JP2014085770A - Information processing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing device that can perform switching to a program that normally should be executed when detecting that a program which normally should not be executed is being executed.SOLUTION: An information processing device is constituted so as to execute: initial setting processing in which setting is made for prohibiting the execution of a program other than a predetermined program; and program switching processing in which if the execution of a program other than the predetermined program is detected, an execution program is switched to the predetermined program.

Description

  The present invention relates to an information processing apparatus.

  Conventionally, a program for controlling the operation of a portable electronic device has been configured by a plurality of program modules. Before starting execution of a certain program module, it is determined whether or not the program module can be executed. A technique for stopping the operation of the portable electronic device when the program module cannot be executed is known (see, for example, Patent Document 1).

JP 2007-115187 A

  By the way, with respect to a control program installed in a vehicle or the like, the ECU software may be commonly used for vehicles with different controls such as 2WD and 4WD. In this case, vehicle information is received from another ECU, a vehicle factory tool, or the like, stored in a non-volatile memory, and a logic for dynamically switching the operation with reference to the value is incorporated.

  In addition, microcomputers generally have a memory protection function that limits the memory area that can be used for each process (task) executed on the same microcomputer to prevent interference from unexpected memory access by other processes. ing.

  However, if the software operation is dynamically switched using the information stored in the ECU, a malfunction occurs when the information stored in the ECU is destroyed due to memory destruction, noise, or the like ( For example, there is a problem that processing that should not be executed can be executed. In this regard, in the case of a program that dynamically switches processing by conditional branching etc., even if protection such as multiplexing of the memory itself in which the original information is written is performed, a temporary register such as Since a large memory is used, there is a possibility of malfunction due to noise or the like. In this regard, the current memory protection function prevents interference between processes (tasks) to be implemented, but cannot prevent execution of processes that should not be executed.

  Therefore, an object of the present invention is to provide an information processing apparatus capable of switching to a program that should be originally executed when it is detected that a program that should not be executed is being executed.

In order to achieve the above object, according to one aspect of the present invention, an initial setting process for performing a setting for prohibiting execution of a program other than a predetermined program;
An information processing apparatus configured to execute a program switching process for switching a program to be executed to the predetermined program when execution of a program other than the predetermined program is detected is provided.

  According to the present invention, when it is detected that a program that should not be executed is executed, an information processing apparatus that can switch to a program that should be executed is obtained.

1 is a configuration diagram illustrating an example of a vehicle control device 100. FIG. It is a flowchart which shows an example of the initial process in ECU10 (microcomputer 20). It is a flowchart which shows an example of the main process in ECU10 (microcomputer 20). It is a flowchart which shows an example of the memory protection violation interruption process (program switching process) in ECU10 (microcomputer 20). It is a flowchart which shows another example of the memory protection violation interruption process (program switching process) in ECU10 (microcomputer 20). It is a flowchart which shows another example of the memory protection violation interruption process (program switching process) in ECU10 (microcomputer 20).

  The best mode for carrying out the present invention will be described below with reference to the drawings.

  FIG. 1 is a configuration diagram illustrating an example of the vehicle control device 100. Vehicle control device 100 includes an ECU 10. The ECU 10 may be an ECU that performs arbitrary vehicle control. For example, the ECU 10 may be an ECU that performs driving force control (engine control or transmission control) of the vehicle.

  The ECU 10 may be connected to various other ECUs 12 in the vehicle via an appropriate bus 14 such as a CAN (controller area network). The other ECU 12 may include, for example, a body ECU that controls the electrical components of the vehicle body.

  The hardware configuration itself of the ECU 10 is arbitrary. For example, as shown in FIG. 1, the ECU 10 includes a microcomputer 20 connected to the bus 14 via, for example, a CAN driver 12. The microcomputer 20 includes a CPU 22, a memory protection unit (protection function) 24, a flash memory 26, and a RAM 28.

