JP2001014224A - Method and device for judging memory content destruction - Google Patents

Abstract

PROBLEM TO BE SOLVED: To accurately judge the destruction of memory content using decision by a majority. SOLUTION: A RAM is provided with four memory areas 0 to 3. The same data are successively recorded in the four memory areas. Write progress situation information showing that each area is in the middle of being written in also recorded. When a runaway of a CPU takes place, rest processing is performed. In such a case, memory content is restored by decision by a majority using the data of the areas 0 to 3. However, decision by a majority which uses the stored data of the memory areas is performed while excluding memory areas in the middle of being written on the basis of the write progress situation information. The data are desirably offset among areas when the data are recorded in the areas 0 to 3. At the time of recovery processing, offset is corrected and subsequently decision by a majority processing is performed. Even in case a situation in which all the memory is painted out with the same value takes place, it is possible to decide memory content destruction.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a method and an apparatus for determining the destruction of memory contents, and more particularly to a method and an apparatus for storing the same data in a plurality of memory areas and determining the destruction of the memory contents by majority decision.

[0002]

2. Description of the Related Art As is well known, a computer is provided with a memory for reading and writing data. A majority decision is used as a technique for improving the reliability of a memory device. For example, in JP-A-9-134313, the same data is written in a plurality of memory areas of the same size (for example, three areas). When data is read, error correction is performed by majority decision on storage data in a plurality of memory areas.

[0003]

By the way, a computer device has a function for coping with the occurrence of software runaway caused by noise or the like. For example, a watch dog timer (WDT: Watch Dog Timer) is provided. It is well known. The WDT is a device that monitors the operation of the CPU. WD
To T, a normal signal (a signal indicating a normal state) is periodically sent from the CPU. Then, the reset processing is performed when the normal signal is interrupted. Generally, initialization processing is performed in the reset processing. This is because when a memory destruction runaway (runaway that destroys a memory) occurs, a normal operation cannot be performed unless initialization processing is performed.

[0004] However, the runaway of the computer,
There are cases where the memory contents (storage data) are destroyed and cases where the memory contents are not destroyed. In the former case, it is necessary to initialize the memory. On the other hand, in the latter case, a continuous operation for performing the next process using the memory contents is possible. Nevertheless, conventionally, the initialization process has been uniformly performed.

[0005] Continuing use of the memory contents is typically desired when information accumulated over time is stored. For example, consider a new transportation system in which vehicles travel automatically. Magnetic markers are arranged at equal intervals on the road. The number of magnetic markers that have passed is counted, and the vehicle specifies its own position based on the number of markers. In such a system, it is desirable not to erase the number of markers stored in the memory as much as possible even at the time of resetting the WDT. If the marker number data is held, there is a possibility that the normal traveling control can be resumed after the reset.

If the memory contents are not destroyed, it is desirable to restore the memory contents for use.
For this purpose, it is necessary to determine whether or not the contents of the memory have been destroyed, and it is considered preferable to apply the above-mentioned majority decision to this determination processing.

However, there is a possibility that the destruction of the memory contents cannot be accurately determined even if the majority decision processing is simply applied. A particular problem occurs when a runaway occurs while data is being written to some memory areas. Comparing the data in the memory being written and the data in the memory not being written cannot determine which data is correct.
It is also difficult to determine whether the memory contents have been destroyed. Such a situation is likely to occur when data is sequentially copied to a plurality of memory areas.

Another disadvantage of the conventional majority decision processing is that it is not possible to appropriately cope with an event that the memory is filled with the same value. Since the values of all the memory areas become the same, the destruction of the memory contents cannot be detected by majority vote. Therefore, it is desired to be able to reliably determine the destruction of the memory contents even when the filling occurs.

Here, the processing at the time of runaway occurrence has been described. However, the present invention is not limited to this, and there is a similar problem in other memory content destruction determination.

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and an object of the present invention is to provide a method and an apparatus capable of accurately determining the destruction of memory contents by using a majority decision.

[0011]

In order to achieve the above object, a memory content destruction judging method according to the present invention writes the same data in a plurality of memory areas and compares the stored data in the plurality of memory areas with a majority decision. In the method for making a determination, a step of recording write progress information indicating that each of the plurality of memory areas is in the middle of writing; and a step of excluding the memory area in the middle of writing based on the write progress information. Making a majority decision using the data stored in the memory area.

Therefore, according to the present invention, when a runaway or the like occurs, the storage data in the memory area being written is excluded from the majority decision, so that the majority decision is performed using only the storage data that should be originally the same. be able to. Therefore, it is possible to accurately determine the memory destruction. The memory contents that have not been destroyed can be saved, and continuous operation using the memory contents can be performed.

