller 105 the system health by the health manager 111 is managed via the system state determination unit 106 . The data access controller 105 allows the first task 101 to the shared data unit 205 to access when it is determined that the system state is in the access unmonitored state. If the system state is determined to be in the access monitor state, the data access controller denies 105 access to the first task 101 to the shared data unit 205 and turns on the first task 101 using the task state manager 107 to the idle state 304 . However, the data access controller can 105 when the system state is in the access monitoring state instead of the task state of the first task 101 to the idle state 304 to switch the task state to the standby state 303 switch or execute an endless loop and carry out the timing error determination.

<Data access control of the intrusion task>

13 Fig. 12 is a view illustrating the access monitoring time of the intrusion task. The example in 13 represents a situation in which the first task 101 and the second task 102 be carried out. The first task 101 is activated via the multiple slots. In particular, the first task 101 in a slit of time T2a to T2d and a slot from time T2e to T2h activated. That is, the first task 101 in the example of 13 is the overreaching task. Even in the slots to which the intrusion task is assigned, the access watchdog time for data access monitoring is provided at the end of all slots assigned to the task which has the lower level of security requirements. In the example of 13 are the times T2b to T2d and the times T2f to T2h the access monitoring time. As in the lower section of 13 is shown, the system state is set to the access monitoring state during the access monitoring time.

If the first task 101 access to the shared data unit 205 tried, the data access controller performs 105 through the following process when the system state is in the access monitor state. That is, the data access controller 105 prohibits the first task 101 to the shared data unit 205 accesses and switches the task status of the first task 101 using the task state manager 107 to standby. However, the data access controller can 107 when the system state is in the access monitoring state instead of the task state of the first task 101 to standby 303 to switch, execute the endless loop and the task state in the time error determination to the standby state 303 switch. Access to the first task 101 to the shared data unit 205 becomes at times other than the access monitoring time of the subsequent time slot of the first task 101 namely at times T2e to T2f started. If the first task 101 access to the shared data unit 205 tried the first task 101 to the shared data unit 205 to when the system state is in the access unmonitoring state.

<Allocation of an access monitoring time based on an assigned slot>

14 Fig. 14 is a view showing an example of access guard time setting. The fact that the access monitoring time is not affected by the activation time of the task that has the higher security requirement level but is determined by the slot time of the task that has the lower security requirement level is described below.

In the example of 14 A third task has a lower level of security requirements, similar to the first task 101 . The first task 101 is at the times T3a to T3d and times T3j to T3l activated. The third task is at the times T3f to T3h activated. The access monitoring time is at times T3b to T3d , the times T3f to T3h and times T3j to T3l allotted which are the end of the slots, each of the first task 101 and assigned to the third task. In this way, by assigning the access guarding time based on the slot time of the task having the lower security requirement level, the influence of task switching during the exclusion can be prevented even if there is no information about the existence or lack of access to the shared data unit 205 or information about the details of the access target.

<Action sequence of the data access controller 105 >

15 is a flow chart showing the operational sequence of the data access controller 105 represents. The CPU 208 is an embodiment of each step described below.

If the data access controller 105 from the task a request to access the shared data unit 205 receives, checks the health determination unit 106 the system state ( S201 ). When it is determined that the system state is in the access unmonitoring state (No in S201 ), the data access controller switches 105 the access flag, the state of access to the shared data unit 205 indicates to "access" (S202) and enables access to the shared data unit 205 ( S203 ). When the task accesses the shared data unit 205 is completed, the data access controller switches 105 the access flag to "do not access" ( S204 ).

If the system state is in the access monitoring state (Yes in S201 ) determines the data access controller 105 a content of the time error determination flag of the current time slot in the planning table 501 ( S205 ). If the time error determination flag is "not to be made" (No in S205 ), the data access controller switches 105 the task state using the task state manager 107 to standby 303 ( S206 ). The data access controller 105 performs data access after the task state in the subsequent slot ( S202 , S203 , S204 ) on the execution status 301 transforms. If the time error determination flag is "to be carried out" (Yes in S205 ), the data access controller switches 105 an margin error flag of the current slot to ON ( S207 ), forces the task to be terminated in the execution state 301 and puts the task to sleep 304 (S208). However, because it takes a long time to perform the forced termination, the task can temporarily go to the standby state in S208 303 go to sleep in an empty slot 304 pass over.

