JP2012068788A - Information processing device and failure detection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing device that performs proper fail-safe processing even if an abnormal CPU core cannot be identified.SOLUTION: The information processing device 100 includes program storage means 12 and mode changing means 30 for changing a mode from a lock step mode to an asynchronous mode. The device further includes comparing means 32 for comparing the calculation results of first calculation means and second calculation means in the lock step mode, and software control means 31 that causes, when the calculation results do not match each other, the first calculation means and the second calculation means to execute self diagnosis software respectively after the mode changing means changes the mode from the lock step mode to the asynchronous mode. Both results of the self diagnosis of the two calculation means show normal, the mode changing means changes the mode from the asynchronous mode to the lock step mode, and software control means causes the first calculation means and the second calculation means to respectively execute fail-safe software whose operation has been guaranteed by execution of the self diagnosis software.

Description

  The present invention relates to an information processing apparatus that can detect an abnormality of a CPU or a CPU core, and in particular, an information processing apparatus that can detect an abnormality of a CPU or a CPU core such as a dual core that operates in a lockstep mode. The present invention relates to an anomaly detection method.

  A lot of computers (ECU: electronic control unit) are mounted on the vehicle, and various controls are executed by the computer. Although a computer is equipped with a CPU, an abnormality may occur because the CPU is a kind of machine. In the vehicle, it is necessary to design the CPU so that the avoidance action by the driver is ensured even if an abnormality occurs in the CPU from the viewpoint of ensuring safety (hereinafter referred to as fail-safe processing).

  For this reason, a method of mounting a plurality of CPUs in a computer and verifying the outputs mutually is adopted. However, when the outputs of the plurality of CPUs do not match, it is necessary to identify the CPU in which an abnormality has occurred.

  For example, in a triple-core CPU equipped with three CPU cores, the computer can identify an abnormal CPU core relatively easily. In other words, if the same processing is executed by three CPU cores and the outputs are compared by a comparison circuit, etc., and a mismatch occurs in the output of any of the three CPU cores, the computer must identify the abnormal CPU core by majority vote. Can do.

  However, since adopting a triple core increases the cost, it is desired to identify an abnormal CPU core even in a CPU equipped with a dual core. For example, in a CPU equipped with a lockstep dual core, the same processing is always executed by two CPU cores, and the output of each CPU core is compared. If a mismatch occurs in output in one CPU core, the process is continued only in the other CPU core.

  Thus, if an abnormal CPU core can be identified by some method, the CPU core is disconnected and fail-safe processing is possible (for example, refer to Patent Document 1). Patent Document 1 discloses a fault-tolerant system that, when a mismatch error is detected in both of them in a synchronized state, temporarily becomes asynchronous and separates the faulty part if the faulty part is explicit.

JP 2006-178616 A

  However, in the case of a dual core having only two CPU cores, it is difficult to determine which one is correct when the output does not match. There is a problem that is not disclosed. If an abnormal CPU core cannot be identified as described above, appropriate fail-safe processing is difficult.

  The present invention has been made in view of the above problems, and an object thereof is to provide an information processing apparatus and an abnormality detection method that are equipped with dual cores or two CPUs and are capable of appropriate fail-safe processing even when an abnormal CPU core cannot be identified. And

  The present invention provides a program storage means for storing a program, a first operation means, a second operation means, and a lock in which the first operation means and the second operation means execute the same instruction at the same timing. An information processing apparatus comprising: a mode switching means for switching from a step mode to an asynchronous mode in which the first computing means and the second computing means independently execute instructions, wherein the first in lock step mode If the calculation result does not match the comparison means for comparing the calculation results of the second calculation means and the second calculation means, the mode switching means switches from the lock step mode to the asynchronous mode, and then the first calculation means And software control means for causing the second calculation means to execute self-diagnosis software, respectively, the first calculation means and the second calculation means When all the self-diagnosis results are normal, after the mode switching unit switches from the asynchronous mode to the lockstep mode, the software control unit executes the fail-safe software whose operation is guaranteed by the execution of the self-diagnosis software. The first calculation means and the second calculation means are respectively executed.

