JP2008040964A - Operating system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that it is difficult to protect a memory from an application thread because many small-scale microcomputers do not have hardware for achieving memory protection called a memory management unit. <P>SOLUTION: When this operating system transfers execution authority to an operation thread by using a specific area access break function mounted as a debug function of a microcomputer, the execution authority is transferred to the application thread after a memory area desired to be protected is previously set from the application thread. Consequently, when accessing the protected area by the application thread, an interrupt generated by the specific area access break function brings the execution authority back to the operating system to process a thread subjected to unauthorized memory access. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an operating system, and more particularly to detection of illegal memory access by an application and operation after detection.

  In recent years, embedded software installed in microcomputers has become increasingly complex due to the increase in size and the diversification of processing. Under such circumstances, an operating system is increasingly installed even in a relatively small embedded system. The reason for installing an operating system is that many benefits can be expected, such as improved software portability and improved utilization for the processing power of microcomputers. Some operating systems achieve high robustness by providing a memory protection function for protecting areas other than memory areas accessible from application programs.

  The memory protection function is realized by hardware called a memory management unit mounted on the microcomputer. The memory protection function functions between programs divided into execution units called processes. The operating system allocates a virtual address space to each process, and each process can freely read and write the virtual address space. The access to the virtual address space is converted by the memory management unit into access to the real address space that does not overlap with the real address space occupied by other processes. As a result, even in the virtual address space, the same address is converted into access to a completely different memory area in the real address space, and the processes can operate without interfering with each other.

  However, unlike a microcomputer for a personal computer or a microcomputer for a large-scale embedded device, a small-scale microcomputer does not have a memory management unit. In such a small microcomputer system, the application program and the operating system cannot be divided into separate processes, and threads that share the same address space between the operating system and the application program (smaller execution units constituting the process) The memory space of the operating system cannot be protected from the application program.

On the other hand, even if the memory space cannot be protected, if the occurrence of illegal memory access can be detected at an early stage, a sudden exception can be prevented, which contributes to the improvement of stability. In the method disclosed in Patent Document 1, unauthorized switching can be detected by comparing inspection codes (check sums) of memory areas allocated to threads when switching threads. That is, record the inspection code of the thread that loses execution right just before moving from the thread with execution right to another thread, and calculate the inspection code again when the execution right returns to the original thread again And compare with the recorded inspection code. In this way, illegal memory access is detected in advance.
JP 2004-326331 A

  However, the conventional technique for detecting illegal memory access disclosed in Patent Document 1 requires an inspection code to be calculated every time a thread is switched, which increases overhead and impairs responsiveness. In particular, in a system that requires real-time performance such as an embedded device, there is a demand for detecting an illegal memory access by a lightweight method.

  In order to solve the above problem, an operating system according to the present invention is provided on a microcomputer having a specific area access break function that generates an interrupt when a read or write access is performed to a specific address area designated in advance in a memory. An operating system that operates on the microcomputer, and the operating system grants the execution right to any one of a plurality of application threads that manage the execution right by the operating system. When the specified area is accessed, the specified area access break function is interrupted. When the application thread accesses the specified area, this access is regarded as an access violation, and the specified area is Area Aqua The interrupt Subureku function regained execution right to the operating system, with respect to an application thread that performs access violation, it is characterized in that it comprises the illegal access detecting function of performing scheduling based on a predetermined rule.

  The control device of the present invention is an operating system that operates on a microcomputer having a specific area access break function that generates an interrupt when a read or write access is made to a specific address area designated in advance in a memory. And when the operating system gives the execution right to any one of a plurality of application threads that operate on the microcomputer and the operating system manages the execution right, the specific area Set to generate an interrupt for the specific area access break function when accessed, and when the application thread accesses the specific area, this access is regarded as an access violation, and the interrupt for the specific area access break function is By A control device equipped with an operating system having an unauthorized access detection function for performing scheduling based on a predetermined rule with respect to an application thread that has regained an execution right to the operating system and has made an access violation. If the execution of the control device is not hindered even if the application thread that has made an access violation is stopped, the application thread is forcibly terminated.

  Furthermore, the electric brake controller of the present invention is characterized in that the control device is a control device for an electric brake for a vehicle.

In addition, the electric brake controller of the present invention is characterized by comprising means for notifying the driver when it is detected that there has been unauthorized access.
(Note that “application thread” refers to an application program.)