According to the first embodiment, the following effects can be achieved.

(1) The vehicle control device 2002 contains the application unit 214 that the first task 101 , which has the relatively lower priority, and the second task 102 health manager, which has the relatively higher priority that was classified by execution priority 111 , which assigns the slot of a certain duration to each task to be executed, the certain duration being predetermined for each task, and the first predetermined time at the end of the slot assigned to the first task at the access monitoring time, sets the shared data unit 205 to which by the first task 101 and the second task 102 is accessed, and the data access controller 105 that prevents the first task 101 during the access monitoring time on the shared data unit 205 accesses.

The vehicle control device 2002 has no information such as B. whether a task on the shared data unit 205 accesses or what data in the shared data unit 205 are included. However, with the access monitoring time that is at the end of the slot that the first task 101 is assigned, the situation is provided in which the access of another task to the shared data unit 205 due to access to the first task 101 that has the lower priority to the shared data unit 205 is blocked, prevented. A common problem is discussed with reference to 16 described.

16 Figure 11 is a flowchart illustrating a general procedure for accessing the shared data. As the general access to the shared data, the task that accesses the shared data obtains an exclusion, namely, an access right to the shared data ( S601 ). The data processing is then carried out ( S602 ). Finally, the exclusion is released; h the right of access to the shared data is released ( S603 ), and the series of processing is ended. If the slot of the task during data processing from 16 processing is switched to another task without releasing the exclusion. In this case, the exclusion will not be released unless processing of the interrupted task is resumed. Until the resumption, no other task can gain the exclusion and access to the shared data.

Usually the above problem is created. On the other hand, the vehicle control device sets 2002 the specified time at the end of the slot, that of the first task 101 is assigned at the access monitoring time and prevents access to the shared data unit 205 during the access monitoring time so that the problems can be avoided. That is, in the vehicle control device 2002 the first task 101 does not reach the end of the slot while holding the access right, so the negative effect of another task on the shared data unit 205 accesses, due to the exclusive acquisition by the first task 101 can be prevented. Furthermore, this advantage is also obtained when the vehicle control device 2002 not access to the shared data unit for each task as in the first embodiment 205 Has. That is, the vehicle control device 2002 the influence on the effectiveness of another task due to the exclusive attainment of the first task 101 that has the lower level of security requirements regardless of the presence or absence of access information about the shared data unit 250 which is used for exclusive control.

(2) The access guard time is longer than the time required to access the first task 101 on the shared data is required. That is why access is the first task 101 to the shared data unit 205 Approved before the start of the access monitoring time when the first task 101 has enough time on the shared data unit 205 to access. Even if the first task 101 immediately before the access monitoring time begins on the shared data unit 205 can access because the access monitoring time is longer than the time required to access the first task 101 on the shared data is required, the impact on the effectiveness of another task can be prevented by completing the release of the exclusion in the slot.

(3) The data access controller 105 switches the first task 101 that have access to the shared data unit 205 tries to exit state during the access monitoring time. For this reason, the operational sequence becomes the first task 101 that are not on the shared data unit 205 can access what the next processing is, and the resource of the CPU 208 can be saved.

(4) If the first task 101 that runs over multiple slots, access to the shared data unit 205 If the data access controller tries to access any slot except a last slot during the access monitoring time 105 that the first task 101 waits until the start time of the next slot. Because of this, the first task 101 that is executed over multiple slots in the slot to be executed next on the shared data unit 205 access.

(5) The priority is determined based on the level of operational safety required for the task. In particular, the task that the higher level of functional safety z. B. ASIL-D, set to higher priority and the task that the lower functional safety level z. B. owns QM is set to the lower priority. Consequently, the task which has a higher level of functional safety is preferably carried out.

(First change)

In the first embodiment, only two priorities are set. However, at least three priorities can be set. In this case, processing is performed by classifying the tasks into the highest priority and other priorities. For example, priorities 1 to 5 are provided and the higher priority should be assigned as the number increases. In this case, the tasks that have the priorities of 1 to 4 correspond to the task that has the lower priority in the first embodiment, namely the first task 101 . Only the task that has priority 5 corresponds to the task that has the higher priority in the first embodiment, namely the second task 102 .