  Even if a dual core or two CPUs are mounted, an information processing apparatus and an abnormality detection method capable of appropriate fail-safe processing even when an abnormal CPU core cannot be identified can be provided.

It is an example of the figure explaining the outline of an information processor. It is an example of the schematic block diagram of information processing apparatus. It is an example of a functional block diagram of a CPU. It is a figure explaining the validity / invalidity of the line between blocks, or a block in each mode in lock step mode and asynchronous mode. It is an example of the flowchart figure which shows the procedure in which a lockstep management part switches a lockstep mode and an asynchronous mode. It is an example of the figure which illustrates typically the relation between fail safe software and self-diagnosis software. It is an example of the figure which illustrates typically the procedure at the time of producing | generating self-diagnosis software from fail safe software. It is an example of the flowchart figure which deform | transformed the flowchart figure of FIG. It is an example of the figure which illustrates fail safe software in normal software typically.

Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.
FIG. 1 is an example of a diagram illustrating an outline of the information processing apparatus according to the present embodiment. The information processing apparatus has a lock-step dual core mounted on the CPU, and the comparison means always compares the outputs of the two CPU cores (lock-step mode).
(1) When the comparison device detects a mismatch between the two outputs, the information processing device changes from the lockstep mode to the asynchronous mode.
(2) Each CPU core in the asynchronous mode executes self-diagnosis software. The self-diagnosis software describes a process and an expected value for determining whether or not a typical function of the CPU core is normal, and whether the CPU core is normal or not is determined by whether or not the process result matches the expected value. It is determined whether or not.
(3) The self-diagnosis software describes a process for diagnosing whether or not a typical function of the CPU core is normal. Therefore, it is known that the abnormality detection accuracy is less than 100%. For this reason, even if there is an abnormality in one of the CPU cores, the self-diagnostic software can obtain a result that there is no problem with either of the CPU cores, and the CPU core with the abnormality may not be identified.
(4) In this case, the two CPU cores return to the lockstep mode, and the two CPU cores both execute fail-safe software.

  One feature of the information processing apparatus according to this embodiment is that the fail-safe software is configured only by processing guaranteed by the self-diagnosis software.

  By doing so, while the fail-safe software is executed, the vehicle performs only an operation in which no abnormality is caused by the self-diagnosis software, so that the driver can surely retreat.

  The simplest configuration of such fail-safe software is to make the self-diagnostic software and fail-safe software the same. If no abnormality is detected by the self-diagnostic software, no problem occurs in the fail-safe processing. It is guaranteed.

  Alternatively, the process of the self-diagnosis software can be comprehensively extracted from the process of the fail-safe software so that the vehicle can only perform an operation that does not cause an abnormality by the self-diagnosis software while the fail-safe software is executed. it can. Since the fail-safe software is suppressed to a small process necessary for the driver to take evacuation action, the relationship of self-diagnosis software> fail-safe software can be guaranteed.

[Hardware configuration]
FIG. 2 shows an example of a schematic configuration diagram of the information processing apparatus 100. The information processing apparatus 100 is called an ECU (electronic control unit), for example, and is used to control various on-vehicle apparatuses. The information processing apparatus 100 includes a CPU 11, a ROM 12, a RAM 13 and an INTC (interrupt controller) 14 connected to the system bus 19, an I / O 17 connected to the I / O bus 20, and a system bus 19 and an I / O bus. It has a connected BRG (bus bridge) 15.

  The ROM 12 stores a program (hereinafter referred to as normal software) executed by the information processing apparatus 100 for control. As will be described later, the program includes self-diagnosis software and fail-safe software in addition to normal software. In addition, an OS and a device driver may be stored. There are cases where normal software processing is called normal processing, self-diagnostic software processing is called self-diagnosis processing, and fail-safe software processing is called fail-safe processing. However, software and processing need not be strictly distinguished.