  Here, in this embodiment, regarding the control program implemented in the vehicle or the like, it is assumed that the ECU software is common to vehicles with different controls such as 2WD and 4WD. That is, the control program includes a plurality of variations of programs (programs that have the same target control but different control contents). Here, the control program includes, for example, a program for variation A for the destination country “Europe” (program for variation A), and a program for variation B for the destination country “Japan” (program for variation B), for example. including. The program for variation A and the program for variation B have the same target control, but the control content (control logic such as required value calculation logic) is different. For example, the target control itself is the same driving force control, but the variation A program is a driving force control program designed for 2WD, for example, and the variation B program is designed for 4WD, for example. For example, it is a driving force control program. At this time, the driving force control program designed for 2WD and the driving force control program designed for 4WD are, for example, the calculation logic of required torque (distribution) to each motor in HV (hybrid) control. Different.

  There are many control programs installed in the vehicle, and each can include a plurality of variations. Here, the description will be continued with respect to a specific one arbitrary control program including a plurality of variations of programs.

  The CPU 22 accesses the flash memory 26 and the RAM 28 via the memory protection unit 24 and performs various processes based on the control programs (variation A program and variation B program) stored in the flash memory 26.

  When the memory protection unit 24 detects that an access (for example, Write / Read access) to an address area designated as a prohibited area has occurred (execution of memory protection) in accordance with execution of a certain control program, information to that effect (Access exception) occurs. The prohibited area may be set (designated) by an application that ensures security, such as supervisor mode. For example, when the access to only the variation A program is permitted and the access to the variation B program is prohibited, the address area in which the variation B program is stored becomes the prohibited area. At this time, the address area in which the variation A program is stored becomes the execution permission area (execution permission address).

  The flash memory 26 is an example of a nonvolatile memory, and other similar types of memory (for example, other EEPROMs) may be used. The flash memory 26 stores a variation A program and a variation B program.

  The RAM 28 may be an SRAM (Static Random Access Memory). The RAM 28 stores values temporarily read from the flash memory 26. The RAM 28 stores, for example, later-described variation information [VARI].

  FIG. 2 is a flowchart showing an example of initial processing in the ECU 10 (microcomputer 20).

  In step 200, vehicle information [INF] is input. Vehicle information may be inputted from other ECU12 (for example, body ECU etc.) by in-vehicle ECU communication, such as CAN communication, for example. In this case, the vehicle information may be data that is periodically received while the ignition switch is on. The vehicle information may be received from a vehicle factory tool or the like. The vehicle information includes information on variations of the control program (that is, information indicating which variation program should be executed for the vehicle). Here, the vehicle information includes information indicating which of the variation A program and the variation B program should be executed. For example, the vehicle information may be information indicating destination or the like as information indirectly indicating which of the variation A program and the variation B program should be executed.

  In step 202, the variation information [VARI] is determined based on the vehicle information input in step 200. That is, the variation information [VARI] corresponding to the vehicle information input in step 200 is stored in the RAM 28 (and the flash memory 26). For example, when the vehicle information [INF] input in step 200 includes information indicating the program for variation A, the variation information [VARI] is determined as “A”, and the vehicle information input in step 200 When [INF] includes information indicating the variation B program, the variation information [VARI] is determined as “B”.

  In step 204, the variation information [VARI] is determined based on the variation information [VARI] determined in step 202, that is, based on the variation information [VARI] stored in the RAM 28 (and the flash memory 26). It is determined whether or not A ″. If the variation information [VARI] is “A”, the process proceeds to step 206; otherwise, the process proceeds to step 208.

  In step 206, a setting for prohibiting execution of programs other than the variation A program is performed. That is, a setting for prohibiting the execution of the variation B program is performed. This setting can protect the memory of the microcomputer 20 from a user application (for example, an application that secures security such as supervisor mode) so that only the program for the variation A is allowed and access to the program for the variation B is prohibited. This may be realized by writing a set value to the register of the unit 24.

  In step 208, based on the variation information [VARI] determined in step 202, it is determined whether or not the variation information [VARI] is “B”. When the variation information [VARI] is “B”, the process proceeds to step 210, and otherwise, the process ends. If there are only two types of variations, the program for variation A and the program for variation B, step 208 may be omitted, and if a negative determination is made in step 204, the process may proceed to step 210.

