JP2020144699A - Control device and cause determination method - Google Patents

Abstract

To easily identify a cause of reset of a microcomputer.SOLUTION: A control device includes an acquisition section, a detection section, and a determination section. The acquisition section acquires a value of a stack pointer included in a microcomputer. The detection section detects a sign of stack overflow and stores detection history in a nonvolatile memory region when the value of the stack pointer acquired by the acquisition section reaches a previously defined abnormal range. The determination section determines reset is caused by the stack overflow if there is the detection history when recovering from the reset of the microcomputer.SELECTED DRAWING: Figure 2

Description

The disclosed embodiments relate to control devices and cause determination methods.

Conventionally, a control device (ECU: Electronic Control Unit) that is mounted on a vehicle and electronically controls various vehicle systems such as an engine, a transmission, and a car navigation system is known. In such a control device, a built-in microcomputer (hereinafter, referred to as "microcomputer") executes a control program to realize various assigned functions.

In such a control device, for example, a power supply IC (Integrated Circuit) functions as a monitoring unit for monitoring whether or not the microcomputer is operating normally. As a microcomputer monitoring method, for example, a WDC monitoring method for monitoring the pulse interval of a watchdog counter (hereinafter, referred to as “WDC”) signal output from a microcomputer has been conventionally known. When a malfunction of the microcomputer is detected by such a WDC monitoring method, the power supply IC resets the microcomputer.

By the way, an example of a malfunction of a microcomputer is the occurrence of stack overflow. The occurrence of stack overflow is caused by the amount of data stored in the stack area (call stack) secured in the memory area exceeding the limit due to, for example, an infinite loop due to a recursive call of a subroutine.

Therefore, a technique has been proposed in which the increase / decrease value of the stack pointer value in which the start address of the stack area is stored is stored and compared with the previous value to determine whether or not the microcomputer is in a runaway state. (See, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2005-216015

However, the above-mentioned prior art has room for further improvement in easily identifying the cause of the reset of the microcomputer.

Specifically, in the above-mentioned control device, when a stack overflow occurs, the power supply IC resets the microcomputer, but in the case of the control device mounted on the vehicle, the reset during startup affects the vehicle operation. Therefore, it is necessary to identify the cause of the reset at an early stage so that the reset due to the same cause will not be reproduced in the future.

However, the above-mentioned conventional technique merely determines whether or not the microcomputer is in a runaway state, and does not easily identify the cause of the reset of the microcomputer.

One aspect of the embodiment is made in view of the above, and an object of the present invention is to provide a control device and a cause determination method capable of easily identifying the cause of resetting the microcomputer.

The control device according to one aspect of the embodiment includes an acquisition unit, a detection unit, and a determination unit. The acquisition unit periodically acquires the value of the stack pointer included in the microcomputer. The detection unit detects a sign of stack overflow when the value of the stack pointer acquired by the acquisition unit reaches within a predefined abnormal range, and records the detection history in the non-volatile memory area. .. When the determination unit has the detection history at the time of returning from the reset of the microcomputer, the determination unit determines that the reset is due to the stack overflow.

According to one aspect of the embodiment, the cause of resetting the microcomputer can be easily identified.

FIG. 1A is a schematic explanatory view of an in-vehicle system. FIG. 1B is a schematic explanatory view of a cause determination method according to a comparative example. FIG. 1C is a schematic explanatory view of a cause determination method according to an embodiment. FIG. 2 is a block diagram of the ECU according to the embodiment. FIG. 3A is a processing explanatory diagram (No. 1) of the stack monitoring unit. FIG. 3B is a processing explanatory diagram (No. 2) of the stack monitoring unit. FIG. 3C is a processing explanatory diagram (No. 3) of the stack monitoring unit. FIG. 3D is a processing explanatory diagram (No. 4) of the stack monitoring unit. FIG. 4A is a flowchart showing a processing procedure executed by the stack monitoring unit of the microcomputer according to the embodiment. FIG. 4B is a flowchart showing a processing procedure executed by the determination unit of the microcomputer according to the embodiment.

Hereinafter, embodiments of the control device and the cause determination method disclosed in the present application will be described in detail with reference to the accompanying drawings. The present invention is not limited to the embodiments shown below.

Further, in the following, after explaining the outline of the cause determination method according to the embodiment with reference to FIGS. 1A to 1C, the ECU 10 (corresponding to an example of the “control device”) to which the cause determination method according to the embodiment is applied will be described. It will be described with reference to FIGS. 2 to 4B.