  The RAM 13 is a working memory when the CPU 11 executes a program, and the INTC 14 arbitrates interrupt factors from timers, sensors, other ECUs, etc., and issues an interrupt request to the CPU 11.

  The BRG 15 converts the frequency, voltage value, and the like between the system bus 19 and the I / O bus 20. The I / O 17 is an interface that connects the information processing apparatus 100 and an external device. For example, various actuators, sensors, switches, and the like are connected to the I / O 17.

  FIG. 3 is an example of a functional block diagram of the CPU 11. The CPU 11 is a CPU capable of lockstep with a dual core. A plurality of CPUs 11 may be mounted instead of the multi-core. The CPU core 111 (hereinafter referred to as CPU cores 1 and 2 when distinguished) is connected to the lockstep management unit 30. The lockstep management unit 30 includes an arbitration unit 31, an output comparison unit 32, a result determination unit 33, and an output selection unit 34.

  A lock step is an instruction execution method in which two or more CPU cores 111 execute the same instruction stream in parallel. The CPU 11 that can perform the lock step is referred to as a lock step CPU. Since each CPU core 111 in the lockstep CPU executes the same instruction stream, it outputs the same result. However, if an abnormality occurs in one or more CPU cores 111, an extremely large noise that is electrically unacceptable, or alpha particles affect the CPU cores 111, the outputs of the plurality of CPU cores 111 match. Not happen.

  The CPU 11 of this embodiment tries to identify an abnormal CPU core 111 when the two outputs do not match. However, even if the CPU core 111 cannot be identified, no abnormality occurs in the CPU 111 as long as the CPU core 111 executes fail-safe software. I can guarantee that.

  The lockstep management unit 30 switches between a lockstep mode in which two CPU cores 111 execute the same instruction stream and an asynchronous mode in which each CPU core 111 executes an instruction stream independently. The lock step management unit 30 controls each function of the lock step management unit 30 depending on whether the lock step mode or the asynchronous mode.

  FIG. 4 is a diagram for explaining the validity / invalidity of lines between blocks and blocks in each of the lockstep mode and the asynchronous mode. In the lock step mode, the arbitration unit 31, the output comparison unit 32, and related lines are enabled. In the asynchronous mode, the arbitration unit 31, the result determination unit 33, the output selection unit 34, and related lines are enabled.

  Returning to FIG. 3, the ROM 12 is connected to the arbitration unit 31, and the arbitration unit 31 sends instructions for normal software, self-diagnosis software, or fail-safe software to the CPU core 1 and the CPU core 2 according to the state of the CPU 11. Output.

  In the lock step mode, the output comparison unit 32 constantly compares the output results of the CPU core 1 and the CPU core 2 (for example, every clock), and notifies the arbitration unit 31 when they do not match. When the output comparison unit 32 detects a mismatch, the output comparison unit 32 notifies the CPU core 1 and the CPU core 2 of the start of execution of the self-diagnosis software. Further, when both outputs match, the output comparison unit 32 outputs the operation result of at least one of the CPU core 1 and the CPU core 2.

  The result determination unit 33 acquires a diagnosis result when the CPU core 1 and the CPU core 2 execute the self-diagnosis software from the CPU core 1 and the CPU core 2 in the asynchronous mode, and the CPU core 1 according to the diagnosis result. And CPU core 2 are instructed to execute normal software or fail-safe software.

When the abnormal CPU core 111 is identified by the self-diagnostic software in the asynchronous mode, the output selection unit 34 selectively selects the normal software calculation result by the CPU core 1 or the CPU core 2 without abnormality to the system bus 19. Output.
[Processing procedure]
FIG. 5 is an example of a flowchart illustrating a procedure in which the lock step management unit 30 switches between the lock step mode and the asynchronous mode.

  The CPU 11 immediately after start-up operates in the lockstep mode (S110). Since the lock step management unit 30 operates each unit in the lock step mode, as described with reference to FIG. 4, the line k1, k2, lines a1, a2, lines b1, b2, and line f are effectively enabled, and the arbitration unit 31 And the output comparison unit 32 are set effectively.