In the present invention, preferably, a start counter indicating the start of writing, an actual data portion, and an end counter indicating the end of writing are set in each of the plurality of memory areas, and the writing progress information includes the start counter and the writing counter. It is recorded in the end counter. According to this aspect, the writing progress is recorded in each memory area. Therefore, when a runaway or the like occurs, the destruction of the memory contents can be easily and reliably determined by using the data read from the memory.

Preferably, the method of the present invention includes a step of restoring data in the memory area based on a result of the majority decision. Data determined to be appropriate from the result of the majority decision is treated as data before the occurrence of runaway or the like.

According to another aspect of the present invention, when data is recorded in the plurality of memory areas, a step of offsetting a data value between the memory areas and a step of determining a majority decision after correcting the offset between the memory areas. Performing the steps.

This aspect can suitably cope with an event such as filling a memory. That is, according to the present invention, an offset is given to data at the time of data recording, and the offset is corrected at a later determination time. If the same value is painted, the data between the memory areas is different due to the offset correction at the time of the determination. Therefore, the destruction of the memory contents is detected by the majority decision. Filling with the same value can be reliably detected and erroneous determination can be prevented.

Further, the present invention may be realized in the form of a memory content destruction judging device. In addition, the present invention may be realized in the form of a memory device, a memory control device, a memory control method, a data storage method, and the like. It may be implemented in any suitable manner.

[0018]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Preferred embodiments of the present invention (hereinafter, referred to as embodiments) will be described below with reference to the drawings.

FIG. 1 shows an example of a computer control system in which the memory content destruction judging device of the present invention is suitably provided. The system shown in FIG. 1 is an automatic vehicle traveling system, and is mounted on a vehicle traveling on the traffic system shown in FIG.

In FIG. 2, magnetic markers (magnetic nails) are installed at equal intervals on the road. The position of the vehicle is calculated from the number of passed magnetic markers. The vehicle stores data indicating the road shape. The presence of a curve ahead of the vehicle can be known from the position information and the road shape information. Therefore, the traveling direction and the vehicle speed are controlled so that the vehicle travels along the curve.

In FIG. 1, the main ECU 10 is connected to the sensor 14 via the sensor ECU 12 or directly to the sensor 14. The sensor is, for example, a magnetic sensor for detecting a magnetic marker, for example, a wheel speed sensor for detecting a vehicle speed. The main ECU 10 is connected to the actuator 18 via the actuator ECU 16 or directly connected to the actuator 18. The actuator is, for example, an engine (throttle), a brake, and a steering device.

The main ECU 10 controls the actuator 18 based on an input signal from the sensor 14, causes the vehicle to travel at an appropriate speed along the road, and performs other processing such as stopping at a station and opening and closing a door. .

The main ECU 10 includes a CPU 20, an RO
An M22, a RAM 24, and a WDT 26 (Watch Dog Timer) are provided. CPU2
0 controls the running of the vehicle according to the control program read from the ROM 22. The WDT 26 monitors a normal signal (a signal indicating a normal operation state, a pulse signal) periodically generated by the CPU 20. When a runaway occurs in the CPU 20, the normal signal is interrupted. At this time, a reset process is performed according to the instruction of the WDT 26.

In the reset process, erasing the data stored in the RAM 24 may be considered. However, if the stored contents of the RAM 24 are not destroyed, it is desirable to use the stored contents as much as possible. For example, in the systems of FIGS. 1 and 2, the vehicle position is obtained from the cumulative count number of the magnetic marker. If you delete the contents of the memory, you will not be able to determine the vehicle position. In addition, it is desirable to continue using the information accumulated over time unless the contents of the memory are destroyed.

In order to meet such a demand, according to the present invention, a memory content destruction judging method described below is provided.

FIGS. 3A to 3F show a memory content destruction judging method according to the present invention. As shown in FIG. 3A, four memory areas are set in the RAM 24 of the main ECU 10. Area 0 is a common variable area, and is a work area for control processing. Areas 1, 2, and 3 are WDT storage areas. The data in the area 0 is copied to the areas 1, 2, and 3. At the time of runaway, a majority decision is made using the data in these areas.

As shown in FIG. 3A, first, the data in the area 0 is rewritten through normal control processing. next,
The data in the area 0 is sequentially copied to the areas 1, 2, and 3. That is, the copy from the area 0 to the area 1 is performed, and then the copy from the area 0 to the area 2 is performed.
Further, copying from the area 0 to the area 3 is performed. In each copy process, block transfer is preferably performed.