  In step 210, as in step 206 above, a setting for prohibiting execution of programs other than the variation B program is performed. That is, the setting for prohibiting the execution of the variation A program is performed. When the process of step 210 is completed, the initial process is completed.

  As described above, according to the initial process shown in FIG. 2, it is possible to perform the setting for prohibiting the execution of the program area that should not be executed in the corresponding vehicle, using the vehicle information input by communication or the like.

  FIG. 3 is a flowchart showing an example of main processing in the ECU 10 (microcomputer 20). The main process shown in FIG. 3 may be repeatedly executed at predetermined intervals while the ignition switch is on after completion of the initial process shown in FIG.

  In step 300, based on the variation information [VARI] stored in the RAM 28 (or the flash memory 26), it is determined whether or not the variation information [VARI] is “A”. If the variation information [VARI] is “A”, the process proceeds to step 302; otherwise, the process proceeds to step 304.

  In step 302, the function Func_A () for the variation A is executed. That is, the variation A program is executed.

  In step 304, based on the variation information [VARI] stored in the RAM 28 (or the flash memory 26), it is determined whether or not the variation information [VARI] is “B”. When the variation information [VARI] is “B”, the process proceeds to step 306. Otherwise, the process returns to step 300 as it is. If there are only two types of variations, the variation A program and the variation B program, step 304 may be omitted, and if a negative determination is made in step 300, the process may proceed to step 306.

  In step 306, the function Func_B () for variation B is executed. That is, the variation B program is executed.

  If the variation information stored in the RAM 28 (or the flash memory 26) is rewritten during operation to a value that is not a normal value for some reason (such as noise) during the main processing shown in FIG. The CPU 22 tries to access the memory area (prohibited area) of the program that should not be executed based on the non-normal value. At this time, the memory protection unit 24 functions and prohibits the access. Therefore, information used for switching the control program (that is, switching between the program for variation A and the program for variation B) (or a copy of the information), that is, variation information stored in the RAM 28 (or flash memory 26). Even if it is rewritten to a value that is not a regular value for some reason during the operation, the operation of the processing that should not be executed can be surely prohibited by the setting of the memory protection unit 24.

  FIG. 4 is a flowchart showing an example of a memory protection violation interrupt process (program switching process) in the ECU 10 (microcomputer 20). The process shown in FIG. 4 may be executed as an interrupt process when the memory protection unit 24 generates an access exception during the main process shown in FIG. 3, for example.

  In step 400, based on the setting information of the memory protection unit 24 (see step 206 and step 210 in FIG. 2), whether or not the execution permission area (execution permission address) is the process of the variation A program (process A). Determine. The execution permission area (execution permission address) may be realized by referring to the setting information of the memory protection unit 24. If the execution permission area is the process A, the process proceeds to step 402. If the execution permission area is not the process A, the process proceeds to step 404.

  In step 402, the return to the function Func_A () for variation A is executed. That is, switching to the variation A program is executed. Thus, the variation information in the RAM 28 (or the flash memory 26) used for switching the control program (that is, switching between the variation A program and the variation B program) is a value that is not the normal value “A” for some reason. Even when the program is rewritten to “B” during the operation, it is possible to realize return (switching) to the variation A program that should be executed. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “A”.

  In step 404, based on the setting information of the memory protection unit 24 (see step 206 and step 210 in FIG. 2), whether or not the execution permission area (execution permission address) is the processing of the variation B program (processing B). Determine. If the execution permission area is process B, the process proceeds to step 406. If the execution permission area is not process B, the process ends. If there are only two types of variations, the variation A program and the variation B program, step 404 may be omitted, and if a negative determination is made in step 400, the process may proceed to step 406.

  In step 406, the return to the function B for the variation B Func_B () is executed. That is, switching to the variation B program is executed. As a result, the variation information in the RAM 28 (or flash memory 26) used for switching the control program (that is, switching between the variation A program and the variation B program) is a value that is not the normal value “B” for some reason. Even when the program is rewritten to “A” during operation, it is possible to realize return (switching) to the variation B program that should be executed. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “B”.

  According to the process shown in FIG. 4, it is possible to determine the program area to be originally executed by the interrupt process when the memory protection violation occurs, and to return to the execution state of the program to be originally executed.