  The arbitration unit 31 in the lockstep mode supplies normal software or fail-safe software instructions to the CPU core 1 and the CPU core 2 one by one (S120). Since clock signals having the same frequency are supplied to the CPU core 1 and the CPU core 2, both execute the same instruction at the same time. Since the arbitration unit 31 reads one command from the ROM 12, the arbitration unit 31 duplicates the command and supplies it to the CPU core 1 and the CPU core 2. Further, in a configuration in which the system bus 19 between the ROM 12 and the CPU does not become a bottle net, even if the arbitration unit 31 sets the same address in the program counter of the CPU core 1 and the CPU core 2, both of them synchronize and issue the same instruction. Can be executed.

  Since the CPU core 1 and the CPU core 2 output the calculation results almost simultaneously via the lines a1 and a2, the output comparison unit 32 compares whether or not the two output results match. Notify the unit 30 and the arbitration unit 31. Note that whether or not they match may be determined by determining whether or not they completely match, but it is possible to regard that a level mismatch that can be regarded as an error matches.

  When it is determined that the output comparison unit 32 matches (Yes in S130), the output comparison unit 32 outputs the output of the CPU core 1 or the CPU core 2 to the system bus 19 via the line f (S140).

  When it is not determined that the output comparison units 32 match (No in S130), the lock step management unit 30 switches the CPU 11 from the lock step mode to the asynchronous mode (S150). Specifically, in order to operate each part in the asynchronous mode, the lines k1, k2 and the arbitration unit 31 remain valid, and communication via the lines c1, c2, d1, d2, lines e1, e2, and line g is enabled. The result determination unit 33 and the output selection unit 34 are set effectively.

  Then, the arbitrating unit 31 causes the CPU core 1 or the CPU core 2 to execute self-diagnosis software (S160). Specifically, the head address of the self-diagnosis software is set in the program counters of CPU core 1 and CPU core 2.

  The CPU core 1 and the CPU core 2 detect that the self-diagnosis software is being executed based on the start notification of the self-diagnosis software from the output comparison unit 32, and determine the result of the self-diagnosis results via the lines c1 and c2, respectively. The data is output to the unit 33 (S170). The diagnosis result is assumed to be High or Low when the expected value and the calculation result of the self-diagnosis software match.

The result determination unit 33 notifies the determination result to the lockstep management unit 30, the arbitration unit 31, and the output selection unit 34 based on the diagnosis results of the CPU core 1 and the CPU core 2 (S180). There are the following four determination results.
(i)
Only the diagnosis result of CPU core 1 indicates that there is an abnormality
(ii) Only the diagnosis result of CPU core 2 indicates that there is an abnormality
(iii) CPU core 1 and 2 diagnostic results are both abnormal
(iv) The diagnosis results of CPU cores 1 and 2 are both normal
As shown in (iii), the failure of both the CPU cores 1 and 2 occurs in a situation where the information processing apparatus 100 itself is physically destroyed, for example, a large impact is applied to the vehicle. Such a situation does not occur when the vehicle is running normally, but in the unlikely event, the information processing apparatus 100 promptly turns on all the warning lamps on the meter panel, etc. ) Is urged to be brought into the vehicle (S190).

  When only one of the CPU core 1 or the CPU core 2 fails as in (i) or (ii), the CPU 11 remains in the asynchronous mode, but the arbitration unit 31 determines whether the CPU core 1 or the CPU core is based on the determination result. A normal software command is supplied only to one of the two that has not failed (S200). In addition, the result determination unit 33 notifies the CPU core 1 or the CPU core 2 that has not failed of the type of software to be executed (normal software in this case).

  The CPU core 1 or the CPU core 2 that has not failed outputs the calculation result to the output selection unit 34 based on the type of software to be executed (normal software in this case). Based on the determination result, the output selection unit 34 enables only the non-failed side of the lines e1 and e2, acquires the calculation result of either the CPU core 1 or the CPU core 2 that is not faulty, and the line g The calculation result is output to the system bus 19 via S (S210).