FIG. 3B shows a specific example of the above processing. The top row is the end point of section N-1, and data P is recorded in all memory areas. In section N, data P is rewritten to data Q in order from area 0 to area 3. Next, in the (N + 1) th section, data Q is rewritten to data R (the same applies hereinafter).

Here, as a feature of the present invention, when writing data to each memory area, information (writing progress information) indicating that writing is in progress is recorded according to a method described later. If a runaway occurs, a majority decision is made based on this situation information using the storage data of a plurality of memory areas excluding the memory area in the middle of writing, and the destruction of the memory contents is determined.

FIG. 3C shows a case where a runaway occurs during the writing to the area 0 (the memory being written is indicated by an X mark). In the areas 1 to 3, the data P of the previous section (section N-1) is stored. In this case, the area 0 in the middle of writing is excluded, and the destruction of the memory contents is determined using the data of the areas 1 to 3. Here, a majority decision is made using data read from the three areas. If the data in the two or more areas match, it is determined that no memory corruption has occurred. Then, the memory contents are restored using the matched data. That is, the appropriate data is copied to the area 0, and the control process of the CPU is restarted using the data.

FIG. 3D shows a case where a runaway occurs during the writing to the area 1, that is, during the preservation copy from the area 0 to the area 1. Data Q is recorded in area 0. In areas 2 and 3, data P of section N-1 is recorded. The area 1 in the middle of writing is excluded, and the majority decision is made using the areas 2 and 3 where the same data is recorded.

However, here, since there are only two data to be compared, an irregular majority decision (binary comparison, here, this binary comparison is also considered to be included in the majority processing) is performed. If the data in the areas 2 and 3 match, no memory destruction has occurred, and the restoration processing is performed using the data. If the data in the areas 2 and 3 are different, the restoration processing is not performed.

FIG. 3E shows a case where a runaway occurs during the writing to the area 2, that is, during the storage processing from the area 0 to the area 2. Data Q is recorded in area 0 and area 1. In the area 3, data P is recorded.
Therefore, a majority decision is made using the areas 0 and 1 where the same data is recorded. Here, a comparison process (irregular majority decision process) using only the data of the two regions is performed.

FIG. 3F shows a case where a runaway occurs during writing to the area 3. In the area 0 to the area 2, the data Q of the Nth section is already stored. So area 0
Is determined using the data in the area 2 to determine whether the memory contents are destroyed. Specifically, if the data in the three areas match, the data in the area 0 is used as it is. When only the region 0 and the region 1 match, and when only the region 0 and the region 2 match, the data of the region 0 is used. When only the area 1 and the area 2 match, the matching data is copied to the area 0. If the data in all the areas is different, there is a possibility of memory destruction, so that the restoration processing is not performed and the normal initialization processing is performed.

As described above, in this embodiment,
The same data is recorded in four memory areas. Progress information indicating that data is being written is recorded in each memory area. When runaway occurs, data in the remaining memory area excluding the memory area in the middle of writing is subjected to majority processing to determine the destruction of the memory contents.

More specifically, data to be compared is selected in consideration of data being sequentially copied to the memory areas 1 to 3. For example, in FIG. 3B, the data Q is written in the area 0, and the data Q is being written in the area 1. On the other hand, the data P of the previous section remains in the areas 2 and 3. In this case, the data P in the areas 2 and 3 are selected as comparison targets. That is, only data that should be identical is compared.

As described above, according to the present embodiment, the majority decision is made by using only the storage data that should be essentially the same, excluding the memory area in the middle of writing. Therefore, it can be accurately determined whether or not the memory has been destroyed. Since the determination / save operation is performed using only the memory area in which the consistency is ensured in terms of timing, the consistency is assured. When the reset process is performed in response to the runaway, the memory content that has not been destroyed is saved, and the return process using the memory content can be performed.

In the present embodiment, four memory areas (variable storage areas) are set in the RAM, but the number of memory areas may be other than four. For example, the number of memory areas may be increased, and more reliable memory destruction determination and recovery processing can be performed. In particular, when there are four memory areas, it was necessary to perform binary comparison instead of majority decision (see FIG. 3).
In contrast to (d) and (e)), if the memory area is increased, it is always possible to make a majority decision using three or more data.

