JP6998434B2 - Electronic control device for automobiles - Google Patents

Description

The present invention relates to software rewriting in an electronic control device for an automobile equipped with a multi-core microcomputer.

Automotive electronic control devices such as ECUs (Electrical Control Units) are controlled by microcomputers, which are non-volatile memories that can electrically erase and write programs and data, such as code flash and data flash. It is equipped with RAM (Random Access Memory), which is a volatile memory, and controls vehicle equipment (for example, engine injection / ignition) by a control program stored in a code flash.

In recent years, due to the sophistication and multi-functionalization of automobile control, microcomputers having a plurality of cores have been mounted on ECUs, and each core executes tasks of software functions assigned to its own cores in parallel.

On the other hand, the ECU may have a software rewriting function in order to update to the correction software when a defect occurs in the software of the ECU or to replace the software with more efficient control software. In normal software rewriting, communication is performed with an external writing tool connected by wire or wirelessly, and the ECU writes to the code flash of the microcomputer while transferring the update software from the external writing tool to the ECU. When rewriting software, it is necessary to erase the code flash before rewriting the code flash. (Patent Document 1)

JP-A-2015-172974

By the way, when software is rewritten in an ECU that uses a multi-core microcomputer, if it operates with a code flash that belongs to the erase block that the core is trying to erase, exceptions / interrupts such as illegal instruction execution and resource access violations occur. It ends up.

In a multi-core microcomputer, it is difficult for the core in charge of the software rewriting function to know where in the code flash the core performing other different functions is located, and it also executes other different functions. Even if it is possible to know the position of the core on the code flash, it may be necessary to create a situation where all the cores are operating on the code flash at a different position from the erase block to be erased. There was a problem that it was difficult to manage, such as synchronization and waiting for time.

The present invention has been made in view of the above problems, and is an electronic control device for automobiles that easily configures a situation in which all cores do not operate on the erasing block to be erased when software is rewritten in a multi-core microcomputer. The purpose is to provide.

In the present invention, in software rewriting of an electronic control device for an automobile, a core other than the core for performing software rewriting is transferred to a program on RAM and erased under the command of the core for performing software rewriting. Make the situation that the erase block does not work.

The command of the core for executing the software rewriting is performed by using the interrupt function between the cores, and the program on the RAM is configured to return to the command of the core for executing the software rewriting.

According to the present invention, it can be executed without causing exceptions / interrupts such as software rewriting, illegal instruction execution, and resource access violation in a multi-core microcomputer.

It is a figure which shows the structure of a multi-core microcomputer. It is a figure which shows the configuration of the erase block in a code flash, and the example of the program counter of a core 1 and a core 2. It is a figure explaining the example that the core 2 operating by the program on the code flash shifts to the program on the RAM for core 2. It is a figure explaining the example that the core 2 and the core 3 which were operating by the program on the code flash shift to the program on the core common RAM. It is a flowchart which shows the example of the program on the code flash and the program on RAM, and the operation of the save program.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the attached drawings.

[First Example]
FIG. 1 is a diagram showing a configuration of a multi-core microcomputer having n cores. The multi-core microcomputer is a non-volatile core that can be accessed in common with cores 1 to n that perform program arithmetic processing, volatile RAMs 11 to 1n for cores 1 to n that can be accessed exclusively for each core, and cores 1 to 1n. It is composed of a code flash 100, which is a memory, and a core common RAM 200, which is a volatile RAM that can be accessed in common by the core. It has an inter-core interrupt function that can generate interrupts from each core.

The software execution program is placed in the code flash, and each core executes the program in the code flash.

FIG. 2 is a diagram showing an example of the configuration of the erase block in the code flash and the program counters of the core 1 and the core 2. As shown in FIG. 2, the code flash is composed of a plurality of m erasing blocks 101 to 10 m. When writing data to the code flash, it is necessary to be in the erased state in advance, and the code flash is erased in units of erase blocks.

When rewriting software, after the security access for rewriting the software is granted, the erase block corresponding to the rewrite target area of the software is erased, and data is written from the writing tool connected from the outside.

Here, when erasing the erase block in the code flash, if there is a core operating in the erase block to be erased, the erased code flash will be mistakenly executed as a program, resulting in illegal instruction execution. If an exception / interrupt such as a resource access violation occurs and the exception / interrupt processing is not performed correctly, the microcomputer will be in the reset state.

In other words, in order to safely perform software rewriting without failing in the middle, it is preferable to have no program counter that points to the erase block.

FIG. 2 shows a code flash 100 of a microcomputer equipped with two cores, a program counter 201 for core 1 indicating where the program of core 1 on the code flash is operating, and a program of core 2 on the code flash. An example of the program counter 202 for core 2 indicating the destination where is operating is also shown.