  Specifically, during the main process shown in FIG. 3, the variation information stored in the RAM 28 (or the flash memory 26) is rewritten during operation to a value that is not a normal value for some reason (noise or the like). In this case, the CPU 22 attempts to access a memory area (prohibited area) related to a program that should not be executed based on the non-normal value. At this time, the memory protection unit 24 functions to prohibit the processing that should not be executed as described above, and the processing shown in FIG. 4 is executed as the interrupt processing. Therefore, it should not be executed originally when the variation information used for switching the control program (that is, switching between the program for variation A and the program for variation B) is rewritten during operation to a value that is not a regular value for some reason. Even when the program can be executed, it is possible to return (correct) the program to be originally executed.

  In the processing shown in FIG. 4, it is assumed that there are two types of control programs, a variation A program and a variation B program, but the same applies to three or more types of control programs. For example, when there are three types of control programs, a variation A program, a variation B program, and a variation C program, when a negative determination is made in step 404, the setting information (step 206 and step in FIG. 210)), it is determined whether or not the execution permission area (execution permission address) is the process (process C) of the variation C program. If the execution permission area is the process C, the variation C area It is only necessary to return to the function Func_C ().

  FIG. 5 is a flowchart showing another example of the memory protection violation interrupt process (program switching process) in the ECU 10 (microcomputer 20). The process shown in FIG. 5 may be executed as an interrupt process when the memory protection unit 24 generates an access exception during the main process shown in FIG. 3, for example.

  In step 500, it is determined whether or not the violation occurrence location of the memory protection violation is the processing of the variation A program (processing A). For example, referring to the value (address) of the program counter when a memory protection violation occurs, it is determined whether or not the process (task) corresponding to the value of the program counter is the process of the variation A program (process A). May be. In this case as well, the memory protection violation is generated based on the setting information of the memory protection unit 24 (see step 206 and step 210 in FIG. 2). It is determined based on the setting information. If the violation occurrence location is the process A, the process proceeds to step 502. If the violation occurrence location is not the process A, the process proceeds to step 504.

  In step 502, a return to the function B for the variation B Func_B () is executed. That is, switching to the variation B program is executed. As a result, the variation information in the RAM 28 (or flash memory 26) used for switching the control program (that is, switching between the variation A program and the variation B program) is a value that is not the normal value “B” for some reason. Even when the program is rewritten to “A” during operation, it is possible to realize return (switching) to the variation B program that should be executed. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “B”.

  In step 504, it is determined whether or not the violation occurrence location of the memory protection violation is the processing of the variation B program (processing B). If the violation occurrence location is process B, the process proceeds to step 506, and if the violation occurrence location is not process B, the process ends. If there are only two types of variations, the variation A program and the variation B program, step 504 may be omitted, and if a negative determination is made in step 500, the process may proceed to step 506.

  In step 506, return to the function Func_A () for variation A is executed. That is, switching to the variation A program is executed. Thus, the variation information in the RAM 28 (or the flash memory 26) used for switching the control program (that is, switching between the variation A program and the variation B program) is a value that is not the normal value “A” for some reason. Even when the program is rewritten to “B” during the operation, it is possible to realize return (switching) to the variation A program that should be executed. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “A”.

  Similarly, according to the processing shown in FIG. 5, the interrupt processing when a memory protection violation occurs can return to the execution state of the program in which the memory protection violation does not occur, that is, the execution state of the program to be originally executed.

  Specifically, during the main process shown in FIG. 3, the variation information stored in the RAM 28 (or the flash memory 26) is rewritten during operation to a value that is not a normal value for some reason (noise or the like). In this case, the CPU 22 attempts to access a memory area (prohibited area) related to a program that should not be executed based on the non-normal value. At this time, the memory protection unit 24 functions to prohibit the processing that should not be executed as described above, and the processing shown in FIG. 5 is executed as the interrupt processing. Thereby, the variation information used for switching the control program (that is, switching between the program for variation A and the program for variation B) should be originally executed by rewriting it to a value that is not a normal value for some reason during operation. Even when a program that is not ready can be executed, it is possible to return (correct) the program to be originally executed.