On the other hand, the number of memory areas can be reduced. It is assumed that three memory areas are set. In this case, it is impossible to cope with runaway during copying to the storage area. That is, it is assumed that the storage area 3 is abolished in FIG. Since the area 1 is being written, the data of the area 0 and the data of the area 1 are to be compared. However, regions 0, 1
Stores different data. Therefore, it is impossible to determine the destruction of the memory area. If the number of memory areas is reduced in this way, it is not possible to recover from runaway during storage copy. However, generally, the probability of runaway occurring during archival copying is low. Therefore, the effect of the present invention can be obtained also in this mode.

Next, the <offset processing> which is another characteristic of the present invention will be described with reference to FIGS. Referring to FIG. 4A, when data is copied from the common variable area 0 to the WDT storage areas 1, 2, and 3, offsets 1, 2, and 3 are respectively added (subtraction may be performed, and the same applies hereinafter). The offsets 1, 2, and 3 have different values and are arbitrarily and appropriately set. For example, offset 1 = 0x22 (= 34), offset 2 = 0x
44 (= 68), offset 3 = 0x88 (= 136)
It is.

As shown in FIG. 4A, when the WDT operates to perform the reset processing, the offset is corrected. A majority decision is made using the corrected data. Of course, as described with reference to FIG. 3, data in the memory area in the middle of writing is not used.

On the other hand, FIG. 4B shows the processing when a memory destruction occurs in which all memories are painted with the same value. That is, it is assumed that after the data P is written with the offset, all the memories are filled with the data X due to runaway. Also in this case, when the WDT operates, the offset of the data in the memory is corrected. As a result, data that should be the same will be different as a result of the offset correction.
Therefore, it is determined that the memory contents have been destroyed, and a return process for continuously using the memory contents is not performed.

Here, it is assumed that the offset processing and the offset correction processing of the present invention have not been performed. FIG.
In (b), the majority decision is made using the incorrect data X as it is. Since the data in all memories is the same, the majority decision results in an erroneous determination that the memory contents are normal. On the other hand, according to the present embodiment, by performing the offset processing and the offset correction processing, the occurrence of the filling can be reliably detected by the majority decision, and the erroneous return can be avoided.

Next, a method of recording progress information indicating that the memory area is in the middle of writing will be described with reference to FIGS. In FIG. 5, common variable area 0 and WDT
Storage areas 1, 2, and 3 have the same size. A start counter (counter0begin;
C-0begin) is set, then the actual data part is set, and the end counter (counter0end; C-0end) is set.
Is set. Similarly, start counters (counter1begin, counter2begin, counter3begi)
n), actual data part, end counter (counter1end, count
er2end, counter3end) are set. In the present embodiment, the size of the start counter and the end counter is 1 byte, and the size of the actual data portion is 50 bytes.

FIG. 6 shows the rewriting process of the area 0. In the initialization state, the start counter and the end counter are 0. First, the start counter is incremented (1 is added), and then actual data is written.
When the writing of the actual data is completed, the value of the start counter is copied to the end counter.

As described above, the value of the start counter becomes larger than the value of the end counter by 1 when the writing of the area 0 is started.
At the end of writing, the values of both counters match. That is, if the values of the start counter and the end counter are different, area 0 is being written.

Next, a storage copy process for the areas 1 to 3 is performed. As shown in FIG. 5, first, block transfer from area 0 to area 1 is performed. The value of the start address of area 0 is mapped to area 1. The data of the address next to the area 0 is copied. In this way, the values of all addresses in area 0 are copied to area 1. However, offset 1 is added to each value at the time of copying (including the value of the counter).

In this case as well, when the writing of the area 1 is started, the value of the start counter becomes larger than that of the end counter by one. At the end of writing, the values of both counters match. That is, if the values of the start counter and the end counter are different, area 1 is being written.

Next, the storage processing of the area 2 and the storage processing of the area 3 are sequentially performed in the same manner. Here also, block transfer is performed. Therefore, when the area 2 or the area 3 is being written, the values of the start counter and the end counter are different.

Referring back to FIG. 6, when the preservation copy is completed, the process using the area 0 is performed again. First, the start counter is incremented, and the value of the counter becomes 2. Then, the actual data is rewritten. When the rewriting is completed, the value of the start counter is copied to the end counter.

The above processing is repeatedly performed. Considering that the size of the counter is one byte, the value of the counter is returned to 0 before the counter becomes full. In the present embodiment, as shown in FIG. 6, when the value of the counter reaches 250, the counter is reset.

When a runaway or the like occurs and the WDT operates, the values of the start counter and end counter of each memory area are read and compared. If the start counter and end counter of a certain area match, it is determined that the area is not in the middle of writing. On the other hand, if the value of the start counter and the value of the end counter of an area are different, it is determined that the area is being written.