(Second change)

In the first embodiment, the priority is determined based on the level of functional safety required for the task. However, the priority of the task can be determined by another index. For example, the priority of the task can be determined based on the magnitude of the influence on another task, a user preference or the functional safety level and a combination thereof.

Second embodiment

A vehicle control device according to a second embodiment, which is the access control device, is described with reference to FIG 17th described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The second embodiment is mainly different from the first embodiment in that the case where the shared data unit is accessed 205 is not finished in the slot is considered. That is, in the second embodiment, the following task is assumed. That is, one certain task begins accessing the shared data unit 205 before the start of the watchdog time and the access is not completed even when the watchdog time begins. In addition, even when the access monitoring time ends, namely even when the slot completion time is reached, the shared data unit is accessed 205 not finished.

In the second embodiment, the access flag of the data access controller 105 used. For example, the access flag is information stored in the data store 209 is saved. As described in the first embodiment, the data access controller switches 105 to "access" the access flag when the data access controller 105 access to the shared data unit 205 approved in response to the requested task, and the data access controller 105 switches the access flag to "do not access" when the data access has been completed. If it is detected that the access flag is “access” at the end of the access monitoring time, the data access controller starts 105 the vehicle control device 2002 new to reset all exclusive controls.

As a result, the impact on another task due to exclusion can be minimized if the data access is performed while the access monitoring time is exceeded, and early recovery can be achieved. If the task state is in the execution state while the access flag is “accessing” at the beginning of the access monitoring time, the generation of an anomaly is determined and the task state manager 107 can switch the task to standby. The target that is to be restarted is not on the vehicle control device 2002 limited, but can be the entirety of other systems to be assembled.

<Action sequence of the data access controller 105 >

17th is a flow chart showing the operational sequence of the data access controller 105 in the second embodiment. Because the pieces of processing up to S203 same as those of the first embodiment, the description is omitted. If access to the shared data unit 205 in S203 is started, the data access controller determines 105 whether the task's access to the shared data unit 205 ends and processing goes on S204 when the data access controller 105 determines that access ends (yes in S211 ). If it is determined that access will not end (no in S211 ) determines the data access controller 105 whether the access monitoring time ends. The data access controller 105 starts the vehicle control device 2002 New ( S213 ) if it is determined that the access monitoring time ends (yes in S212 ). Processing is reversing S211 back when the data access controller 105 determines that the access monitoring time does not end (no in S212 ).

According to the second embodiment described above, the following effects can be achieved.

(6) The vehicle control device 2002 contains the access flag, which indicates a state of access of the task to the shared data unit 205 specifies, and the data access controller 105 which sets the access flag when the task accesses the shared data unit 205 starts, and clears the access flag when the task accesses the shared data unit 205 completed. The data access controller 105 starts the vehicle control device 2002 new if the access flag is set at the end of the access monitoring time. For this reason, if the data access is performed via the access monitoring time, the influence on another task due to the exclusion can be minimized in order to achieve the early recovery.

Third embodiment

A vehicle control device according to a third embodiment, which is the access control device, is described with reference to FIG 18th described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The third embodiment is mainly different from the first embodiment in that the access guard time in the slot is that of the second task 102 is assigned.

In the third embodiment, the operational sequence of the vehicle control device 2002 described when the second is prohibited task 102 that has the higher level of security requirements affects another task. That is, the access monitoring time for data access monitoring in the third embodiment is even in a last part of the slot that of the previous second task 102 is assigned provided when the slot is next to the slot which is the second task 102 assigned to the second task 102 is assigned. As a result, if the second task 102 that has the higher level of security requirements malfunctions, which affects another second task 102 which has the higher level of security requirements can be prevented.