First, the outline of the cause determination method according to the embodiment will be described with reference to FIGS. 1A to 1C. FIG. 1A is a schematic explanatory view of the in-vehicle system 1. Further, FIG. 1B is a schematic explanatory view of a cause determination method according to a comparative example. Further, FIG. 1C is a schematic explanatory view of a cause determination method according to an embodiment. In addition, "n" in FIG. 1A is an arbitrary natural number of 1 or more. Further, in FIG. 1B, "'" is added to the reference numerals of the components to distinguish them from the present embodiment.

As shown in FIG. 1A, the vehicle C includes an in-vehicle system 1. The in-vehicle system 1 includes a plurality of ECUs 10-1 to 10-n. The ECUs 10-1 to 10-n are connected to each other by a network N such as CAN (Controller Area Network) so that they can communicate with each other, and the controlled objects 20-1 to 20-n are electronically controlled by executing control programs, respectively. The controlled objects 20-1 to 20-n are various systems such as an engine, a transmission, and a car navigation system.

Here, as shown in FIG. 1B, the ECU 10 ′ according to the conventional configuration as a comparative example includes a microcomputer 11 ′ and a power supply IC 12 ′. The microcomputer 11'is the main processing unit of the ECU 10', and by executing the control program, various functions assigned to each of the ECUs 10' are realized.

During "normal control" of these various functions, the microcomputer 11'is periodically output a "WDC output", that is, a WDC signal to the power supply IC 12', and the power supply IC 12'monitors the pulse interval. Monitors the operating status of the microcomputer 11'.

In the process, as shown in FIG. 1B, it is assumed that "stack overflow" has occurred in the microcomputer 11'. In such a case, the microcomputer 11'causes an undefined operation and goes into a runaway state, so that, for example, the "WDC output" is delayed. Then, the power supply IC 12'"detects a timeout" and "resets" the microcomputer 11'.

As a result, the microcomputer 11'is "restarted" and the runaway state due to stack overflow is resolved, but "the cause of the reset is unknown" remains. Therefore, the cause of the reset is not specified, and in order to prevent the reset from occurring again, for example, unnecessary parts replacement may be taken. That is, according to the cause determination method according to the comparative example, it is uneconomical and it is difficult to identify the true cause of the reset.

Therefore, in the cause determination method according to the embodiment, as shown in FIG. 1C, "the value of the stack pointer is constantly monitored" in parallel with "during normal control" by the microcomputer 11 (step S1). The "stack pointer value" is the address of the place where data is saved next time in the stack area. Further, the "constant monitoring" referred to here is included in the case of periodic monitoring at predetermined intervals.

In the cause determination method according to the embodiment, among the values that the stack pointer can take, the data range indicating the sign of stack overflow is defined as the abnormal range, and the stack pointer reaches the abnormal range. , "Detecting a sign of stack overflow" (step S2).

Then, in the cause determination method according to the embodiment, if a sign is detected in step S2, the detection history is stored in the non-volatile memory (step S3). Then, in the cause determination method according to the embodiment, "fail-safe processing is executed" (step S4).

The "fail-safe process" is, for example, a reset triggered by a request from the microcomputer 11. In the case of such a reset, the microcomputer 11 transmits a "reset request" to the power supply IC 12, and the power supply IC 12 "resets" the microcomputer 11 in response to the "reset request".

As a result, the microcomputer 11 is "restarted", but the cause is that the microcomputer 11 was reset in the check process at the time of its startup and that the stack overflow detection history stored in the non-volatile memory exists. Can be specified (step S5).

As described above, in the cause determination method according to the embodiment, the microcomputer 11 constantly monitors the value of the stack pointer in parallel with the normal control. Further, the microcomputer 11 detects a sign of stack overflow when the value of the stack pointer reaches within the abnormal range of the value that the stack pointer can take. Further, when the microcomputer 11 detects such a sign, the microcomputer 11 stores the detection history in the non-volatile memory and then executes a predetermined fail-safe process.

As a result, according to the cause determination method according to the embodiment, the cause of the reset of the microcomputer 11 can be easily identified.

Hereinafter, the ECU 10 to which the cause determination method according to the above-described embodiment is applied will be described more specifically.

FIG. 2 is a block diagram of the ECU 10 according to the embodiment. Note that, in FIG. 2, only the components necessary for explaining the features of the present embodiment are represented by functional blocks, and the description of general components is omitted.