FIG. 7 specifically shows a method of judging the writing progress at the time of the WDT operation. Each counter shows the state after offset correction. In FIG. 7A, the start / end counters of the areas 1 to 3 are all equal, and data is being written to the area 0 in this state. In FIG. 7B, the four values of the start / end counters in the areas 2 and 3 are equal,
In this state, the data is being stored and copied in the area 1. FIG. 7 (c)
In this case, the four values of the start / end counters of the areas 0 and 1 are equal. In this state, the copy is being stored in the area 2. FIG.
In (d), the six values of the start / end counters of the areas 0, 1, and 2 are equal. In other words, the combination of the areas where the counter values match is the combination of the memory areas to be subjected to the majority decision in FIGS. 3 (c) to 3 (f) described above. It's easy to tell if you're in progress.

As described above, according to the present embodiment, using the start counter and the end counter of each memory area,
The writing progress information is recorded. A place for recording the progress is assigned to each memory area. At the time of the WDT operation, it is known from the data of each memory area that the area is being written. Therefore, it is possible to reliably and easily determine the writing progress state, and to reliably determine the destruction of the memory contents.

The method of recording and judging the writing progress is not limited to the above. For example, a flag indicating the progress of writing in each area may be provided. When the writing of a certain area is started, a flag is set, and when the writing is completed, the flag is set down.

Next, FIG. 8 to FIG. 12 are flowcharts showing the processing of the present invention described above. FIG. 8 shows the overall processing.
When the system is powered on and the watchdog timer (W
At the time of DT) operation, the process of FIG. 8 starts. First, it is determined whether or not power is turned on (power is turned on) (S10). In the case of power-on, power-on initialization processing is performed (S12).

As shown in FIG. 9, in the power-on initialization processing, the start counter C-0begin (counter0beg
in) and the value of the end counter C-0end (conter0end) are set to 0 (S30). Further, the start counter C−
The values of all addresses from 1 begin to the end counter C-3end of the area 3 are set to 0 (S32). That is, 0 is written in all of the storage areas 1 to 3 shown in FIG. Further, normal initialization processing of the entire system is performed by the CPU (S34).

Returning to FIG. 8, when the power-on initialization in S12 is completed, the process proceeds to S14 to S20 to perform normal processing. The processing here has been described with reference to FIGS. First, the start counter C-0begin of the area 0 is incremented (S14), and normal processing is performed (S1).
6). The normal process is a control process of the vehicle traveling control system shown in FIG. The detection signal of the sensor is taken in, the arithmetic processing according to the control program is performed, and the actuator control signal is generated and output. In the normal processing, the area 0 is used as a work area, and the value of the area 0 is rewritten.

When one cycle of the normal processing is completed, the area 0
End counter C-0end, start counter C-0begin
Is copied (S18). As described above, a match between the start counter and the end counter indicates that the writing of the area 0 has been completed.

Next, copy processing for memory storage is performed (S20). That is, the value of the area 0 is copied to the areas 1 to 3. As shown in FIG. 10, the offset 1 is added to the values of all addresses from the start counter C-0 begin to the end counter C-0 end of the area 0. The value after the addition is written to the corresponding address of the area 1 (S40). Similarly,
The offset 2 is added to the data of the area 0, and the value is written to the area 2 (S42). Further, the offset 3 is added to the data of the area 0, and the value is written to the area 3 (S44). The archival copy is made sequentially. In each copy process, block transfer is performed.

Returning to FIG. 8, when S20 ends, the process returns to S14, and the same processing is repeated. That is, the rewriting of the data in the area 0 and the storage copy of the rewritten data are repeated.

Next, the processing at the time of the WDT operation will be described. FIG.
WDT 26 (watchdog timer) is hardware independent of the CPU 20. As mentioned above, WDT
26 monitors a predetermined signal sent from the CPU 20. When the signal stops, the WDT 26 issues a reset processing instruction to the CPU 20. That is, if a software runaway occurs somewhere in the overall processing of FIG. 8, the WDT 26 operates after a predetermined time has elapsed. Then, the CPU 20 starts the process of FIG. 8 from the start. Power-on determination (S
10) is NO, the watchdog reset return process is performed in S22.

Referring to FIG. 11, in the restoration process, first, the offsets of the storage areas 1 to 3 are corrected (S5).
0). That is, the data in the area 1 is read, the offset 1 is subtracted, and the data is returned to the area 1. The same applies to regions 2 and 3.