  Since the operating system of the present invention detects illegal memory access from an application thread and enables processing such as rescheduling according to the detected memory access, the stability of the control system equipped with this operating system is improved. There is an effect.

  In addition, since the control device according to the present invention can control the scheduling of a thread according to the importance of a thread that has performed unauthorized access, the rescheduling of the thread is canceled if it is an unauthorized access from a thread of low importance. As a result, it becomes possible to eliminate the cause of unauthorized memory access. The present invention is particularly useful for an embedded system to which software can be dynamically added. However, even in an embedded system to which software cannot be dynamically added, it is easy to detect unauthorized access to application threads. Can be easily eliminated, and can contribute to improving the quality of embedded systems.

  FIG. 1 shows a schematic view of a vehicle equipped with an electric brake controller equipped with an embodiment of the present invention. In the vehicle 1201, the integrated control device 1202 is a control device for appropriately instructing the braking force to each of the electric brake actuators 1203, 1204, 1205, and 1206. The integrated control device 1202 acquires the operation amount and operation force of the driver as an electrical signal by the brake operation amount sensor 1210 attached to the brake operation element 1209 connected via the electric wire 1211. The integrated control device 1202 calculates the target pressing force for the four wheels based on the detected values, converts the target pressing force into an electric signal, and transmits the electric signal to the electric brake actuators 1203, 1204, 1205, and 1206 via the communication path.

  The electric brake actuators 1203, 1204, 1205, and 1206 are configured to generate a braking force by pushing out the brake pad 1301 shown in FIG. 2 by the piston 1303 and pressing the brake pad 1302 as in the conventional hydraulic disc brake. Thus, it has an electromechanical integrated structure incorporating a control circuit (not shown), an electric motor (not shown), and a piston mechanism (not shown). Further, the electric brake actuators 1203, 1204, 1205, and 1206 are equipped with an electric parking brake function that can mechanically hold the piston 1303 by controlling a latch mechanism (not shown). The braking force can be maintained even in a situation where the motor does not operate. This electric parking brake function can be applied and released by an electrical signal from the integrated control device 1202 via a communication path.

  The electric brake actuators 1203, 1204, 1205, 1206 rotate the brake rotor 1302 by controlling the operation of the piston 1303 so as to generate a target pressing force given by an electric signal from the integrated controller 1202. And the force is transmitted to tires 1212, 1213, 1214, and 1215 attached to the same shaft, and the vehicle is decelerated.

  The microcomputer installed in the electric brake controller incorporates an electrically programmable flash ROM (address A to B in FIG. 3) and RAM (address D to E in FIG. 3), and is connected to an external memory. Not working in so-called single-chip mode. The microcomputer has built-in peripheral hardware such as a serial communication interface, an AD converter, and PWM, and the access method to the register group related to the setting is the same address space as the ROM, the RAM, etc. This is a memory mapped I / O method that can be accessed at (address C to address D in FIG. 3).

  As shown in FIG. 4, the software operating on the microcomputer using this embodiment is “hardware” representing a register group of microcomputer peripheral hardware, and “application” representing a processing group of electric brake control software. It is composed of three layers called “operating system” that mediates hardware and applications.

  The operating system of this embodiment includes a special process called “system call”, and at least the system call shown in FIG. 5 is prepared. The system call is an interface for an application to use the function of the operating system.

  The operating system has two functions, a device manager and a thread manager. The device manager manages software called a device driver for setting peripheral hardware. The thread manager manages the allocation of execution rights for a plurality of small processes constituting the application. These small processes are associated with management information called a thread management block shown in FIG. 6 by an “generation” system call in FIG. 5 to become an object called an application thread. When a thread management block is newly allocated to an application thread, a dynamically allocated thread management block is allocated, or a free thread management block having a predetermined number of thread management blocks allocated is allocated. To do. The application thread generated in this way is registered in the application thread queue held by the thread manager, and waits for the execution right of the microcomputer to be assigned. A general embedded operating system has a function of assigning the execution right of a microcomputer at least in a time-sharing manner to application threads in a “waiting” state, and each application thread is apparently executed in parallel. It becomes possible to do.

  The thread management block shown in FIG. 6 holds the address of the stack area assigned to the application thread, the microcomputer general-purpose register, the program counter, the state of the application thread, and the like. As the state of the application thread, at least one of the “states” illustrated in FIG. 7 is set. General-purpose registers and program counters may be stored in the stack instead of the thread management block. In addition to these pieces of information, the thread management block of the operating system of this embodiment holds the address of the exception handling routine when this thread makes an illegal memory access.