<Operating sequence of a system state manager 111 >

18th is a flow chart showing the operational flow of the system state manager 111 in the third embodiment. The same pieces of processing as that of the first embodiment are denoted by the same step numbers and the description is omitted. If in S400A if a negative determination is made, the health manager determines 111 whether the second task 102 is assigned to both the current slot and the next slot ( S400C ). The health manager 111 drives to S401 away if in S400C a positive determination is made and the health manager 111 drives to S400B away if in S400C the negative determination is made. Because the following operations are the same as those of the first embodiment, their description is omitted.

According to the third embodiment described above, the influence of the task having the higher security requirement level on another task can be prevented by changing the assignment target of the access monitoring time.

Fourth embodiment

A vehicle control device according to a fourth embodiment, which is the access control device, will be described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The fourth embodiment is mainly different from the first embodiment in that the planning table 501 is created automatically.

A development tool (not shown) creates the planning table 501 automatically. The development tool creates the planning table 501 automatically from design information such as B. the duty cycle of each task, the worst execution time and the level of security requirements. During automatic creation, it is determined based on the security requirement level information whether the access watchdog time for data access monitoring should be provided in the last section of each slot. When the access guard time is provided, the slot time that includes the access guard time is allocated.

According to the fourth embodiment, the planning table 501 Automatically created so that the application design can be done without considering the need for access monitoring time.

Fifth embodiment

A vehicle control device according to a fifth embodiment, which is the access control device, is described with reference to FIG 19th to 23 described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The fifth embodiment is mainly different from the first embodiment in that the CPU 208 the vehicle control device 2002 contains several cores.

The CPU 208 The fifth embodiment is a so-called multi-core CPU, which has a first core 1701 , a second core 1702 and a third core 1703 contains, as in 19th is shown. However, the number of cores that are in the CPU 208 Included are two or more and the number is not limited. Each core performs the first task 101 that has the lower level of security requirements, and the second task 102 , which has the higher level of security requirements, and each task accesses the shared data unit 205 to. In the fifth embodiment, the system state is classified into three states, namely an overall monitoring state, an individual monitoring state and a non-monitoring state.

20th is a view showing an example of a system state table 1901 represents. The system state table 1901 contains information about whether each core is in the single-monitor state or in the non-monitor state, and an "access monitor counter for all cores". The access monitoring counter for all cores increases or decreases between 0 and the number of cores. A state in which a value of the access monitoring counter is greater than or equal to 1 for all cores is referred to as an “overall monitoring state”. That is, the access monitor state and the access non-monitor state of the first embodiment correspond to the individual monitor state and the non-monitor state of FIG fifth embodiment and indicate whether access to the shared data unit 205 can be done in every core. The overall monitoring state affects the entire vehicle control device 2002 namely all the cores. In the overall monitoring state, a new access is the first task 101 to the shared data unit 205 prohibited in all cores.

In the fifth embodiment, the health manager sets 111 the monitoring time not only for the first task 101 , but also for the second task 102 . However, the monitoring time becomes the second task 102 set so that it is at least twice the access time.

Like the system status table 1901 is rewritten with reference to 21 described. At the beginning (T4b) of the access monitoring time in the slot for the first task 101 the system state manager switches 111 the system status of the first core to the individual monitoring status. To finish ( T4c ) the access monitoring time in the slot for the first task 101 the system state manager switches 111 the system status of the first core to the non-monitoring status. As described above, a new access becomes the first task 101 to the shared data unit 205 basically prohibited in individual monitoring status. At the beginning (T4e) of the access monitoring time in the slot for the second task 102 the system state manager switches 111 the system state of the core to the single monitoring state and increments the access monitoring counter for all cores by one to switch the system state of the core to the overall monitoring state. To finish ( T4h ) the access monitoring time in the slot for the second task 102 the system state manager switches 111 the system state of the core to the non-monitoring state and decreases the access monitoring counter for all cores by one. If the decrease in the access monitor counter value for all cores becomes zero, the overall monitor state is released.