In other words, each component shown in FIG. 2 is a functional concept and does not necessarily have to be physically configured as shown. For example, the specific form of distribution / integration of each functional block is not limited to the one shown in the figure, and all or part of the functional blocks are functionally or physically distributed in arbitrary units according to various loads and usage conditions. -It is possible to integrate and configure.

As shown in FIG. 2, the ECU 10 includes a microcomputer 11 and a power supply IC 12. First, the power supply IC 12 will be described. The power supply IC 12 monitors the microcomputer 11 by the WDC monitoring method in response to the output of the WDC signal from the main processing execution unit 111a described later. If a malfunction of the microcomputer 11 is detected as a result of the monitoring, the power supply IC 12 resets the microcomputer 11.

Further, the power supply IC 12 resets the microcomputer 11 when the reset request is received from the fail-safe processing execution unit 111bc described later.

The microcomputer 11 includes a control unit 111 and a storage unit 112. The control unit 111 includes a main processing execution unit 111a, a stack monitoring unit 111b, a determination unit 111c, and a diagnostic output unit 111d. The stack monitoring unit 111b includes an acquisition unit 111ba, a detection unit 111bb, and a fail-safe processing execution unit 111bc.

The storage unit 112 stores the stack pointer 112a, the definition information 112b, the detection history 112c, and the reset history 112d. The stack pointer 112a is a type of register included in the storage unit 112. The definition information 112b, the detection history 112c, and the reset history 112d are stored in the non-volatile memory area of the storage unit 112. The non-volatile memory area referred to here includes a retention RAM (Random Access Memory) area.

The retention RAM area is a RAM area that retains information even when the microcomputer 11 is reset, in other words, a RAM area that can retain information if the device power supply is maintained, and is, for example, an SRAM (Static) composed of flip-flops. Random Access Memory).

The control unit 111 is, for example, a CPU (Central Processing Unit) and controls the entire microcomputer 11. The main processing execution unit 111a realizes the electronic control function assigned to the ECU 10 by reading a control program (not shown) from the storage unit 112 and executing it when the microcomputer 11 is started.

Further, the main processing execution unit 111a pushes or pops data to a stack area (not shown) and updates the stack pointer 112a as appropriate each time a subroutine call or a return from the subroutine occurs during execution of the control program.

The stack monitoring unit 111b constantly monitors the stack pointer 112a, and when a sign of stack overflow is detected as a result of the monitoring, a predetermined fail-safe process is executed.

Specifically, the acquisition unit 111ba constantly acquires the value of the stack pointer 112a and passes it to the detection unit 111bb. The detection unit 111bb illuminates the value of the stack pointer 112a acquired most recently with respect to the definition information 112b in which the abnormal range of the possible values of the stack pointer 112a is defined in advance.

Then, when the latest value of the stack pointer 112a reaches the abnormal range, the detection unit 111bb stores the detection history in the detection history 112c, assuming that a sign of stack overflow has been detected. Then, the detection unit 111bb causes the fail-safe processing execution unit 111bc to execute a predetermined fail-safe processing.

Further, if the detection unit 111bb detects that the latest value of the stack pointer 112a has reached the abnormal range, the detection history 112c may store the history of the detection of such arrival. In this case, the fail-safe processing execution unit 111bc can execute a predetermined fail-safe processing while omitting the detection processing of the sign of the stack overflow.

The fail-safe processing execution unit 111bc executes a predetermined fail-safe processing. The fail-safe processing execution unit 111bc transmits a reset request to the power supply IC 12 in order to reset the microcomputer 11 as a predetermined fail-safe processing, for example.

The predetermined fail-safe process is not limited to reset, and the control program may be forcibly returned to the main process execution unit 111a, for example. In such a case, since the forced return is performed at the stage of predicting the stack overflow, at least the stack area does not overflow, and the control program does not run out of control by causing undefined behavior.

Further, the predetermined fail-safe process may use a function called a ROB function for storing a predetermined abnormal code in the non-volatile memory when an abnormal state occurs.

Here, the processing content of the processing executed by the stack monitoring unit 111b will be described more specifically with reference to FIGS. 3A to 3D. 3A to 3D are processing explanatory views (No. 1) to (No. 4) in the stack monitoring unit 111b.

Although not shown in the storage unit 112 of FIG. 2, each area shown in FIG. 3A is secured in the memory space included in the storage unit 112 when the control program is executed by the main processing execution unit 111a. As shown in the figure, the "stack area" is secured adjacent to, for example, the "variable data area".