  In the processing shown in FIG. 5, it is assumed that there are two types of control programs: a variation A program and a variation B program, but the same applies to three or more types of control programs. For example, when there are four types of control programs: a variation A program, a variation B program, a variation C program, and a variation D program, a memory protection violation interrupt process as shown in FIG. 6 below may be executed. .

  FIG. 6 is a flowchart showing another example of the memory protection violation interrupt process (program switching process) in the ECU 10 (microcomputer 20). The process shown in FIG. 6 may be executed as an interrupt process when the memory protection unit 24 generates an access exception during the main process shown in FIG. 3, for example.

  In step 600, it is determined whether or not the violation occurrence location of the memory protection violation is the processing of the variation A program (processing A). The location where the memory protection violation occurred is determined based on the setting information of the memory protection unit 24 (see step 206 and step 210 in FIG. 2). If the violation occurrence location is process A, the process proceeds to step 602, and if the violation occurrence location is not process A, the process proceeds to step 604.

  In step 602, a change to the function B for the variation B Func_B () is executed. That is, switching to the variation B program is executed. As a result, even if the variation information in the RAM 28 (or flash memory 26) used for switching the control program is rewritten during operation to a value other than the normal value “B” for some reason, it is originally executed. Return to the program for variation B to be performed (switching) can be realized. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “B”. Here, when the regular value is not “B” (for example, when the regular value is “D”), after the change to the function B for the variation B, Func_B (), an access exception occurs again from the memory protection unit 24. Then, the memory protection violation interrupt process of FIG. 6 is executed again. In this case, an affirmative determination is made in step 604 described later.

  In step 604, it is determined whether or not the violation occurrence location of the memory protection violation is the processing of the variation B program (processing B). If the violation occurrence location is process B, the process proceeds to step 606, and if the violation occurrence location is not process B, the process proceeds to step 608.

  In step 606, a change to the function Func_C () for variation C is executed. That is, switching to the variation C program is executed. As a result, even if the variation information in the RAM 28 (or flash memory 26) used for switching the control program is rewritten during operation to a value other than the normal value “C” for some reason, it is originally executed. Return to the program for variation C to be performed (switching) can be realized. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “C”. Here, when the regular value is not “C” (for example, when the regular value is “D”), after the change to the function Func_C () for variation C, an access exception occurs again from the memory protection unit 24. Then, the memory protection violation interrupt process of FIG. 6 is executed again. In this case, an affirmative determination is made in step 608 described later.

  In step 608, it is determined whether the violation occurrence location of the memory protection violation is the processing of the variation C program (processing C). When the violation occurrence location is process C, the process proceeds to step 610, and when the violation occurrence location is not process C, the process proceeds to step 612.

  In step 610, a change to the function Func_D () for variation D is performed. That is, switching to the variation D program is executed. As a result, even if the variation information in the RAM 28 (or flash memory 26) used for switching the control program is rewritten during operation to a value other than the normal value “D” for some reason, it is originally executed. Return to the program for variation D to be performed (switching) can be realized. At this time, the variation information in the RAM 28 (or the flash memory 26) may be rewritten to the value “D”. Here, when the regular value is not “D” (for example, when the regular value is “A”), an access exception occurs again from the memory protection unit 24 after the change to the function D for the variation D, Func_D (). Then, the memory protection violation interrupt process of FIG. 6 is executed again.

  In step 612, a change to the function Func_A () for variation A is performed. That is, switching to the variation A program is executed. As a result, even if the variation information in the RAM 28 (or flash memory 26) used for switching the control program is rewritten during operation to a value other than the normal value “A” for some reason, it is originally executed. Return to the program for variation A to be performed (switching) can be realized.

  As described above, according to the processing shown in FIG. 6, every time a memory protection violation occurs, the control program is sequentially switched until the memory protection violation does not occur. As a result, the variation information used for switching the control program (that is, switching between the program for variation A, the program for variation B, the program for variation C, and the program for variation D) operates to a value that is not a normal value for some reason. Even when a program that should not be executed can be executed, it can be restored (corrected) to the program that should be executed.