As described above, if the access monitor count for all cores is greater than or equal to one, the system state of the core is set to the overall monitor state such that the new data access by the first task 101 to the shared data unit 205 is forbidden in all cores. When the request for data access to the shared data unit 205 through the second task 102 of the multiple cores 1701 , 1702 , 1703 the data access controller issues 105 the priority for data access by the second task 102 that has the shortest time to the completion time of the slot that is currently being executed. However, if the system state of the core is not in the overall monitoring state, that is to say if there is sufficient time, the shared data unit can be terminated in any core before the slot is terminated 205 to access the data access controller 105 cause the second task 102 to the shared data unit 205 accesses in the order in which the request is received. Consequently, even if the first task 101 another core gains access before the access watchdog time, a time for the second task to perform data access 102 be ensured after data access by the first task 101 is completed. Because of this, the influence of data access through the first task 101 to the second nucleus 1702 can be prevented in a multi-core environment. The detailed description will be made with reference to FIG 22 performed.

22 Fig. 12 is a view illustrating a situation in which the request of the second task 102 on the shared data unit 205 to access is reproduced. In 22 time passes from left to right and the states of the first nucleus 1701 , the second core 1702 and the third core 1703 are shown from above. However 22 a schematic diagram and the length of the time axis is not uniform. For example, in 22 the access time of the third core 1703 drawn much longer than others. However, this is due to a drawing problem and all access times are essentially the same. The first core 1701 and the second core 1702 perform the second task 102 out and the third core 1703 performs the first task 101 out. The completion time of the slot in the first core 1701 is t6 and a total monitoring time starts from the time t3 that from the monitoring time of the second task 102 is calculated. The completion time of the slot in the second core 1702 is t7 and the total monitoring time starts from time t5 that from the monitoring time of the second task 102 is calculated. The first task takes effect at time t0 101 to the shared data unit 205 in the third core 1703 to. Access is up to now t4 continued.

As indicated by a downward triangle at time t1, the request of the second task 102 on the shared data unit 205 to access, in the second core 1702 generated. Like through the downward triangle at the following time t2 appears, the request of the second task 102 on the shared data unit 205 to access, in the first core 1703 generated. For now t3 will the Total monitoring time in the first core 1703 started. For now t4 is access to the first task 101 of the third core 1703 to the shared data unit 205 completed, the data access controller 105 determines the time to complete the slot in the first core 1701 shorter than in the second core 1702 is, and causes the second task 102 of the first core 1701 to the shared data unit 205 accesses. It then does so when accessing the first core 1701 to the shared data unit 205 for now t5 is complete, the data access controller 105 that the second core 1702 to the shared data unit 205 accesses.

(Operating sequence of the system state manager 111 )

23 is a flow chart showing the operational flow of the system state manager 111 in the fifth embodiment. In 23 The same operations as those of the first embodiment are denoted by the same step numbers, and the description is omitted. The health manager 111 determines whether the task performed in each slot at the start of the slot is the first task 101 is ( S400A ). Processing is progressing S401A if it is determined that the task to be performed is the first task 101 is (yes in S400A ). If the task to be performed is not the first task 101 is so if the second task 102 is executed (No in S400A ), the following processing in S400B carried out.

That is, the health manager 111 sets the slot completion time to the slot time monitor 110 , calculates the start time of the access monitoring time based on the monitoring time for the second task 102 and sets the start time of the access monitoring time to the access time monitoring device 109 to start counting ( S400B ). If the health manager 111 determines that the monitoring time is present (yes in S420B ), the core system monitor state is switched to the single monitor state, the access monitor counter for all cores is incremented to switch the system state to the overall monitor state (S403B), and processing closes S404 away. However, if the system state is already in the overall monitoring state, only the access monitoring counter for all cores is increased.

In S401A the health manager calculates 111 the start time of the access monitoring time based on the monitoring time for the first task 101 , sets the start time of the access monitoring time to the access time monitoring device 109 and sets the slot completion time to the slot time monitor 110 to start counting and processing closes S402 away. In S402 then when the health manager 111 determines that the monitoring time is present (yes in S402A ), the system monitoring status of the core is switched to the individual monitoring status and the processing closes S404 away ( S403A ). If in S404 if it is determined that the slot time is present, the system monitoring state of the core is switched to the non-monitoring state and the access monitoring counter for all cores is reduced ( S405A ). When the value of the access monitor counter becomes zero for all cores due to the decrease, the overall monitor state is released.

According to the fifth embodiment described above, the following effects are achieved.

