JP2010198183A - Program execution device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program execution device for continuing the whole operation even when any error is occurred during execution of a program. <P>SOLUTION: In the program execution device, an error detection corresponding call instruction/return instruction execution function part 5 executes an ECALL instruction corresponding to a function call invalidating function due to error occurrence, and an error detection instruction execution function part 6 detects an error during program execution by the ECALL instruction according to an error detection instruction. When the error is detected by the error detection instruction execution function part 6, the error detection corresponding call instruction/return instruction execution function part 5 invalidates the ECALL instruction. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  According to the present invention, when an error is detected during execution of a program by a branch instruction, the program operation itself is continued by stopping the program execution of the branch instruction portion in which the error is detected without stopping the entire program operation. The present invention relates to a program execution device having a function.

Conventionally, in a system that executes a program, when an abnormality occurs during system operation, it should be selected between a mode in which the system is stopped and a mode in which the apparatus in which the abnormality has occurred is disconnected from the system and the operation is continued. There was a device to decide.
For example, in the apparatus described in Patent Document 1, when an error of the apparatus is detected during system operation by the error detection mechanism, a system down mode in which the system is urgently stopped to prevent malfunction, and an apparatus in which an abnormality has occurred The system is configured to determine which of the dynamic degeneration modes in which the (part) is disconnected from the system and continues to operate is selected.
In this dynamic degeneration mode, the device control unit such as a driver that controls the device to be disconnected supports the operation when the device is disconnected, and the system continues to operate even if the device is disconnected. It can be done.

Japanese Patent Application Laid-Open No. 2001-175489

For example, when processing such as motor control is implemented by software on a processor or controller, the contents of arithmetic processing as basic control processing are routine processing such as a PID (proportional / integral / derivative) control method. In many cases, the fixed amount processing is realized by adding or subtracting a correction amount to a control amount or target value generated or used.
When updating the software processing content in such a controller product, the validity of the basic control processing content is often already verified by the software that is already used as the product at that time. A malfunction of a function realized by software often occurs in a difference function part added as software with respect to basic control processing contents.

Although the added differential function has been verified before shipping the product, a fatal error that makes it difficult to continue processing may occur due to an unexpected situation that occurs in the actual use environment of the product. is there. For example, as a fatal error that makes it difficult to continue processing,
・ The correction amount calculated by the difference function is a negative value although it should be a positive value. ・ The correction amount calculated by the difference function should be within the range of a certain value, but the range is exceeded. Etc. exist.

When such an error occurs, it is difficult to calculate an appropriate control amount, which makes it difficult to continue execution of the controller, and the operation of the controller itself must be stopped. There was a problem of stopping.
Also, even when trying to fully verify when developing a controller so that such defects do not occur, it is difficult to detect and respond to all defects before shipping because there are many combinations of states to be verified. There was a problem that.

  The present invention has been made to solve the above problems, and an object of the present invention is to provide a program execution device capable of continuing the entire operation even if an error occurs during the execution of the program.

A program execution device according to the present invention includes an error detection unit that detects an error during program execution by a branch instruction, and an instruction execution unit that invalidates the branch instruction when an error is detected by the error detection unit It is.
Here, “program execution by branch instruction” indicates a state in which a branch destination instruction is fetched and executed after a branch instruction is issued.

  When an error is detected during program execution by a branch instruction, the program execution apparatus according to the present invention invalidates the branch instruction, so that the program execution can be continued without stopping the operation of the entire program.

It is a block diagram which shows the program execution apparatus by Embodiment 1 of this invention. It is explanatory drawing which shows the program execution operation | movement in the program execution apparatus by Embodiment 1 of this invention. It is explanatory drawing which shows the process pattern in the program execution apparatus by Embodiment 1 of this invention.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a program execution device according to Embodiment 1 of the present invention.
A program execution device 1 shown in FIG. 1 includes an instruction execution function unit 2, an instruction fetch function unit 3, and a NOP instruction switching function unit 4. The instruction execution function section 2 includes an error detection corresponding call instruction / return instruction execution function section (instruction execution section) 5 and an error detection instruction execution function section (error detection section) 6. When the error detection corresponding call instruction / return instruction execution function unit 5 is executing a predetermined error generation invalidation branch instruction and the error detection instruction execution function unit 6 detects an error during execution of the branch instruction, the branch being executed is executed. It has a function of invalidating an instruction. The error detection instruction execution function unit 6 is a function unit that detects whether an error has occurred during program execution by an error generation invalidation branch instruction.