If the erase block 104 is erased while the program counter 202 for the core 2 is operating on the erase block 104 of the code flash 100, the program executed by the core 2 generates an illegal instruction or an exception / interrupt. I will let you.

A microcomputer equipped with multiple code flashes is used as the means for rewriting the software of the ECU, some of the multiple cores operate as the software rewrite function, and the other cores execute programs that are normally operating. Exists. After the software rewriting is completed, the newly written code flash is selected and the program is executed when the ECU is started next time. This method is mainly used for wireless ECU software rewriting.

Here, when executing software rewriting, it is assumed that the mode that is normally executed is changed to the dedicated mode for software rewriting, and the program that is normally operating is not executed. This method is used for software rewriting of an ECU for a system in which the frequency of software rewriting is low.

FIG. 3 shows a first embodiment in which, in a microcomputer having two cores, the core 2 operated by the program on the code flash is transferred to the program on the RAM for the core 2 by the command of the core 1 for rewriting the software. It is a figure which showed an example.

First, interrupt permission is set individually for each core when the microcomputer is started so that dedicated processing can be executed when an interrupt between cores from the core that executes software rewriting occurs. The dedicated process carries out a process for migrating to the save program area 312 of the RAM for the core 2.

Specifically, the address of the program counter 202 for core 2 being executed by the code flash 100 is changed to the program counter 302 on the RAM that can execute the program to be executed at the time of evacuation in the evacuation program area 312 of the RAM for core 2. do.

A program to be executed at the time of evacuation is developed in advance by the core 2 which is a core other than the core that executes software rewriting in the evacuation program area 312 of the RAM for the core 2. The timing of deploying the save execution program in the save program area 312 of the RAM for core 2 may be executed after the software rewriting is actually permitted, or may be performed individually for each core when the microcomputer is started. ..

According to the first embodiment of the migration process, the cores other than the core that executes the software rewrite are expanded to the RAM dedicated to each core when an interrupt between the cores that execute the software rewrite occurs. Set the interrupt between cores and expand the program to the core dedicated RAM so that it can be transferred to the program.

Therefore, when rewriting the software of the ECU, it is possible to create a situation in which there is no core to be executed in the code flash of the erase block to be erased, and exceptions / interrupts such as illegal instruction execution and resource access violation at the time of software rewriting can be created. Will not occur.

In short, when the software of the ECU is rewritten, the software can be safely rewritten without resetting the microcomputer.

[Second Example]
FIG. 4 shows a second implementation in which, in a microcomputer having three cores, the core 2 and the core 3 that were operating in the program on the code flash are transferred to the program on the core common RAM 200 by the command of the core 1 that rewrites the software. It is a figure which showed an example of an example.

First, interrupt permission is set individually for each core when the microcomputer is started so that dedicated processing can be executed when an interrupt between cores from the core that executes software rewriting occurs. The dedicated process carries out a process for migrating to the save program area 400 on the core shared RAM 200.

Specifically, the program counter 202 for the core 2 and the program counter 203 for the core 3 being executed by the code flash 100 are on the RAM on which the program to be executed at the time of saving in the save program area 400 of the core shared RAM 200 can be executed. Change the address to the program counters 302 and 303.

A program to be executed at the time of evacuation is developed in advance by the core 1 that executes software rewriting in the evacuation program area 400 of the core shared RAM 200. The timing of deploying the save execution program in the save program area 400 of the core shared RAM 200 may be executed after the software rewriting is actually permitted, or may be performed when the microcomputer is started.

According to the second embodiment of the migration process, the cores other than the core that executes software rewriting are migrated to the program expanded in the core common RAM 200 when an interrupt between cores occurs from the core that executes software rewriting. The core that sets the interrupt between cores and executes software rewriting expands the program to the core common RAM 200 so that it can be performed.

Therefore, as in the first embodiment, when the software of the ECU is rewritten, it is possible to create a situation in which the core to be executed does not exist in the code flash of the erase block to be erased, and the illegal instruction at the time of software rewriting can be executed. And exceptions / interrupts such as resource access violations will not occur.

In the first embodiment, it is possible to make the operation of the save program executed in each core different and change the operation. On the other hand, in the second embodiment, as compared with the first embodiment, each core can use the same save program, and the core that performs software rewriting selects a program to be executed when the core saves. It is possible to obtain the effect of reducing the amount of RAM used by making it common.

[Third Example]
FIG. 5 is a diagram showing an example of a third embodiment in which an exception / interrupt that does not affect the access of the code flash is used during the evacuation program. In this example, an example of a program on the code flash and a program on the RAM, and a flowchart showing the operation of the save program are shown.

The code flash is for a program 502 that is normally executed and a normal program 502 that provides exception / interrupt processing information to be executed when an exception / interrupt occurs during operation of the program 502 that is normally executed. A vector table 501 is arranged.

