JP2021004031A - Automotive electronic control device - Google Patents

Abstract

To securely rewrite software in an automotive electronic control device equipped with a multi-core microcontroller.SOLUTION: When rewriting software on a code flash, by a command from a core rewriting the software, it causes the cores other than the core rewriting the software executed on the code flash to move to a program on RAMs for each core or a RAM common for the cores.SELECTED DRAWING: Figure 2

Description

The present invention relates to software rewriting in an electronic control device for an automobile equipped with a multi-core microcomputer.

Automotive electronic control devices such as ECUs (Electrical Control Units) are controlled by microcomputers, which include code flash and data flash, which are non-volatile memories that can electrically erase and write programs and data. It is equipped with RAM (Random Access Memory), which is a volatile memory, and controls vehicle equipment (for example, engine injection / ignition) by a control program stored in a code flash.

In recent years, due to the sophistication and multifunctionality of automobile control, microcomputers having a plurality of cores have been mounted on the ECU, and each core executes tasks of software functions assigned to its own core in parallel.

On the other hand, the ECU may have a software rewriting function in order to update to the correction software when a problem occurs in the software of the ECU or to replace the software with more efficient control software. In normal software rewriting, communication is performed with an external writing tool connected by wire or wirelessly, and the ECU writes to the code flash of the microcomputer while transferring the update software from the external writing tool to the ECU. When rewriting software, it is necessary to erase the code flash before rewriting the code flash. (Patent Document 1)

JP 2015-172974

By the way, when software is rewritten in an ECU that employs a multi-core microcomputer, exceptions / interrupts such as illegal instruction execution and resource access violation occur when operating with a code flash belonging to the erase block that the core is trying to erase. It ends up.

In a multi-core microcomputer, it is difficult for the core in charge of the software rewriting function to know the position of the core performing other different functions in the code flash, and it also executes other different functions. Even if it is possible to know the position of the core on the code flash, it may be necessary to create a situation where all the cores are operating on the code flash at a different position from the erase block to be erased. There was a problem that it was difficult to manage it, such as synchronization and waiting for time.

The present invention has been made in view of the above problems, and an electronic control device for an automobile that easily configures a situation in which all cores do not operate on an erasing block to be erased when software is rewritten in a multi-core microcomputer. The purpose is to provide.

In the present invention, in software rewriting of an electronic control device for an automobile, a core other than the core for performing software rewriting is transferred to a program on RAM and erased under the command of the core for performing software rewriting. Make the situation that the erase block does not work.

The command of the core that executes the software rewriting is performed by using the interrupt function between the cores, and the program on the RAM is configured to return to the command of the core that executes the software rewriting.

According to the present invention, it is possible to execute software without causing exceptions / interrupts such as software rewriting, illegal instruction execution, and resource access violation in a multi-core microcomputer.

It is a figure which shows the structure of the multi-core microcomputer. It is a figure which shows the structure of the erase block in a code flash, and the example of the program counter of core 1 and core 2. It is a figure explaining the example that the core 2 which was operating by the program on the code flash shifts to the program on the RAM for core 2. It is a figure explaining the example that the core 2 and the core 3 which were operating by the program on the code flash shift to the program on the core common RAM. It is a flowchart which shows the example of the program on the code flash and the program on RAM, and the operation of the save program.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the attached drawings.

[First Example]
FIG. 1 is a diagram showing a configuration of a multi-core microcomputer having n cores. The multi-core microcomputer is a non-volatile microcomputer that can be accessed in common with cores 1 to n that perform program arithmetic processing, volatile RAMs 11 to 1n for cores 1 to n that can be accessed exclusively for each core, and cores 1 to 1n. It is composed of a code flash 100 which is a memory and a core common RAM 200 which is a volatile RAM which can be accessed in common by the core. It has an inter-core interrupt function that can generate interrupts from each core.

The software execution program is placed in the code flash, and each core executes the program in the code flash.

FIG. 2 is a diagram showing an example of the configuration of the erase block in the code flash and the program counters of the core 1 and the core 2. As shown in FIG. 2, the code flash is composed of a plurality of m erasing blocks 101 to 10 m. When writing data to the code flash, it is necessary to be in the erase state in advance, and the code flash is erased in units of erase blocks.

When rewriting software, after the security access for rewriting the software is granted, the erase block corresponding to the rewrite target area of the software is erased, and data is written from a writing tool connected from the outside.