  As described above, in the case of (i) or (ii), the information processing apparatus 100 executes the normal software in the asynchronous mode, so that the driver can drive in the same manner as before the abnormality occurs. Note that the occurrence of an abnormality in the CPU core 1 or the CPU core 2 is notified to the driver by a warning lamp or the like, and is stored in the nonvolatile memory, so that it can be used for later analysis.

  As shown in (iv), when both the diagnosis results of the CPU cores 1 and 2 indicate normality, the lock step management unit 30 switches from the asynchronous mode to the lock step lock step mode (S220).

  In the lock step mode, the arbitrating unit 31 causes both the CPU core 1 or the CPU core 2 to execute fail-safe software based on the determination result (S230). Because of the lock step mode, the CPU core 1 and the CPU core 2 execute the same instruction at the same time. The result determination unit 33 notifies both the CPU core 1 or the CPU core 2 of the type of software to be executed (here, fail-safe software).

  Both the CPU core 1 and the CPU core 2 output a calculation result to the output comparison unit 32 based on the type of software to be executed (here, fail-safe software). If the output comparison unit 32 determines that the two outputs match, the output of the CPU core 1 or the CPU core 2 is output to the system bus 19 via the line f.

  Since the minimum necessary processing is executed by the fail-safe processing, the driver can perform a driving operation such as retreating the vehicle to the road shoulder. For example, if the information processing apparatus 100 is an ECU for engine control, the information processing apparatus 100 suppresses the engine speed to about the idling speed regardless of the throttle opening caused by the driver's operation of the accelerator pedal. Alternatively, when the engine speed exceeds a predetermined value, the fuel injection is cut regardless of the operation of the accelerator pedal. Such fail-safe processing allows the vehicle to run only at low speeds and allows parking and stopping.

  Further, for example, if the information processing apparatus 100 is a power steering ECU, the information processing apparatus 100 does not interfere with the driver's steering or the assist force when detecting the torque in the steering direction of the driver is zero. Control to a small value. Thus, the driver can steer the vehicle in a desired direction even if the steering force becomes heavy.

  When the information processing apparatus 100 is a brake ECU, the information processing apparatus 100 stops processing related to ABS (anti-lock brake system) and TRC (traction control) and puts the solenoid valve of the brake actuator in a non-energized state. As a result, the vehicle is braked only by the hydraulic pressure generated by the driver's operation of the brake pedal, so that the driver can park at a desired location.

[Fail-safe software and self-diagnosis software]
Hereinafter, the self-diagnosis software of this embodiment will be described.
The self-diagnosis software is substantially the same as the fail-safe software. If no abnormality is detected in either the CPU core 1 or the CPU core 2, the information processing apparatus 100 executes the fail-safe process in the lockstep mode. However, in other words, if fail-safe processing is possible, it may be determined that there is no abnormality even by self-diagnosis. Therefore, if the self-diagnosis software is the same as the fail-safe software, development of the self-diagnosis software is not required and the increase in cost can be suppressed.

  As described above, the fail-safe process includes the minimum process necessary for the driver to evacuate in any ECU, but does not include an expected value or a process for verifying the expected value. . For this reason, the developer adds an expected value and a process for verifying the expected value to the fail-safe software.

  FIG. 6 is an example of a diagram schematically illustrating the relationship between fail-safe software and self-diagnosis software. In FIG. 6, the conventional failsafe process is executed with the failsafe function, the operation result of the failsafe function is called with the main function, and compared with the expected value.

  First, when the main function is executed, the expected value nnnn is stored in the variable kekka. The expected value nnnn is a control value when the CPU core 111 executes fail-safe processing in a state where there is no abnormality in the CPU core 111. For example, in the case of an engine ECU, there are a throttle opening at idling, a control amount (voltage value) of an injector (electronically controlled electromagnetic valve) calculated for fuel cut, and the like. In the case of a power steering ECU, the assist torque is calculated from the steering torque.