  The error detection support call instruction / return instruction execution function section 5 includes an error detection support return process execution function section 7, an error flag setting function section 8, a return address setting function section 9, and an error detection support call instruction invalidation function section 10. ing. The error flag setting function unit 8 includes an ERRST register (error occurrence state holding unit) 81 and an ECALLFLG register 82. Further, the return address setting function unit 9 has an ERETADR register 91, and the error detection corresponding call instruction invalidation function unit 10 has an EADR register (address holding unit) 101.

  The error detection instruction execution function unit 6 includes an error state identification function unit 11 and an error occurrence call instruction address identification function unit 12, and the error state identification function unit 11 includes an ERRSIG register 111. The instruction fetch function unit 3 has a program counter 31.

  The error detection corresponding return process execution function unit 7 performs normal return processing, and if an error is detected (the ECALLFLG register 82 of the error flag setting function unit 8 is 1 and the ERRST register 81 is 1) ) Is a functional unit that performs return processing based on the address of the ERETADR register 91 of the return address setting function unit 9. The error flag setting function unit 8 sets the flag of the ECALLFLG register 82 to 1 when executing an error generation invalidation branch instruction, and error detection is performed from the error state identification function unit 11 of the error detection instruction execution function unit 6. When notified, the flag of the ERRRST register 81 is set to 1. The return address setting function unit 9 is a function unit that sets a return address (return destination program address when returning from a function call) in the ERETADR register 91. When an error occurrence call instruction address is notified from the error occurrence call instruction address identification function section 12, the error detection corresponding call instruction invalidation function section 10 sets this address in the EADR register 101 and invalidates the error occurrence. When the branch instruction is executed, if the value in the ERRST register 81 is 1, the value in the EADR register 101 is compared with the current program address, and if they are the same, the error generation invalidation branch instruction is invalidated and the branch process is performed. It is configured to notify that there is no.

  The error state identification function unit 11 in the error detection command execution function unit 6 has a function of detecting an error when executing an error detection command. When an error is detected, the error state identification function unit 11 is configured to set 1 in the ERRRSIG register 111. Yes. The error detection command will be described later. The error occurrence call instruction address identification function unit 12 is a program that has issued a function call when an error occurs based on the value of the ERETADR register 91 of the return address setting function unit 9 when the error state identification function unit 11 detects an error. An address is calculated, and this address is notified to the error detection handling call instruction invalidation function unit 10.

  The instruction fetch function unit 3 is a function unit that fetches an instruction from the instruction memory 13 based on the value of the program counter 31. The NOP instruction switching function unit 4 invalidates the error instruction invalidation branch instruction from the error detection corresponding call instruction invalidation function unit 10 and invalidates the branch instruction, and the NOP instruction (No Operation instruction) ). The instruction memory 13 is a memory that stores a program executed by the program execution device 1.

  The program execution apparatus 1 is assumed to have an instruction fetch function, an instruction decode function, and an instruction execution function in a normal program execution apparatus, for example, generally called a processor or a controller. In FIG. 1, although the instruction decode function unit is not described, it is assumed that the instruction execution function unit 2 executes an instruction based on the instruction decode result. It is assumed that the instruction fetch function unit 3 fetches an instruction from the instruction memory 13 based on the program counter 31.

In order to explain what functions the program execution device 1 according to the present embodiment has with respect to a normal configuration in a program execution device generally called a processor or a controller, for example, in the present invention, The instructions held by the program execution device 1 and their operations will be described below.
The program execution apparatus 1 according to the present embodiment has arithmetic operation instructions, logical operation instructions, data load / store instructions, and branch instructions that are held by a normal program execution apparatus. As a normal branch instruction, there are a CALL instruction (call instruction) for realizing a function call and a RET instruction (return instruction) for returning to the function call source after the function call.
For such a normal branch instruction, a CALL instruction (error generation invalidation branch instruction: hereinafter referred to as an ECALL instruction for explanation) corresponding to a function call invalidation function upon occurrence of an error, which is a feature of the present invention. ) And a RET instruction corresponding to this special CALL instruction (hereinafter, this instruction is referred to as an ERET instruction for the sake of explanation), and an error detection corresponding call instruction / return instruction execution function unit 5 on the program execution device 1 Are provided with the execution function.