  In the brake controller, first, when the electric brake controller is activated, a boot loader for activating the operating system is executed by a power-on reset interrupt. As shown in FIG. 8, the boot loader initializes the microcomputer in S101, reads the initial state of the operating system from the ROM into the RAM in S102, and calls the operating system initialization process in S103. Note that the processing does not return to the boot loader again after the processing moves to the operating system in S103.

  FIG. 9 shows the procedure of the initialization process of the operating system. When the initialization of the operating system starts in S200, the device driver, which is a program for exchanging data with peripheral hardware, is initialized in S201, and the thread manager that manages the scheduling of application threads is initialized in S202. Then, in S203, the process moves to scheduling of application threads by the thread manager of the operating system.

  When the initialization of the operating system is completed, the thread manager selects an application thread to be executed according to a predetermined scheduling algorithm, and grants execution rights to the application thread. Note that once the processing shifts to the scheduling of the thread manager, the processing does not end unless the brake controller is turned off.

  The microcomputer using this embodiment has a specific area access break function that generates an interrupt after the access is completed when a specific address area preset in the memory is accessed. The operating system of this embodiment uses this function to detect unauthorized memory access. The function will be described below.

  In FIG. 4, an application originally performs data exchange with peripheral hardware via a device driver via a system call. However, the microcomputer of the electric brake controller using one embodiment of the present invention does not have a memory management unit, which is peripheral hardware providing a virtual address space, and has the same operating system and application. It is something that shares space. Therefore, access to a register group for setting peripheral hardware that should not be accessed from an application cannot be prohibited, which may impair stability as an electric brake controller. For example, consider a case where the execution right is transferred to an application thread called another thread B by a thread manager while an application thread called a thread A is accessing the hardware via a system call. When thread B accesses the register group for setting the peripheral hardware used by thread A and rewrites the value of the register in the process, then when the execution right is transferred to thread A again, It may happen that the hardware does not operate as expected by thread A.

  The operating system of the present embodiment detects an illegal memory access of an application thread by the procedure of the system call shown in FIG. 10 and the procedure of the scheduling process in the thread manager shown in FIG.

  In FIG. 10, when a system call is invoked, first, the specific area access break function is invalidated in S801. Next, original processing corresponding to the system call is performed in S802, the specific area access break function is re-enabled in S803, the system call is terminated in S804, and the process returns to the caller. For example, access to a hardware setting register via a device driver via a system call is not regarded as unauthorized access.

  Next, scheduling processing in the thread manager will be described. In FIG. 11, first, S900 is called, and a specific area access break function is initialized so that an interrupt is generated for access to the peripheral hardware area shown in FIG. 3 in S901. Next, in S902, the specific area access break function is disabled. In step S903, the next thread management block is read from the application thread queue. In S904, it is determined whether or not the application thread read in S903 is “waiting”. If it is in the “waiting” state, the process moves to S905. If it is not in the “waiting” state, the process returns to S903, and the thread is managed again from the queue. Read the block. In step S905, the specific area access break function is enabled, the process moves to step S906, and the execution right is passed to the application thread. In this way, an interrupt by the specific area access break function occurs only when an illegal access to the hardware setting register is performed by the application thread.

  In the interrupt by the specific area access break function, as shown in FIG. 12, the specific area access break function is disabled in S1001, and the exception processing when an illegal memory access occurs is stored in the thread management block when the application thread is generated in S1002. ”Is executed, and the state of the thread management block is set to“ violate ”in S1003. After that, scheduling processing is performed by the “transfer” system call in S1004. Note that the exception processing at the time of illegal memory access in S1002 and the subsequent “violation” setting in S1003 may be in the reverse order.

  FIG. 13 shows a state in which the driver first performs the basic brake operation and changes the operation to the electric parking brake from time t1500. Here, the basic brake thread is a thread for generating braking force according to the driver's brake pedal operation, the event logger thread is a thread for monitoring and recording events generated in the system, and the electric parking brake thread is the driver's electric This thread activates the parking brake in accordance with the operation of the parking brake operator. When each application thread finishes the predetermined process, the execution right is transferred to the thread waiting for execution after the scheduling process. Scheduling is performed so that the execution right is not transferred to the thread in the dormant state, but the execution right is transferred only to the waiting thread.