  Next, the main function calls the falesafe function with “kekka = failsafe ();”. The failsafe function performs calculations necessary for fail-safe processing such as calculation of throttle opening at the time of idling, control amount of the injector, or calculation of assist torque, and stores the calculation result in a variable enzan. In this fail-safe process, the same calculation as that performed when the expected value nnnn is obtained is executed. The result of the operation is stored in the variable kekka by "return enzan;".

  The main function compares kitaichi and kekka and outputs a diagnosis result to the result determination unit 33. In this way, the developer can prepare self-diagnosis software by making full use of fail-safe software. Further, if there is no abnormality in the diagnosis result by the self-diagnosis software, it is guaranteed that the CPU core 111 does not behave abnormally even by fail-safe processing, so that the driver can evacuate the vehicle reliably. .

・ Generate self-diagnostic software from fail-safe software Instead of importing fail-safe software into self-diagnostic software as it is, it is also possible to extract instructions or instruction streams from fail-safe software and generate self-diagnostic software by appropriately supplementing instructions. it can. If the fail-safe software is self-diagnosis software, there is a possibility that sufficient diagnosis cannot be performed or there are many instructions that are included in the normal software but not executed in the self-diagnosis software.

  Therefore, by extracting instructions and instruction streams from fail-safe software and supplementing or combining instructions as appropriate, self-diagnostic software that makes it easier for the CPU core 111 to detect abnormalities can be obtained, and fail-safe It is possible to generate self-diagnosis software that guarantees that there is no abnormality in the execution of the fail-safe process even if the process shifts to the process.

  FIG. 7 is an example of a diagram schematically illustrating a procedure for generating self-diagnosis software from fail-safe software. The failsafe software is written in C language or the like, but when stored in the ROM 12, it is compiled by a compiler and converted into object code. Since the object code is a machine language, it is actually expressed in hexadecimal, etc., but a mnemonic such as “Load” in the figure is an opcode. Further, following the opcode, an operand represented by Rn (n is an integer) is described. There are various operands such as a register name and numerical value, two register names, a register name and a pointer name. Many instructions have only one operand.

  If there is self-diagnostic software that comprehensively executes this object code, the failure-safe software can detect that no abnormality is detected by the execution of the self-diagnostic software more than when the self-diagnostic software and fail-safe software have the same processing contents. It can be guaranteed that it can be executed without abnormality.

In order to create self-diagnosis software from fail-safe software, in this embodiment, an instruction extraction means is provided in the compiler. The instruction extracting unit extracts the instruction in, for example, three modes.
I Single opcode detected by failsafe software object code
II Opcode and operand pairs detected by the object code of failsafe software
III With the instruction stream of consecutive instructions detected by the object code of the failsafe software, the operation code of LOAD ADD ST SUB SH is extracted by I alone, and by II, “LOAD R1”, “ADD R1” “ST R1” “ A set such as “LOAD R2”, “SUB R2”, and “SH R3” is extracted, and an instruction stream such as “LOAD + ADD”, “ADD + ST”, “LOAD + SUB”, “SUB + ST”, and “LOAD + SH” is extracted by III.

  Since only the extracted instructions are not established as a program, the developer adds a minimum number of instructions and generates self-diagnostic software components. For example, Load and St are inevitably necessary as minimum instructions. In addition, it is included in mov (assignment instruction), add (addition instruction), jmp (movement instruction), xor (logical operation), etc., but it is difficult to guarantee fail-safe processing for instructions that are not in fail-safe processing Therefore, it is preferable to minimize instructions that are not included in the fail-safe software.

  In the mode III, it is more preferable to extract not only the instruction stream of two instructions but also the instruction stream of three or more instructions. This is because, since pipeline processing is implemented in the CPU core 111, there is a tendency for a correlation to occur between the occurrence of an abnormality (occurrence of mismatch) and the combination of instructions executed continuously.