Next, it is determined whether or not the start / end counter of the area 1, the start / end counter of the area 2, and the start / end counter of the area 3 match (S52). S52
If the answer is YES, it can be understood that the areas 1 to 3 were not in the middle of writing when the runaway occurred. That is, the area 0 is being written, or the data is not stored in the RAM. Then, majority processing using the data of the areas 1, 2, and 3 is performed in S54 (see FIG. 3C).

As shown in FIG. 12, in the majority decision processing, it is determined whether or not the same pair exists for all variables in the storage area (S70). That is, all variables of the actual data in the memory area in FIG. 5 are compared. Then, for each variable, it is determined whether or not the data of at least two areas match. If S70 is YES, it is considered that the memory contents have not been destroyed. Therefore, the value in which the same pair is found is substituted into the area 0 (S72).

More specifically, if the values of the area 1 and the area 2 match for each variable in S70, the value of the area 1 is assigned to the area 0 in S72. There is no need to compare region 2 with region 3. If the areas 1 and 2 do not match, the areas 1 and 3
Are compared, and if the variables in both areas match, the value of area 1 is assigned to area 0. If the areas 1 and 3 do not match, the areas 2 and 3 are compared. If the variables of both areas match, the data of the area 2 is assigned to the area 0. If the areas 2 and 3 do not match, the determination in S70 is NO.

If the determination in S70 is NO, the memory contents may have been destroyed due to runaway. Therefore, the memory return process is abandoned, and a power-on initialization process is performed in S74. This process is the same as S12 in FIG.

Returning to FIG. 8, when the return process of S22 is completed, the process proceeds to S14. Therefore, when the data in the area 0 has returned to the state before the runaway (S72 in FIG. 12), the normal traveling control is restarted using the data. On the other hand, area 0
Is initialized (S74 in FIG. 12), the data before the runaway is lost. Therefore, the vehicle is stopped. The vehicle may be driven in an appropriate emergency driving mode and moved to an appropriate place.

On the other hand, if S52 is NO in FIG. 11, the process proceeds to S56, and it is determined whether or not the start / end counter of the area 0, the start / end counter of the area 1, and the start / end counter of the area 2 match. You. If S56 is YES, it is considered that the reset process has occurred during the storage of the area 3. Then, majority processing using the data of the areas 0, 1, and 2 is performed in S58 (see FIG. 3F). Here also, the processing of FIG. 12 is performed. However, areas 0, 1, and 2 are used instead of areas 1, 2, and 3. Then, after the majority decision, if the contents of the memory are not destroyed, the normal traveling control is resumed.

If S56 in FIG. 11 is NO, S6
Then, it is determined whether or not the start / end counter of the area 0 and the start / end counter of the area 1 match. S60
Is YES, it is considered that the reset process has occurred during the storage of the area 2. Therefore, majority processing using the data of the areas 0 and 1 is performed in S62 (see FIG. 3E). Here also, the processing of FIG. 12 is performed. However, only two areas 0 and 1 are used. If the variables in the areas 0 and 1 match, the memory is restored (S72 in FIG. 12), and the normal traveling control is resumed. If the variables in the areas 0 and 1 do not match, power-on initialization is performed (FIG. 12, S7).
4).

Further, if NO in S60 of FIG.
Proceeding to 64, it is determined whether or not the start / end counter of the area 2 and the start / end counter of the area 3 match. S6
If YES at 4, it is considered that a reset process has occurred during storage of the area 1. Therefore, majority processing using the data of the areas 2 and 3 is performed in S66 (see FIG. 3D). Here also, the processing of FIG. 12 is performed. However, only two regions 2, 3 are used, and a binary comparison is performed. If the variables in the regions 2 and 3 match, the memory is restored, and if they do not match, power-on initialization is performed.

If S64 of FIG. 11 is also NO, S68
Proceed to. Also in this case, power-on initialization is performed because there is a possibility of memory destruction.

The operation of the memory contents destruction judging device according to the present embodiment has been described above with reference to FIGS.

In the WDT return processing of FIG. 11, offset subtraction (correction) was first performed. However, the offset subtraction may be performed immediately before the comparison of each data. This modification is preferable in the following points.

The reset of the WDT may occur two or more times in succession. In that case, the second reset
Process 1 is interrupted and returns to the beginning. Then, the offset subtraction is performed again. That is, two overlapping offset subtractions are performed on each data. On the other hand, according to the present modification, offset subtraction is performed at the time of comparing data, so that duplicate offset subtraction is avoided.

Next, the vehicle running control after returning from the memory will be described. As described with reference to FIGS. 1 and 2, the present system detects a magnetic marker on a road and specifies a vehicle position from the number of accumulated markers. Here, the processing of the number of magnetic markers as an example will be described.