Here, when erasing the erase block in the code flash, if there is a core operating in the erase block to be erased, the erased code flash will be mistakenly executed as a program, resulting in illegal instruction execution. If an exception / interrupt such as a resource access violation occurs and the exception / interrupt processing is not performed correctly, the microcomputer will be in the reset state.

In other words, in order to safely perform software rewriting without failing in the middle, it is preferable that there is no program counter that points to the erase block.

FIG. 2 shows a code flash 100 of a microcomputer equipped with two cores, a program counter 201 for core 1 indicating where the program of core 1 on the code flash is operating, and a program of core 2 on the code flash. An example of the program counter 202 for core 2 indicating the destination where is operating is also shown.

If the erase block 104 is erased while the program counter 202 for the core 2 is operating on the erase block 104 of the code flash 100, the program executed by the core 2 causes an illegal instruction execution or an exception / interrupt. I will let you.

A microcomputer equipped with multiple code flashes is used as the means for rewriting the software of the ECU, some of the multiple cores operate as software rewriting functions, and the other cores execute programs that are normally operating. Exists. After the software rewriting is completed, the newly written code flash is selected and the program is executed the next time the ECU is started. This method is mainly used for wireless ECU software rewriting.

Here, when executing software rewriting, it is assumed that the mode that is normally executed is shifted to the dedicated mode for software rewriting, and the program that is normally operating is not executed. This method is used for software rewriting of the ECU for a system in which the frequency of software rewriting is low.

FIG. 3 shows a first embodiment in a microcomputer having two cores, in which the core 2 operating in the program on the code flash is transferred to the program on the RAM for the core 2 by the command of the core 1 for rewriting the software. It is a figure which showed an example.

First, interrupt permission is set individually for each core when the microcomputer is started so that dedicated processing can be executed when an interrupt between cores from the core that executes software rewriting occurs. In the dedicated process, a process for migrating to the save program area 312 of the core 2 RAM is performed.

Specifically, the address of the program counter 202 for core 2 being executed by the code flash 100 is changed to the program counter 302 on the RAM in which the program to be executed at the time of evacuation can be executed in the evacuation program area 312 of the RAM for core 2. To do.

A program to be executed at the time of evacuation is developed in advance by the core 2 which is a core other than the core that executes software rewriting in the evacuation program area 312 of the RAM for core 2. The timing of deploying the save execution program in the save program area 312 of the RAM for core 2 may be executed after the software rewriting is actually permitted, or may be performed individually for each core when the microcomputer is started. ..

According to the first embodiment of the migration process, the cores other than the core that executes the software rewrite are expanded to the RAM dedicated to each core when an interrupt occurs between the cores that execute the software rewrite. Set the inter-core interrupt and expand the program to the core dedicated RAM so that it can be transferred to the program.

Therefore, when rewriting the software of the ECU, it is possible to create a situation where there is no core to be executed in the code flash of the erase block to be erased, and exceptions / interrupts such as illegal instruction execution and resource access violation at the time of software rewriting can be created. Will not occur.

In short, when the software of the ECU is rewritten, the software can be safely rewritten without resetting the microcomputer.

[Second Example]
FIG. 4 shows a second implementation in which, in a microcomputer having three cores, the cores 2 and 3 that were operating in the program on the code flash are transferred to the program on the core common RAM 200 by the command of the core 1 that rewrites the software. It is a figure which showed an example of an example.

First, interrupt permission is set individually for each core when the microcomputer is started so that dedicated processing can be executed when an interrupt between cores from the core that executes software rewriting occurs. The dedicated process is a process for migrating to the save program area 400 on the core shared RAM 200.

Specifically, the program counter 202 for the core 2 and the program counter 203 for the core 3 being executed by the code flash 100 are on the RAM on which the program to be executed at the time of saving in the save program area 400 of the core shared RAM 200 can be executed. Change the address to the program counters 302 and 303.

A program to be executed at the time of evacuation is developed in advance by the core 1 that executes software rewriting in the evacuation program area 400 of the core shared RAM 200. The timing of deploying the save execution program in the save program area 400 of the core shared RAM 200 may be executed after the software rewriting is actually permitted, or may be performed when the microcomputer is started.

According to the second embodiment of the migration process, the cores other than the core that executes software rewriting are transferred to the program expanded in the core common RAM 200 when an interrupt between cores occurs from the core that executes software rewriting. The core that sets the inter-core interrupt and executes the software rewrite expands the program to the core common RAM 200 so that it can be executed.