  The ECALL instruction takes the function call destination address (program execution address changed by the function call) as an argument (operand) and is executed by the error detection corresponding call instruction / return instruction execution function unit 5. That is, when the ECALL instruction is executed, the return address setting function unit 9 holds the return address (return destination program address when returning from the function call) in a dedicated register (ERETADR register 91) held by the program execution device 1. Then, the error flag setting function unit 8 sets the ECALLFLG register 82, which is a flag register indicating that a function call based on the ECALL instruction is being executed, to a value of 1.

  The ERET instruction is executed by the error detection corresponding call instruction / return instruction execution function unit 5. That is, when the instruction is executed, the error flag setting function unit 8 checks the value of the ECALLFLG register 82. If the value is 1, the error flag setting function unit 8 sets the value to 0, and the error detection corresponding return process execution function unit 7 performs the above-described ERETADR. Return to the program address held in the register 91 and continue execution.

Each time the ECALL instruction is executed, information on which program address is executed is held in the processor. Since the issue address of the ECALL instruction can be normally identified by simple subtraction from the return destination program address held in the ERETADR register 91, the program address as the call source can be derived from the ERETADR register 91. In the embodiment, the error occurrence call instruction address identification function unit 12 derives.
Specifically, if the delay slot after the call instruction is issued is 0, the address immediately before the address held in the ERETADR register 91 is 1 and if the delay slot is 1, the address 2 before the address held in the ERETADR register 91 is The program address that issued the function call. Here, the delay slot is a general term and indicates the position of an instruction executed before the immediately preceding instruction takes effect.

In addition, there are two dedicated registers related to the ECALL instruction issue function (error detection handling call instruction / return instruction execution function unit 5) in the processor. One is an ERRST register 81 existing in the error flag setting function unit 8, and the other is an EADR register 101 existing in the error detection handling call instruction invalidation function unit 10.
The ERRST register 81 holds information when an error is detected by execution of an error detection instruction to be described later. The error flag setting function unit 8 sets a value of 1 when an error occurs and thereafter. The value 0 is held when no error has occurred.
The EASR register 101 is a register that holds a program address that issued a function call when an error occurs, and holds an address notified by the error occurrence call instruction address identification function unit 12.

  The ECALL instruction issue function checks the ERRST register 81 when issuing an instruction. If the value is 0, the ECALL instruction is issued as it is. If the value is 1, the error detection corresponding call instruction invalidation function unit 10 The value on the EADR register 101 is compared with the current program address. If they are the same, the ECALL instruction is invalidated and the branch process is not performed. In this case, the ECP instruction is handled as a so-called NOP instruction by the NOP instruction switching function unit 4.

Further, as described above, the program execution apparatus 1 is equipped with an error detection instruction for performing an error check on the operation result. An error detection instruction is an instruction that performs a range check on a value on a general-purpose register that holds an operation result. For example, whether or not a value on a register is greater than or less than a specified value, or a value Is a range check command such as whether the sign of is positive or negative, or whether the absolute value is within a specified range. In particular,
“Instruction to test whether the absolute value of the value is smaller than a certain positive value (hereinafter referred to as ERANGE instruction)”
“Instruction for testing whether it is positive (hereinafter referred to as EPOS instruction)”
“Instruction to test for negative value (hereinafter referred to as ENEG instruction)”
Etc. These instructions are executed by the error detection instruction execution function unit 6.

  In the ERANGE instruction, a number indicating a general register (not shown) in which the operation result is held and a general register number holding a value to be compared with the operation result in the general register or an address in the data memory are designated as operands. . The EPOS instruction and the ENEG instruction specify a general-purpose register number that holds the operation result as an operand.

The error detection instruction issue function (error detection instruction execution function unit 6) checks the value defined for each instruction by the error state identification function unit 11, and if an error is determined, The value of the ERRRSIG register 111 indicating an error occurrence signal is set to 1. If no error is determined, this register remains at the value 0.
When the value of the ERRSIG register 111 becomes 1, the error flag setting function unit 8 sets the ERRST register 81 to the value 1 if the value of the ECALLFLG register 82 is 1. The error occurrence call instruction address identification function unit 12 obtains the program address that issued the function call from the value set in the ERETADR register 91 and notifies the error detection corresponding call instruction invalidation function unit 10. The error detection corresponding call instruction invalidation function unit 10 holds an address notified from the error occurrence call instruction address identification function unit 12 in the EADR register 101 and also indicates information indicating that the ECALL instruction is invalid as an instruction fetch function unit 3 and the return address setting function unit 9 are notified. As a result, the error detection return process execution function unit 7 immediately returns to the return address set in the ERETADR register 91.