  In this way, the developer completes the self-diagnostic software component. The developer keeps the components of the plurality of self-diagnosis software (or may be combined) and calculates the expected value. If some initial value is required to calculate the expected value, the initial value is given.

  Then, a process for verifying the expected value (initial value if necessary) and the expected value is added for each component of the plurality of self-diagnosis software.

  As described above, the developer can generate self-diagnosis software from fail-safe software. The self-diagnostic software generated in this way sufficiently covers the contents of the fail-safe software, so that the execution of fail-safe processing can be guaranteed, and the self-diagnostic software's instructions are comprehensive, so there is an abnormality due to self-diagnosis. It can also be expected that the detection rate will increase.

[Modification]
In the flowchart of FIG. 5, self-diagnostic software is executed when the output comparison unit 32 detects a mismatch, but no abnormality is detected from either of the CPU cores 111. The information processing apparatus 100 cannot normally execute software.

  However, even when the output comparison unit 32 detects a mismatch, it may be temporary soft air. For this reason, when the output comparison unit 32 detects a mismatch, it may be preferable that the information processing apparatus 100 can execute the normal software again.

  FIG. 8 is an example of a flowchart obtained by modifying the flowchart of FIG. The processing up to step S130 is the same, and when the output comparison unit 32 determines that there is a mismatch (Yes in S130), the arbitration unit 31 increases the number of times of detection of mismatch by one (S135). The number of detections is stored in a memory accessible by the lockstep management unit 30 and the arbitration unit 31. The number of times of detection is counted from the time when the information processing apparatus 100 is activated, for example.

  Then, the lock step management unit 30 switches from the lock step mode to the asynchronous mode, and causes the CPU core 1 and the CPU core 2 to execute self-diagnosis software (S150 to S180).

  In FIG. 8, as shown in (iv), when both the diagnosis results of the CPU cores 1 and 2 indicate normality, the lockstep management unit 30 determines whether or not the number of mismatch detections exceeds the threshold ( S215).

  If the number of mismatch detections does not exceed the threshold (No in S215), there is a possibility that the mismatch is transient, and the lock step management unit 30 executes the processing from step S110. That is, the normal software is executed by the CPU core 1 and the CPU core 2 in the lock step mode. By doing so, it is possible to prevent the fail-safe process from being executed due to a temporary mismatch.

  When the number of mismatch detections exceeds the threshold value (Yes in S215), the lock step management unit 30 switches from the asynchronous mode to the lock step lock step mode as in FIG. Causes fail-safe software to be executed (S220 to S230).

  By processing in this way, if the cause of the mismatch is transient, the information processing apparatus 100 can execute normal software as much as possible.

-A part of normal software can also be used as fail-safe software The developer can specify a part of the normal software that is important for the save operation, but the CPU core 11 is executed only in such a part in the fail-safe process. For example, the same function as the fail-safe software can be obtained by executing a part of the normal software.

  FIG. 9 is an example of a diagram schematically illustrating fail-safe software in normal software. For comparison, the software structure of FIG. 3 is also shown. In FIG. 9, the shaded area is an important part for the saving process. Since this part is used for normal processing, it may not be used for fail-safe processing as it is.

  Therefore, the developer sets a variable for fail-safe processing in an important place for the save processing, and writes a program so that the variable is used during the fail-safe processing. As a result, the normal software can be used as fail-safe software.

  Because of the description such as setting a variable for fail-safe processing, even if the size of the normal software is larger than before, the size can be made smaller than the case where the normal software and the fail-safe software are prepared separately. Therefore, fail-safe software is not necessary, and the capacity of the memory such as the ROM 12 can be reduced.