  In the electric brake system according to the present invention, the application threads for realizing the electric brake are ranked in importance as shown in FIG. 14, and “exception processing when illegal memory access occurs” described in FIG. Select from. For example, when an application thread called “event logger” classified as an unimportant rank makes an illegal memory access, the “event logger” thread is forcibly terminated, and an upper system is notified of an abnormality. . Subsequent scheduling for “event logger” threads classified as unimportant will no longer be performed, but other threads will be scheduled as usual, so other functions such as basic braking will function normally.

  On the other hand, when an application thread called “electric parking brake” that controls the operation of the electric parking brake classified into the important rank makes an illegal memory access, it is not forcibly terminated. The host system is notified that the “electric parking brake” thread has made an illegal memory access, but the subsequent scheduling is performed as usual. The driver is appropriately notified to the driver through a warning light or the like from the host system.

  By doing this, it is possible to extend the operation of the electric brake system as much as possible for unauthorized memory access of important processing, and to terminate the application thread for unauthorized memory access of minor processing that is not so, As a result, side effects can be prevented and the electric brake system can be operated stably.

  It can be used for embedded devices equipped with microcomputers.

It is the schematic of the vehicle equipped with the electric brake controller carrying one Example of this invention. It is the schematic of the part which generate | occur | produces the braking force of the electric brake of the vehicle provided with the electric brake controller which concerns on a present Example. It is an address arrangement diagram on the memory of the microcomputer according to the present embodiment. It is a figure explaining the structure of the software mounted in the electric brake controller which concerns on a present Example. It is a chart explaining the kind and function of "system call" concerning a present Example. It is a figure explaining the structure of the "thread management block" concerning a present Example. It is a table | surface which shows "Description" of "State" of the application thread concerning a present Example. It is a figure which shows the procedure of the "boot loader" concerning a present Example. It is a figure which shows the procedure of the initialization process of the operating system which concerns on a present Example. It is a figure which shows the procedure of the "system call" concerning a present Example. It is a figure which shows the procedure of the "scheduling process" concerning a present Example. It is a figure which shows the procedure of the "specific area access break interruption handler" concerning a present Example. It is a figure which shows the time flow of a basic brake thread | sled, a parking brake thread | sled, an event logger thread | sled, and a scheduling process concerning a present Example. It is a chart which shows the relationship of "application thread", "rank", "notification to a high-order system", and "reschedule after unauthorized access" concerning a present Example. It is a table explaining the contents of “rank” and “exception processing when illegal memory access occurs” according to the present embodiment.

Explanation of symbols

1201: vehicle,
1202: Integrated controller,
1203, 1204, 1205, 1206: Electric brake actuator,
1209: Brake operator
1210: Brake operation amount sensor,
1211: Electric wire,
1212,1213,1214,1215: tires,
1301: Brake pad,
1302: Brake rotor,
1303: Piston

Claims (4)

An operating system that operates on a microcomputer having a specific area access break function that generates an interrupt when a read or write access is performed to a specific address area designated in advance in a memory,
When the operating system accesses the specific area when the operating system gives an execution right to any one of a plurality of application threads that operate on the microcomputer and the execution system manages the execution right To generate an interrupt for the specific area access break function,
When the application thread accesses the specific area, this access is regarded as an access violation, and the execution right is regained to the operating system by interruption of the specific area access break function. An operating system having an unauthorized access detection function of performing scheduling based on a predetermined rule. An operating system that operates on a microcomputer having a specific area access break function that generates an interrupt when a read or write access is performed to a specific address area designated in advance in a memory,
When the operating system accesses the specific area when the operating system gives an execution right to any one of a plurality of application threads that operate on the microcomputer and the execution system manages the execution right To generate an interrupt for the specific area access break function,
When the application thread accesses the specific area, this access is regarded as an access violation, and the execution right is regained to the operating system by interruption of the specific area access break function. A control device equipped with an operating system characterized by having an unauthorized access detection function of performing scheduling based on a predetermined rule,
A control apparatus characterized by forcibly terminating an application thread when the execution of the control apparatus is not hindered even when the application thread that has made an access violation is stopped.   An electric brake controller, wherein the control device according to claim 2 is a control device for an electric brake for a vehicle.   An electric brake controller, comprising: means for notifying a driver when the controller according to claim 3 detects that there has been unauthorized access.

Images