Therefore, as in the first embodiment, when the software of the ECU is rewritten, it is possible to create a situation in which there is no core to be executed in the code flash of the erase block to be erased, and an illegal instruction is executed at the time of software rewriting. Exceptions and interrupts such as resource access violations will no longer occur.

In the first embodiment, it is possible to make the operation of the save program executed in each core different and change the operation. On the other hand, in the second embodiment, as compared with the first embodiment, each core can use the same save program, and the core that executes software rewriting selects a program to be executed when it saves. It is possible to obtain the effect of reducing the amount of RAM used by making it common.

[Third Example]
FIG. 5 is a diagram showing an example of a third embodiment in which an exception / interrupt that does not affect the access of the code flash is used during the evacuation program. In this example, an example of a program on the code flash and a program on the RAM, and a flowchart showing the operation of the save program are shown.

The code flash is for a program 502 that is normally executed and a normal program 502 that provides exception / interrupt processing information to be executed when an exception / interrupt occurs during operation of the program 502 that is normally executed. The vector table 501 is arranged.

A save program 504 and a vector table 503 for the save program 503 that provides exception / interrupt processing information to be executed when an exception / interrupt occurs during operation of the save program 504 that is executed at the time of save are arranged in the RAM. As described above, the program is expanded into the RAM by the methods described in the first embodiment and the second embodiment.

When the program counter 202 for core 2, which is a core other than the core for software rewriting, is transferred to the program counter 302 on the RAM that can execute the program to be executed at the time of evacuation, the evacuation process is performed by a command from the core that rewrites the software. Preprocessing S501 is executed.

The pre-process S501 is a process of setting the state while the save program is executed as needed. For example, DMAC (Direct Memory Access) prevents access to the code flash or RAM during rewriting of the software of the ECU. It is also possible to stop peripheral devices that are not used in the save program of Controller).

While the evacuation end condition is not satisfied in the evacuation end condition determination S503, the evacuation process S502 is repeatedly executed. When the save end condition is satisfied, the return process S504 is executed, and the execution of the save program 504 is completed.

The save end condition determination S503 polls and monitors the return information via the core shared RAM 200 and the core shared register (not shown), and causes a program that executes the return process to interrupt the vector table 503 for the save program between cores. Judgment is possible by setting.

According to the third embodiment of the recovery process, by expanding the vector table for the save program to the RAM in advance and using it in the same manner as the save program, exceptions / interrupts that do not affect the access of the code flash are used. This can be done, and the return process can be executed when the save end condition is satisfied. The third embodiment can be applied to both the first embodiment and the second embodiment.

Here, the technical ideas other than the claims that can be grasped from the above-described embodiment will be described below together with the effects.

(B) An electronic control device for automobiles equipped with a microcomputer having at least two cores, and when it is determined that a certain core has failed, the failed core is stored in a non-volatile memory by a command from a core other than the failed core. An electronic microcontroller for automobiles, which is characterized by migrating from a program running in the above program to a program in a volatile memory dedicated to a failed core.
According to such a technical idea, it can be a fail-safe process at the time of core failure.

(B) When accessing a resource that is an electronic control device for automobiles equipped with a microcomputer having at least two cores and the resources that can be commonly accessed by the core are not occupied by any task, the resource is accessed. When a core that executes a task with a high access priority accesses, the core that executes a task with a lower access priority is non-volatile in response to a command from the core that executes a task with a higher access priority to resources. An electronic control device for automobiles, which is characterized by migrating from a program running on a program on sexual memory to a program on volatile memory.

According to such a technical idea, the effect of interrupt prohibition processing across cores can be obtained when a plurality of cores handle the same resource, and semaphore processing across cores can be constructed.

1-n core 1-n
11-1n core dedicated RAM
100 code flash 200 core common RAM
101-10m Erase block 201 Program counter for core 1 202 Program counter for core 2 302 Program counter for core 2 transferred to RAM 312 Program area for saving RAM for core 2 303 Program counter for core 3 transferred to RAM 400 Core common RAM Save program area 501 Vector table for normal execution program 502 Normal execution program 503 Vector table for save execution program 504 Save execution program

Claims (1)

An electronic control device for automobiles equipped with a microcomputer having at least two cores.
When it is determined that a certain core has failed, a command from a core other than the failed core gives
An electronic control device for an automobile, characterized in that the failed core is transferred from a program operating in a program on a non-volatile memory to a program on a volatile memory dedicated to the failed core.

Images