11 CPU
12 ROM
13 RAM
DESCRIPTION OF SYMBOLS 30 Lockstep management part 31 Arbitration part 32 Output comparison part 33 Result determination part 34 Output selection part 100 Information processing apparatus 111 CPU core

Claims (8)

Program storage means for storing a program, first computing means, second computing means,
From the lock step mode in which the first arithmetic unit and the second arithmetic unit execute the same instruction at the same timing, the asynchronous mode in which the first arithmetic unit and the second arithmetic unit independently execute the instruction. An information processing device comprising mode switching means for switching,
Comparison means for comparing the calculation results of the first calculation means and the second calculation means in the lockstep mode;
If the calculation results do not match, after the mode switching unit switches from the lock step mode to the asynchronous mode, the first control unit and the second calculation unit to execute the self-diagnosis software respectively, Have
When the self-diagnosis results of the first calculation unit and the second calculation unit are both normal, the soft control unit performs the self-diagnosis after the mode switching unit switches from the asynchronous mode to the lockstep mode. Causing each of the first calculation means and the second calculation means to execute fail-safe software whose operation is guaranteed by execution of software;
An information processing apparatus characterized by that. The self-diagnosis software is a program obtained by adding the expected value of processing by the fail-safe software and verification processing of the expected value to the fail-safe software.
The information processing apparatus according to claim 1. The self-diagnosis software is a program having a series of processes generated to include instructions extracted from the fail-safe software according to a predetermined rule, an expected value of the series of processes, and a verification process of the expected values. is there,
The information processing apparatus according to claim 1. When only one of the result of the self-diagnosis of the first calculation means and the result of the self-diagnosis of the second calculation means is abnormal,
The first calculation means or the second calculation means having an abnormality is disconnected from the information processing apparatus, and the calculation result by the first calculation means or the second calculation means having a normal self-diagnosis result is used as a bus. Output selection means for outputting to
The information processing apparatus according to claim 1, further comprising: When the calculation results in the lock step mode match, the comparison unit outputs the calculation result of either the first calculation unit or the second calculation unit to the bus.
The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus. Program storage means for storing a program;
A first computing means, a second computing means,
From the lock step mode in which the first calculation means and the second calculation means execute the same instruction at the same timing, to the asynchronous mode in which the first calculation means and the second calculation means execute the instructions independently. An information processing device comprising mode switching means for switching,
Comparison means for comparing the calculation results of the first calculation means and the second calculation means in the lockstep mode;
A counter for measuring the number of times when the calculation results of the first calculation means and the second calculation means do not match,
Software control means for causing the first calculation means and the second calculation means to execute self-diagnosis software after the mode switching means is switched from the lock step mode to the asynchronous mode,
When the results of self-diagnosis of the first calculation means and the second calculation means are both normal and the counter value of the counter exceeds a threshold value, the mode switching means changes from the asynchronous mode to the lock step mode. After switching to the above, the software control unit causes the first calculation unit and the second calculation unit to execute fail-safe software whose operation is guaranteed by the execution of the self-diagnosis software, respectively.
An information processing apparatus characterized by that. When the self-diagnosis results of the first calculation means and the second calculation means are both normal and the counter value of the counter is equal to or less than a threshold value, the mode switching means changes from the asynchronous mode to the lockstep mode. After switching, the software control means causes the first calculation means and the second calculation means to execute a program for controlling the in-vehicle device,
The information processing apparatus according to claim 6. Program storage means for storing a program;
A first computing means, a second computing means,
From the lock step mode in which the first arithmetic unit and the second arithmetic unit execute the same instruction at the same timing, the asynchronous mode in which the first arithmetic unit and the second arithmetic unit independently execute the instruction. An abnormality detection method for an information processing apparatus comprising mode switching means for switching,
A comparison means comparing the calculation results of the first calculation means and the second calculation means in the lock step mode;
If the calculation results do not match, the mode switching means switches from the lock step mode to the asynchronous mode;
Software control means for causing the first calculation means and the second calculation means to execute self-diagnosis software, respectively;
When the results of self-diagnosis of the first calculation means and the second calculation means are both normal, the mode switching means switches from the asynchronous mode to the lock step mode;
The software control means includes causing the first calculation means and the second calculation means to execute fail-safe software whose operation is guaranteed by execution of the self-diagnosis software, respectively. Detection method.

Images