The operation will be described below based on the program code. As a specific example, a program code considered as a base is BASE (see FIG. 2).
A process is considered in which a new command value is derived by calculating a difference amount by an additional program and adding the command value derived by the program BASE. Specifically, assuming that the command value is held in the general-purpose register R1, and the correction amount is held in the general-purpose register R2, the correction amount R2 is always added to the command value R1:
R1 + R2 → R1
The command value R1 is updated by

Assuming that the correction processing program A is implemented as a function as an additional function as a difference code in the program processing description, the program address is also A for ease of understanding.
It is assumed that the ECALL instruction has one delay slot like a general RISC processor. The program description in this case is as shown in FIG.
When the ECALL instruction is issued, it is assumed that the return address is held in the ERETADR register 91 in the processor (the address indicating ADD R1, R2 → R1 in FIG. 2). Also, it is assumed that the instruction address that issued the ECALL instruction can be identified from the return address (the delay slot is 1 and the address indicating ADD R1, R2 → R1 minus 2 is the address that issued the ECALL instruction). This address identification is performed by the error occurrence call instruction address identification function unit 12.

In the correction process A, the correction amount is calculated in the general-purpose register R3 by the time when the entire process is completed. Further, it is assumed that a range of values that the correction amount should satisfy is held in a data memory specified by an address addr on the data memory not shown in the figure.
The ERANGE instruction in the error state identification function unit 11 loads the value from the address addr, compares the value of the general-purpose register R3, and if the absolute value of R3 is smaller than the value loaded from the address addr, an error occurs. It is determined that there is no error, and the error detection corresponding return process execution function unit 7 performs a return by a normal ERET instruction.
Thereby, the transition of the value of the correction amount R2 is
MOV 0 → R2
MOV R3 → R2 (R3: Correction amount)
ADD R1, R2 → R1 (R1: Control amount)
The correction amount R3 is added to the control amount R1.

On the other hand, if it is determined that an error is detected by the ERAANG instruction (indicating that the value is out of range), the error detection corresponding return processing execution function unit 7 immediately returns to the return address and the address that issued the ECALL A instruction is It is held in the ERRST register 81 and EADR register 101 inside the processor that it is invalid.
Thus, after this processing, the error detection corresponding call instruction invalidation function unit 10 identifies that the instruction issuing the corresponding ECALL A instruction is an invalid ECALL instruction, and ignores the ECALL instruction (NOP instruction switching function unit). 4 is a NOP instruction).
As a result, the register transition of the correction amount is MOV 0 → R2.
ADD R1, R2 → R1 (R1: Control amount)
Thus, the control amount R1 is derived as a result of the state in which the correction amount by the additional function is not added.

  The movements of the processing described above are summarized as shown in FIG. Normally, the program is executed by “processing pattern (1)”. Execution of the ECALL A instruction by the error detection corresponding call instruction / return instruction execution function unit 5 branches to the process A, and after executing the processing body, the error detection instruction execution function unit 6 performs error detection by the error detection instruction. . If no error is detected, the error detection corresponding call instruction / return instruction execution function unit 5 executes the ERET instruction as it is, returns to the original processing unit, and continues the processing.

Similarly, when processing is repeated, if an error is detected when an error is detected by an error detection command after executing the processing body of processing A as in “Processing pattern (2)”, error detection is supported. The call instruction / return instruction execution function unit 5 stops the subsequent instruction execution (does not execute the ERET instruction), immediately returns to the original processing unit, continues the instruction execution, but retains information that an error has occurred. Therefore, the processing is executed with “processing pattern (3)” from the next processing.
In the “processing pattern (3)”, since the ECALL instruction is handled as a NOP instruction, the call process to the process A is not performed, and the process is always executed while ignoring the ECALL instruction.