Before describing the processing after the return, the outline of the normal control will be described again. The system identifies the vehicle position by counting the magnetic markers. The road shape is stored in advance. The vehicle is driven along the road based on the road shape and the vehicle position. For example, in the example of FIG. 2, the vehicle knows in advance the existence of the curve ahead and its shape. Therefore, the deceleration is completed before entering the curve, and the steering control of the wheels is started.

In the WDT reset process, the memory contents are restored as described above. However, the vehicle has advanced to some extent between the occurrence of the runaway and the completion of the return. Therefore, the vehicle position obtained from the memory contents,
There is a deviation from the actual vehicle position.

Therefore, in the present embodiment, when the control is resumed after returning from the memory, the position error stored in the memory is appropriately corrected. For example, the number of markers that have passed after the runaway has occurred is estimated and added to the cumulative number of markers.

In this embodiment, it is also preferable to handle position data as follows. (i) The control system does not particularly perform position correction after WDT return. (ii)
Only when the vehicle passes the absolute position marker, the position is corrected. The absolute position markers are provided at appropriate intervals as shown in FIG. 13, and the vehicle grasps its absolute position when passing through the absolute position markers.

The reason why the position correction may be delayed as described above will be described. Referring to FIG. 14, when the vehicle passes through a gentle curve, the vehicle can travel along the road even if there is some error in the position information (FIG. 14A).
On the other hand, a sharp curve requires accurate position information (see FIG. 1).
4 (b)). Therefore, in the traffic system of FIG. 13, an absolute position marker is set before a sharp curve having a radius smaller than a predetermined value. An absolute position marker is also set in front of the corner. Further, an absolute position marker is set before a predetermined important point such as a stop station or a junction. Important points are points that require precise position control of the vehicle (including sharp curves and corners). With such a configuration, there is no problem even if the position error is not corrected immediately after the WDT operation. When accurate position information is needed when approaching a sharp curve or the like, the position information is corrected.

Further, when the memory cannot be restored, that is, when the memory contents are destroyed, it is also preferable to perform the following processing. If the cumulative count value of the magnetic marker is lost, the vehicle position cannot be determined. The vehicle position on the stored road shape data (map) is not known, and as a result, the road shape data cannot be used for traveling control. However, low-speed traveling without using the road shape data is possible. That is, based on the detection signal of the magnetic sensor, it is possible to run the vehicle at a low speed while tracing the magnetic marker directly under the vehicle (foot). Therefore, the vehicle is driven to the next absolute position marker in the low-speed traveling mode. The vehicle position is obtained when passing through the absolute position marker. Then, it returns to the normal traveling control mode.

As described above, in relation to the data on the number of magnetic markers,
The control processing after memory return according to the present embodiment has been described.

As described above, the data of the number of magnetic markers is a typical example of data that is not desired to be initialized at the time of resetting the WDT. As described above, it is desirable to perform a save process (not initialized) at the time of resetting the WDT for variables that are accumulated with the passage of time and other variables that require values immediately before runaway. On the other hand, variables that do not require a value immediately before runaway may not be saved and may be erased by power-on initialization. Such a variable is, for example, vehicle speed data. The vehicle speed data may be obtained again from the vehicle speed sensor after the return processing.

In view of the above, in the present embodiment, preferably, the information stored in the memory area is divided into information necessary for control after resetting the value immediately before the runaway and other information. Only the former information WDT storage areas 1 to 3
And restore the information on reset. The latter information is handled only in the area 0 and is not copied to the storage areas 1 to 3.
According to this aspect, the memory capacity can be reduced. Further, the saving process and the restoring process can be speeded up by reducing the data amount.

The preferred embodiment of the present invention has been described above. Needless to say, the present embodiment can be arbitrarily and appropriately modified within the scope of the present invention. For example, in this embodiment, the automatic vehicle driving device has been described, but the present invention can be applied to any other computer device. Also, RA
The present invention is applicable to control of any type of readable / writable storage means other than M.

[0087]

According to the present invention as described above,
It is possible to accurately determine the destruction of the memory contents using the majority decision. Furthermore, even when a situation occurs in which all memories are painted with the same value, destruction of memory contents can be reliably determined.

In particular, in a control system such as an automatic vehicle driving system, even when a runaway occurs, the memory contents are rarely destroyed, and in many cases, the memory contents can be used continuously. However, when the contents of the memory are destroyed, it is necessary to reliably detect the corruption and to perform appropriate processing such as stopping driving. In such a system, the effect of the present invention in which the memory destruction can be accurately and reliably determined can be remarkably obtained.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of a vehicle traveling control device provided with a memory content destruction determination device according to an embodiment of the present invention.