As is generally known, such a "stack area" is an area for holding data in a last in first out (LIFO) structure as shown in FIG. 3B, and is two basic operations. Has push and pop. Push adds data to the top of the stack area and leaves existing data underneath. Pop removes and retrieves the current top data on the stack. Therefore, the data held in the stack area is older as it goes down as shown in the figure.

Then, the stack pointer 112a stores the address of the place where the data is saved next in the stack area as a value. For example, as shown in FIG. 3C, when data is saved in the area pointed to by the address 0x0FFF of the stack area by pushing, the address 0x0FFE smaller than the address 0x0FFF points to the next place to save the data in the stack area and the stack pointer 112a Stored in. In the case of pop, the magnitude relationship of addresses is opposite. That is, as shown in the figure, the top of the stack is updated by pushing (or popping).

As shown in FIG. 3D, on the premise of such a data structure of the stack area and how to update the stack pointer 112a, the ECU 10 according to the embodiment has "the value that the stack pointer 112a can take in the definition information 112b". Anomalous range is defined ”(step S11). Here, an example is shown in which addresses 0x0FFB to 0x0FFE are set as an abnormal range at the boundary between the stack area and the stack overflow area.

Then, while referring to such definition information 112b, the stack monitoring unit 111b "constantly monitors" the stack pointer 112a (step S12). Here, as shown in the figure, it is assumed that 0x0FFE, which is a value within the abnormal range, is stored in the stack pointer 112a.

Then, the stack monitoring unit 111b “detects arrival within the abnormal range” of the value of the stack pointer 112a (step S13). Then, the stack monitoring unit 111b "determines that there is a sign of stack overflow" based on the detection result (step S14).

Returning to the description of FIG. For example, when the microcomputer 11 is restarted after being reset, the determination unit 111c refers to the detection history 112c and the reset history 112d, and resets by stack overflow when there is a detection history of a sign of stack overflow and a reset history. Is determined to have been performed. Further, the determination unit 111c notifies the diagnosis output unit 111d of the determination result.

The diagnosis output unit 111d outputs the determination result notified from the determination unit 111c as a diagnosis signal. This makes it possible to detect by diagnostic diagnosis that the cause of the reset was stack overflow.

Next, the processing procedures executed by the stack monitoring unit 111b and the determination unit 111c of the microcomputer 11 according to the embodiment will be described with reference to FIGS. 4A and 4B. FIG. 4A is a flowchart showing a processing procedure executed by the stack monitoring unit 111b of the microcomputer 11 according to the embodiment. Further, FIG. 4B is a flowchart showing a processing procedure executed by the determination unit 111c of the microcomputer 11 according to the embodiment.

It is assumed that the main control program of the ECU 10 is executed by the main processing execution unit 111a in parallel with the processing procedure shown in FIG. 4A, and the ECU 10 is normally in control.

As shown in FIG. 4A, first, the abnormal range of the value of the stack pointer 112a is defined in advance (step S101). Then, the acquisition unit 111ba of the stack monitoring unit 111b acquires the value of the stack pointer 112a (step S102).

Then, the detection unit 111bb of the stack monitoring unit 111b determines whether or not the value of the stack pointer 112a acquired by the acquisition unit 111ba is within the abnormal range (step S103). Here, when it is out of the abnormal range (steps S103, No), the stack monitoring unit 111b repeats the processing from step S102.

If it is within the abnormal range (step S103, Yes), the detection unit 111bb detects a sign of stack overflow (step S104). Then, the detection unit 111bb stores the detection history 112c reflecting the detection result in the non-volatile memory (step S105).

Then, the fail-safe processing execution unit 111bc executes a predetermined fail-safe processing (step S106), and ends the processing. Here, it is assumed that the microcomputer 11 has been reset as a fail-safe process.

By such a reset, as shown in FIG. 4B, the microcomputer 11 is first activated (step S201). Then, the determination unit 111c determines whether or not there is a detection history 112c and a reset history 112d in, for example, the check process at the time of activation (step S202).

Here, when there is such a history (step S202, Yes), the determination unit 111c determines that the reset is due to stack overflow (step S203), outputs the determination result as a diagnostic as necessary, and ends the process.