(7) The CPU 208 the health manager contains the multiple cores that perform tasks 111 sets the second predetermined time at the end of the slot, that of the second task 102 is assigned to the total access monitoring time and the duration of the total access monitoring time is greater than or equal to the duration of the individual monitoring time. The data access controller 105 determines whether the access guard time in each core of the CPU 208 is present and prohibits the first task 101 , which is executed in all cores during the entire monitoring time, on the shared data unit 205 accesses. For this reason, if the CPU 208 that contains the multiple cores that can perform multiple tasks in parallel, the influence of the task that has the lower security requirement level on the task that has the higher security requirement level can be prevented by providing the access guarding time in each core. If the total monitoring time at the end of the slot of the second task 102 is provided to access the first task 101 to the shared data unit 205 Restricting in all cores can be the second task 102 that runs in any core, access to the shared data unit 205 prioritize to avoid execution delay.

(8) If the second task 102 access to the shared data unit 205 Tried in the multiple cores, the data access controller returns 105 the priority to the second task 102 in which the time to complete the slot that is currently being executed is less than the total watch time to the shared data unit 205 to access. For this reason, when the accesses of the second tasks 102 to the shared data unit 205 overlap with each other, giving priority to access to the task that has the shorter time to complete execution and access to the second task 102 to the shared data unit 205 will be provided as much as possible.

(Modification of the fifth embodiment)

The total monitoring time can be longer than a product of the time it takes the task to access the shared data unit 205 to access and the number of cores. Consequently, the influence of data access through the second task can be 102 that is currently running can be prevented in a further core.

Sixth embodiment

A vehicle control device according to a sixth embodiment, which is the access control device, is described with reference to FIG 24th described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The sixth embodiment is mainly different from the first embodiment in that the vehicle control device of the sixth embodiment does not include the system state manager.

In the sixth embodiment, the health management is performed using multiple modes of a hardware timer and multiple flags corresponding to the modes instead of the health manager 111 carried out. The timer contains a flag that indicates that the set time has been reached.

24th Fig. 12 is a view showing an outline of the operation of the sixth embodiment. The operation of the timer is described with reference to 24th described. In a continuous execution mode, which is a first mode, when the counter reaches the set time ( T5d ) is reached, a flag 1 is switched to a match state, the counter is reset to zero and counting is restarted. When the counting is started, the flag 1 goes to a mismatch state. The task is activated at a predetermined time using the first slot time monitor mode.

In a single execution mode, which is a second mode, when the counter reaches the set time ( T5b ) reached, a flag 2nd switched to the match state and the counter is stopped until the time is set again ( T5d ). The second mode is used to monitor the access monitoring time. The start time of the access monitoring time is when the slot starts ( T5a ) set. When the task tries to access the data, the health determination unit takes 106 on the flag 2nd Reference if the flag 2nd is in the match state, it is determined that the system state is the access monitor state and the data access controller 105 prevents the task from accessing data.

According to the sixth embodiment, the management of the system state can be provided only by the hardware timer using the plurality of timer modes.

Seventh embodiment

A vehicle control device according to a seventh embodiment, which is the access control device, is described with reference to FIG 25th and 26 described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The seventh embodiment is mainly different from the first embodiment in that an FPGA is used.

(Configuration)

25th Fig. 3 is a block diagram showing the vehicle control device 2002 of the seventh embodiment. In the seventh embodiment, the access time monitor 109 , the slot time monitor 110 and the health manager 111 configured in an FPGA (field programmable gate arrangement). In addition to the configuration of the first embodiment, there is also a timer flag monitor 2303 provided in the FPGA.

26 Fig. 14 is a view showing the operation of the timer flag monitor 2303 represents. The timer flag monitor 2303 constantly compares the time of the timer with the access time monitor 109 and the slot time monitor 110 . The timer flag monitor 2303 switches the watchdog flag to the match state when the access time monitor 109 coincides with the timer (time T6b in 26 ), and the timer flag monitor 2303 switches the Slot flag to match state when the slot time monitor matches the timer (time T6d). The health manager 111 monitors the status transitions of the monitoring flag and the slot flag and switches the system status to the access monitoring status when the monitoring flag changes to the matching status (time T6b). When the slot flag is switched to the match state (time T6d), the system state manager switches 111 the system state to the access unmonitoring state.