FIG. 2 is a diagram partially showing a traffic system in which a vehicle equipped with the device shown in FIG. 1 travels.

FIG. 3 is a diagram showing an outline of a memory content destruction determination method of the present invention.

FIG. 4 is a diagram showing offset processing which is one feature of the present invention.

FIG. 5 is a diagram showing a storage copy process of a memory area in FIG. 3;

FIG. 6 is a diagram showing a writing process of a common variable area which is one of the four memory areas in FIG. 3;

FIG. 7 is a diagram illustrating a method of determining a writing progress state according to the embodiment;

FIG. 8 is a flowchart showing the operation of the memory content destruction determination device of the present invention.

FIG. 9 is a flowchart showing a power-on initialization process of FIG. 8;

FIG. 10 is a flowchart showing a memory storage copy process of FIG. 8;

FIG. 11 is a flowchart showing a watchdog reset return process of FIG. 8;

FIG. 12 is a flowchart showing a majority decision process of FIG. 11;

FIG. 13 is a diagram showing an installation position of an absolute position marker on a road in a traffic system.

FIG. 14 is a diagram showing an influence of a position information error on vehicle running according to a curve shape of a road.

[Explanation of symbols]

0 common variable area, 1, 2, 3 WDT storage area,
10 Main ECU, 14 sensors, 18 actuators, 20 CPU, 22 ROM, 24 RAM, 2
6 WDT.

Claims (12)

[Claims] 1. A memory content destruction determination method in which the same data is written in a plurality of memory areas and a majority decision is made by comparing storage data in the plurality of memory areas. Recording the write progress information indicating that there is, and, based on the write progress information, performing a majority decision using storage data of a plurality of memory areas excluding the memory area in the middle of writing. A memory content destruction determination method characterized by including: 2. The memory content destruction determination method according to claim 1, wherein a start counter indicating a start of writing, an actual data portion, and an end counter indicating an end of writing are set in each of the plurality of memory areas. And a memory content destruction determination method, wherein the write progress information is recorded in the start counter and the end counter. 3. The memory contents destruction determination method according to claim 1, further comprising the step of restoring data in a memory area based on a result of the majority decision. 4. The memory content destruction determination method according to claim 1, further comprising: when recording data in the plurality of memory areas, offsetting a value of the data between the memory areas, A memory content destruction determination method, wherein an offset is corrected when a majority decision is made. 5. A memory content destruction determination method for writing the same data in a plurality of memory areas and comparing the stored data of the plurality of memory areas with a majority decision, wherein data is recorded in the plurality of memory areas. A method of offsetting the value of data between memory areas, and a step of correcting the offset between memory areas before performing a majority decision. 6. A memory content destruction judging device for writing the same data in a plurality of memory areas and making a majority judgment comparing the stored data in the plurality of memory areas, wherein each of the plurality of memory areas is in the middle of writing. Progress recording means for recording write progress information indicating that there is, based on the write progress information, a determination to make a majority decision using storage data of a plurality of memory areas excluding a memory area being written Means, and a memory content destruction determination device, characterized by comprising: 7. The memory content destruction determination device according to claim 6, wherein a start counter indicating a start of writing, an actual data portion, and an end counter indicating an end of writing are set in each of the plurality of memory areas. A memory content destruction determination device, wherein the status recording means records the write progress information in the start counter and the end counter. 8. The memory contents destruction judging device according to claim 6, further comprising restoring means for restoring data in a memory area based on a result of the majority decision. 9. The memory content destruction determination device according to claim 6, further comprising: an offset unit for offsetting a data value between the memory areas when recording the data in the plurality of memory areas. A memory content destruction judging device, wherein the judging means corrects an offset when making a majority judgment. 10. A memory content destruction determining apparatus for writing the same data in a plurality of memory areas and performing a majority decision comparing the stored data in the plurality of memory areas, wherein the data is recorded in the plurality of memory areas. A memory content destruction determining apparatus, comprising: offset means for offsetting a data value between memory areas; and determining means for performing a majority decision after correcting an offset between memory areas. 11. The memory content destruction judging device according to claim 6, further comprising a runaway detecting means for detecting that a runaway of computer processing has occurred, wherein said judging means makes a judgment when a runaway occurs. A memory content destruction judging device characterized by the above-mentioned. 12. The memory contents destruction judging device according to claim 11, wherein said runaway detection means is a watchdog timer.