As described above, the ECU 10 (corresponding to an example of the “control device”) according to the embodiment includes an acquisition unit 111ba, a detection unit 111bb, and a determination unit 111c. The acquisition unit 111ba acquires the value of the stack pointer 112a included in the microcomputer 11 (corresponding to an example of the “microcomputer”). When the value of the stack pointer acquired by the acquisition unit 111ba reaches the predetermined abnormal range, the detection unit 111bb detects a sign of stack overflow and records the detection history in the non-volatile memory area. When the determination unit 111c has the above-mentioned detection history at the time of returning from the reset of the microcomputer 11, the determination unit 111c determines that the reset is due to stack overflow.

Therefore, according to the ECU 10 according to the embodiment, the cause of the reset of the microcomputer 11 can be easily identified.

Further, the ECU 10 according to the embodiment further includes a fail-safe processing execution unit 111bc. The fail-safe processing execution unit 111bc executes a predetermined fail-safe processing after recording the detection history by the detection unit 111bb.

Therefore, according to the ECU 10 according to the embodiment, the fail-safe process can be executed at the stage of predicting stack overflow.

Further, the fail-safe processing execution unit 111bc resets the microcomputer 11 as a fail-safe processing.

Therefore, according to the ECU 10 according to the embodiment, after the detection history is recorded by the detection unit 111bb, the microcomputer 11 is reset as a fail-safe process. Therefore, when returning from the reset, it is easily determined that the reset is due to stack overflow. Can be reset.

Further, the fail-safe processing execution unit 111bc forcibly returns the main processing execution unit 111a that executes the main control program in the microcomputer 11 from the execution of the control program as the fail-safe processing.

Therefore, according to the ECU 10 according to the embodiment, it is possible to avoid the reset of the microcomputer 11 while keeping the stack overflow at the predictive stage.

Further, the detection unit 111bb detects a sign of stack overflow by setting an address range indicating a predetermined amount of the stack area in contact with the boundary with the stack overflow area as the abnormal range.

Therefore, according to the ECU 10 according to the embodiment, it is possible to determine that an abnormality occurs at the predictive stage of stack overflow, so that the occurrence of stack overflow can be prevented.

In the above-described embodiment, the ECU 10 is provided in the vehicle C, but of course, the ECU 10 is not limited to the vehicle C, and may be provided in, for example, a ship or an aircraft.

Further, in the above-described embodiment, the microcomputer 11 is an example of a microcomputer, but it may be a mycolo controller or a microprocessor.

Further effects and variations can be easily derived by those skilled in the art. For this reason, the broader aspects of the invention are not limited to the particular details and representative embodiments expressed and described as described above. Therefore, various modifications can be made without departing from the spirit or scope of the general concept of the invention as defined by the appended claims and their equivalents.

10 ECU
11 Microcomputer 12 Power supply IC
20 Control target 111 Control unit 111a Main processing execution unit 111b Stack monitoring unit 111ba Acquisition unit 111bb Detection unit 111bc Fail-safe processing execution unit 111c Judgment unit 111d Diag output unit 112 Storage unit 112a Stack pointer 112b Definition information 112c Detection history 112d Reset history C Vehicle N network

Claims (6)

An acquisition unit that acquires the value of the stack pointer provided by the microcomputer,
A detection unit that detects a sign of stack overflow and records the detection history in a non-volatile memory area when the value of the stack pointer acquired by the acquisition unit reaches within a predefined abnormal range.
A control device including a determination unit that determines that the reset is due to the stack overflow when there is the detection history at the time of returning from the reset of the microcomputer. The control device according to claim 1, further comprising a fail-safe processing execution unit that executes a predetermined fail-safe processing after the detection history is recorded by the detection unit. The fail-safe processing execution unit
The control device according to claim 2, wherein the microcomputer is reset as the fail-safe process. The fail-safe processing execution unit
The control device according to claim 2, wherein as the fail-safe process, the main process execution unit that executes the main control program in the microcomputer is forcibly returned from the execution of the control program. The detection unit
The invention according to any one of claims 1 to 4, wherein an address range indicating a predetermined amount of the stack area in contact with the boundary with the stack overflow area is set as the abnormal range, and a sign of the stack overflow is detected. Control device. The acquisition process to acquire the value of the stack pointer provided by the microcomputer,
A detection step of detecting a sign of stack overflow and recording the detection history in a non-volatile memory area when the value of the stack pointer acquired by the acquisition step reaches within a predefined abnormal range.
A cause determination method including a determination step of determining that the reset is due to the stack overflow when there is the detection history at the time of returning from the reset of the microcomputer.

Images