A save program 504 and a vector table 503 for the save program 503 that provides exception / interrupt processing information to be executed when an exception / interrupt occurs during operation of the save program 504 executed at the time of save are arranged in the RAM. As is to be done, it is expanded into the RAM by the method mentioned in the first embodiment and the second embodiment.

When the program counter 202 for core 2, which is a core other than the core for software rewriting, is transferred to the program counter 302 on the RAM on which the program to be executed at the time of evacuation can be executed by a command from the core for rewriting the software, the evacuation process is performed. Preprocessing S501 is executed.

The preprocessing S501 is a process for setting a state while the save program is executed as needed. For example, DMAC (Direct Memory Access) is used so that access to the code flash or RAM is not generated during software rewriting of the ECU. It is also possible to stop peripheral devices that are not used in the save program of the Controller).

While the evacuation end condition is not satisfied in the evacuation end condition determination S503, the evacuation process S502 is repeatedly executed. When the save end condition is satisfied, the return process S504 is executed, and the execution of the save program 504 is completed.

The save end condition determination S503 polls and monitors the return information via the core shared RAM 200 and the core shared register (not shown), and interrupts the program for performing the return process to the save program vector table 503. Judgment is possible by setting.

According to the third embodiment of the return processing, by expanding the vector table for the save program to the RAM in advance and using it in the same manner as the save program, exceptions / interrupts that do not affect the access of the code flash are used. And when the save end condition is satisfied, the return process can be executed. The third embodiment can be applied to both the first embodiment and the second embodiment.

Here, technical ideas other than the claims that can be grasped from the above-described embodiment will be described below together with their effects.

(B) An electronic control device for automobiles equipped with a microcomputer having at least two cores, and when it is determined that a certain core has failed, the failed core is stored in a non-volatile memory by a command from a core other than the failed core. An electronic control device for automobiles characterized by migrating from a program running in the above program to a program in a volatile memory dedicated to a failed core.
According to such a technical idea, it can be a fail-safe process in the event of a core failure.

(B) When accessing a resource that is an electronic control device for automobiles equipped with a microcomputer having at least two cores and the resources that can be commonly accessed by the core are not occupied by any task, the resource is accessed. When the core that executes the task with high access priority accesses, the core that executes the task with lower access priority is non-volatile by the command from the core that executes the task with high access priority to the resource. An electronic control device for automobiles characterized by migrating from a program running on a program on sexual memory to a program on volatile memory.

According to such a technical idea, it is possible to obtain the effect of interrupt prohibition processing across cores when a plurality of cores handle the same resource, and it is possible to construct semaphore processing across cores.

1-n core 1-n
11-1n core dedicated RAM
100 code flash 200 core common RAM
101 to 10m Erase block 201 Program counter for core 1 202 Program counter for core 2 302 Program counter for core 2 transferred to RAM 312 Program area for saving RAM for core 2 303 Program counter for core 3 transferred to RAM 400 Core common RAM Save program area 501 Vector table for normal execution program 502 Normal execution program 503 Vector table for save execution program 504 Save execution program

Claims (5)

An electronic control device for automobiles equipped with a microcomputer having at least two cores.
When it is determined that a certain core has failed, a command from a core other than the failed core gives a command.
An electronic control device for an automobile, characterized in that a program operating in the failed core is transferred from a program on a non-volatile memory to a program on a volatile memory dedicated to the failed core. The electronic control device for an automobile according to claim 1, wherein the microcomputer has a non-volatile memory that can be accessed in common by at least two cores and a volatile memory dedicated to each core. An automobile electronic control device having at least two cores and equipped with a microcomputer having a non-volatile memory and a volatile memory in which an execution program of the at least two cores is stored.
When a core that executes a task with a high access priority to the resource accesses a resource that can be accessed in common by the core but is not occupied by any task, the access priority to the resource is prioritized. A program running on a core on which a task with a lower access priority is executed is transferred from a program on the non-volatile memory to a program on the volatile memory by a command from a core on which a task with a high degree is executed. An electronic control device for automobiles, characterized in that it does. A multi-core microcomputer having a plurality of cores and a non-volatile memory and a volatile memory in which execution programs of the plurality of cores are stored is provided.
The non-volatile memory stores a normal program executed at normal times and a vector table for the normal program.
The volatile memory stores a save program and a vector table for the save program.
Among the plurality of cores, a program operating in another core is changed from the normal program on the non-volatile memory to the volatile memory by a command from the core that rewrites the software by the program of the non-volatile memory. Move to the above save program and
An electronic control device for an automobile, characterized in that the evacuation program is repeatedly executed while the evacuation end condition is not satisfied, and the execution of the evacuation program is terminated when the evacuation end condition is satisfied. The automotive electron according to claim 4, wherein the program counter of the other core shifts to the program counter of the volatile memory in which the save program can be executed by a command from the core that rewrites the software. Control device.

Images