As described above, since the program execution device 1 is realized, when an error that is difficult to continue processing occurs in a program code portion that is created as a difference and executed as a function call, the code portion is executed from the next time onward. Thus, the execution of the processing main body can be continued without stopping the program, and the program processing can be continued without stopping the execution of the program.
Further, since this function is realized as a function possessed by the program execution device 1, the program code to be operated on the function can be realized by adding a few instructions.
Furthermore, the function call invalidation function based on error detection described in the present embodiment is not a function realized by the program code but a function realized on the program execution device 1, so that even if an error occurs, the program The processing can be executed without greatly extending the execution time of the code, and the real time property of the software processing can be secured. Further, it is not necessary to set the number of defect detection program codes to be detected. Therefore, the amount of memory used to store this program can be reduced, and the product cost can be reduced.

  In the above embodiment, when the ECALL instruction is given in addition to the normal branch instruction, the error detection instruction execution function unit 6 detects the error by the error detection instruction. However, the normal branch instruction is given. Even in such a case, error detection may be performed for this branch instruction.

  Although the execution time of the program code is required to some extent, the functions of the error detection support call instruction / return instruction execution function unit 5 and the error detection instruction execution function unit 6 in the program execution device 1 may be configured by software.

  As described above, according to the program execution device of the first embodiment, when an error is detected during execution of a program due to a branch instruction, and when the error is detected by the error detection section, branching is performed in subsequent instruction execution. Since the instruction execution unit for invalidating the instruction is provided, the program execution can be continued without stopping the operation of the entire program.

  Further, according to the program execution device of the first embodiment, the error detection unit determines whether the value obtained by executing the program with the branch instruction is greater than or less than the specified value, or whether the sign of the value is positive or negative. Because the error is detected based on whether or not the absolute value of the value is within the specified range, it is possible for the program creator to arbitrarily set what kind of situation the error will occur, and finely Determination processing can be performed.

  Further, according to the program execution device of the first embodiment, when an error is detected by the error detection unit, an error occurrence state holding unit in which an error occurrence flag indicating an error occurrence is turned on, and a branch instruction in which the error has occurred And an address holding unit that holds an address on the program memory where the error is stored, the error occurrence flag is turned on in the error occurrence state holding unit, and the branch instruction of the address held in the address holding unit is executed In this case, since the branch instruction is replaced with an invalid instruction, it is possible to separate the function called process without modifying the program code executed on the program execution device, thereby improving the maintainability of the program. be able to.

  In addition, according to the program execution device of the first embodiment, the error detection unit is a program executed by an error generation invalidation branch instruction when an error generation invalidation branch instruction different from a normal branch instruction is given. Error can be detected, so it is easy to switch between functions that are subject to error detection and normal functions that are not subject to error detection, while maintaining the same program implementation, which improves program maintainability. it can.

  1 program execution device, 2 instruction execution function section, 3 instruction fetch function section, 4 NOP instruction switching function section, 5 error detection support call instruction / return instruction execution function section, 6 error detection instruction execution function section, 7 error detection support return Processing execution function section, 8 error flag setting function section, 9 return address setting function section, 10 error detection corresponding call instruction invalidation function section, 11 error status identification function section, 12 error occurrence call instruction address identification function section, and 13 instruction memory , 31 program counter, 81 ERRST register, 82 ECALLFLG register, 91 ERETADR register, 101 EADR register, 111 ERRSIG register.

Claims (4)

An error detection unit for detecting an error during program execution by a branch instruction;
A program execution device comprising: an instruction execution unit that invalidates the branch instruction in subsequent instruction execution when an error is detected by the error detection unit.   The error detection unit checks whether the value obtained by executing the program using the branch instruction is greater than or less than the specified value, whether the sign of the value is positive or negative, or whether the absolute value of the value is within the specified range. 2. The program execution device according to claim 1, wherein an error is detected based on whether or not. When an error is detected by the error detection unit, an error occurrence state holding unit in which an error occurrence flag indicating the occurrence of the error is turned on; and
An address holding unit holding an address on a program memory in which the branch instruction in which the error has occurred is placed,
When the error occurrence flag is on in the error occurrence state holding unit and a branch instruction at an address held in the address holding unit is executed, the branch instruction is replaced with an invalid instruction. The program execution device according to claim 1 or 2.   The error detection unit detects an error in a program executed by the error generation invalidation branch instruction when an error generation invalidation branch instruction different from a normal branch instruction is given. The program execution device according to claim 1.

Images