According to the seventh embodiment, the plural times can be monitored using a timer through the time monitor and the state management using the FPGA.

Eighth embodiment

A vehicle control device according to an eighth embodiment, which is the access control device, is described with reference to FIG 27 and 28 described. The same components as those of the first embodiment are denoted by the same reference numerals, and mainly a point different from the first embodiment is described below. The points that are not specifically described are the same as those of the first embodiment. The eighth embodiment is mainly different from the first embodiment in that the operation flow of the operation flow log manager 213 is made clear.

27 is a flow chart showing the operational flow of an operational flow log manager 213 represents. The knockout protocol manager 213 detects (S701, S702) the start time and the completion time of the slot in each slot, the task ID and the state at the completion of the slot, and records them (S703). In particular, by recording the state at the time of completion, whether the task is normally activated, an intrusion task that has a long expiration time, the forced termination due to the generation of an anomaly, the termination by the data access in the access monitoring time, or an interruption interruption by the data access in the access monitoring time is kept in the action log.

28 Fig. 4 is a view showing an example of the knitting protocol 1101 by the functional flow protocol manager 213 was recorded. The impact protocol 1101 records the start time, the completion time, the task identifier and the state at the completion in each time slot.

According to the eighth embodiment, the status of the task can be checked at any time by recording the operation process log. In addition, the task that is trying to access the data can be found at a point in time that affects another task.

Although various embodiments and changes are described above, the present invention is not limited to this content. Other aspects that are considered to be within the scope of the technical concept of the present invention are also included within the scope of the present invention.

Reference list

101

first task

102

second task

105

Data access controller

106

System health determination unit

107

Task health manager

108

Planning unit

109

Access time monitoring device

110

Slot time monitor

111

Health manager

205

shared data unit

206

Task execution controller

208

CPU

210

Timer

213

Sequence log manager

214

Application unit

215

hardware

216

software

501

Planning table

1101

Action log

1901

System status table

2001

Vehicle system

2002

Vehicle control device

2303

Timer flag monitor

QUOTES INCLUDE IN THE DESCRIPTION

This list of documents listed by the applicant has been generated automatically and is only included for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent literature cited

• JP 2003131892 A [0003]

Claims (8)

Access control device comprising: an application unit that includes a first task that has a relatively lower priority and a second task that has a relatively higher priority, the first task and the second task being classified by the priority of execution; an execution unit that executes the first task and the second task; a system state manager that assigns a slot of a certain duration to each task to be executed, the predetermined duration being predetermined for each task, and a first predetermined time at one end of the slot assigned to the first task at an access guard time puts; a shared data unit accessed by the first task and the second task; and a data access controller that prohibits the first task from accessing the shared data unit during the access monitoring time. Access control device after Claim 1 , wherein the access monitoring time is longer than a time that the first task needs to access the shared data unit. Access control device after Claim 1 wherein the data access controller switches the first task, which attempts to access the shared data unit, to a termination state during the access monitoring time. Access control device after Claim 1 , and when the first multi-slot task attempts to access the shared data unit in any slot other than a last slot during the access guard time, the data access controller causes the first task to start up another slot is waiting. Access control device after Claim 1 further comprising: an access flag indicating a state of the task's access to the shared data unit; and a flag manager that sets the access flag when the task starts accessing the shared data unit and clears the access flag when the task ends access to the shared data unit, the data access controller restarting the access controller when the Access flag is set at the end of the access monitoring time. Access control device after Claim 1 wherein the execution unit performing the task includes multiple execution units, the health manager further sets a second predetermined time at the end of the slot assigned to the second task at a total access monitoring time, the second predetermined time greater than or equal to the first predetermined time and the data access controller determines whether each execution unit is during the access guard time and prevents the first task performed by all execution units in the total access guard time from accessing the shared data unit. Access control device after Claim 6 wherein when the second task attempts to access the shared data unit in the plurality of execution units, the data access controller prioritizes access of the second task, which has a shorter time to an end of the slot, to the shared data unit. Access control device after Claim 1 The priority is determined based on a level of functional safety required for the task.

Images