  For example, it is assumed that the program to be executed is the program for variation A (that is, the regular value of variation information is “A”), but the variation information value is rewritten to “D” for some reason. To do. In this case, a negative determination is made in step 600, step 604, and step 608, respectively, and the function Func_A () for variation A is changed in step 612. That is, the return (correction) to the variation A program to be originally executed is realized.

  Also, for example, when the program to be executed originally is the program for variation D (that is, the regular value of variation information is “D”), but the value of variation information is rewritten to “A” for some reason. Is assumed. In this case, first, an affirmative determination is made in step 600, and in step 602, the function is changed to the function B for variation B Func_B (). In this case, after changing to the function B for the variation B, Func_B (), an access exception occurs again from the memory protection unit 24, and the memory protection violation interrupt process of FIG. 6 is executed again. Next, an affirmative determination is made at step 604, and the function Func_C () for variation C is changed at step 606. In this case, after the change to the function Func_C () for variation C, an access exception occurs again from the memory protection unit 24, and the memory protection violation interrupt process of FIG. 6 is executed again. Next, an affirmative determination is made at step 608, and the function Func_D () for variation D is changed at step 610. That is, the return (correction) to the variation D program to be originally executed is realized.

  According to the present embodiment described above, the following excellent effects can be obtained.

  As described above, access to a program area (memory area) that is not used in the original variation is prohibited by using the memory protection unit (memory protection function) 24 of the microcomputer 20 and an access violation occurs (when an access exception occurs). Can be forcibly changed to the program area to be used in the original variation. As a result, even if the variation information used for switching the control program is rewritten during operation to a value that is not a normal value for some reason, the program that should not be executed can be executed. It is possible to return (correct) the program to the execution state.

  The preferred embodiments of the present invention have been described in detail above. However, the present invention is not limited to the above-described embodiments, and various modifications and substitutions can be made to the above-described embodiments without departing from the scope of the present invention. Can be added.

  For example, in the embodiment described above, the memory protection unit 24 may manage (protect) access to the memory area for each domain (a group of functional units that perform specific processing).

  In the above-described embodiment, the variation A program and the variation B program (same for other variation programs) may be completely different separate programs or have some common parts. It may be a program. In the latter case, for example, the program for variation A and the program for variation B are a common task group (first domain), a task group specific to the program for variation A (second domain), and a program for variation B And a specific task group (third domain). In this case, the memory protection unit 24 may manage (protect) access to the respective memory areas for the second domain and the third domain, for example.

10 ECU
12 Other ECUs
20 Microcomputer 22 CPU
24 Memory Protection Unit 26 Flash Memory 28 RAM
100 Vehicle control device

Claims (6)

An initial setting process for performing a setting for prohibiting execution of a program other than a predetermined program;
And a program switching process for switching a program to be executed to the predetermined program based on the setting information set by the initial setting process when execution of a program other than the predetermined program is detected. Information processing device. With memory protection,
The information processing apparatus according to claim 1, wherein execution of a program other than the predetermined program is detected by the memory protection unit based on access to a memory area related to a program other than the predetermined program. A first storage device comprising a non-volatile memory and storing a plurality of programs including the predetermined program;
A second storage device comprising the same nonvolatile memory as the first storage device or a different volatile memory, and storing information for determining the predetermined program to be executed among the plurality of programs;
With a memory protector,
When a program to be executed is determined based on information stored in the second storage device, and a memory protection violation occurs in the memory protection unit when accessing the first storage device due to execution of the determined program The information processing apparatus according to claim 1, wherein the determined program to be executed is switched to the predetermined program.   The program switching process is executed as an interrupt process when a memory protection violation occurs, and switching to the predetermined program is realized by referring to the execution permission area set in the memory protection unit by the initial setting process. The information processing apparatus according to claim 2 or 3.   4. The information processing according to claim 2, wherein the program switching process is executed as an interrupt process when a memory protection violation occurs, and the switching to the predetermined program is realized by determining a location where the memory protection violation occurs. apparatus.   4. The program switching process is executed as an interrupt process when a memory protection violation occurs, and switching to the predetermined program is realized by sequentially switching programs until no memory protection violation occurs. Information processing device.

Images