WO2011062044A1 - Method of disabling execution of program, method of storing program, and airbag control device - Google Patents

Method of disabling execution of program, method of storing program, and airbag control device Download PDF

Info

Publication number
WO2011062044A1
WO2011062044A1 PCT/JP2010/069261 JP2010069261W WO2011062044A1 WO 2011062044 A1 WO2011062044 A1 WO 2011062044A1 JP 2010069261 W JP2010069261 W JP 2010069261W WO 2011062044 A1 WO2011062044 A1 WO 2011062044A1
Authority
WO
WIPO (PCT)
Prior art keywords
machine language
program
language program
execution
code
Prior art date
Application number
PCT/JP2010/069261
Other languages
French (fr)
Japanese (ja)
Inventor
哲郎 寺西
Original Assignee
オートリブ ディベロップメント エービー
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by オートリブ ディベロップメント エービー filed Critical オートリブ ディベロップメント エービー
Priority to JP2011541867A priority Critical patent/JP5468086B2/en
Priority to CN201080052705.8A priority patent/CN102666211B/en
Publication of WO2011062044A1 publication Critical patent/WO2011062044A1/en

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R21/00Arrangements or fittings on vehicles for protecting or preventing injuries to occupants or pedestrians in case of accidents or other traffic risks
    • B60R21/01Electrical circuits for triggering passive safety arrangements, e.g. airbags, safety belt tighteners, in case of vehicle accidents or impending vehicle accidents

Definitions

  • the present invention relates to a program execution disabling method for converting a machine language program for executing a process of forcibly deploying an airbag to a computer into an inexecutable state when the airbag is discarded, and the machine language program
  • the present invention relates to a program storage method that converts a computer program into an inexecutable state and stores it in a storage unit, and an airbag control device that stores a machine language program in an inexecutable state.
  • the airbag When a vehicle equipped with an airbag is to be discarded, the airbag must be forcibly deployed in advance to prevent accidental explosion of the airbag, and after the airbag is forcibly deployed, the vehicle should be discarded together with an inflator, etc. Has been done.
  • the storage unit of the airbag control apparatus uses the disposal processing execution code as a non-execution code so that the airbag does not explode during non-disposal processing under any circumstances. Is required to be stored in.
  • the non-executable code is stored in the ROM (Read Only Memory) of the airbag control device, and is stored in the RAM (Random Access Memory) only under a specific condition, that is, when a series of procedures is confirmed with the disposal tool. It must be restored and executed as executable code.
  • ROM Read Only Memory
  • RAM Random Access Memory
  • a method using an illegal instruction or undefined instruction of a CPU can be considered. Specifically, by partially storing each instruction after generating an execution code in machine language, the execution code is made unexecutable in a normal processing procedure. That is, a process of converting each instruction of the execution code into an illegal instruction or an undefined instruction of the CPU is performed.
  • a CPU Central Processing Unit
  • FIG. 16A and 16B are explanatory diagrams conceptually showing a conventional non-executable coding and non-executable code restoration method.
  • FIG. 16A is an explanatory diagram conceptually showing a process of converting an executable code into a non-executable code by partially storing it separately.
  • a rectangular bar composed of four hatched cells represents execution code.
  • One grid corresponds to 1 byte length, and the execution code shown in FIG. 16A is 4 bytes long.
  • the execution code is converted into a non-execution code by separating the first byte (left side in the figure) of the execution code.
  • Open squares indicate data portions separated from the execution code. The data portion is arbitrary data that can make the execution code undefined or illegal.
  • the data portion is 1-byte length data of “0000000”.
  • the separated 1-byte data at the head is stored in the ROM together with the non-executable code as mask data for restoring the non-executable code.
  • FIG. 16B is an explanatory diagram conceptually showing a process of restoring the separated non-executable code.
  • the non-executable code stored in the ROM has data of 3 bytes length after the executable code, and the mask data has the data of the first 1 byte length of the executable code. Can be used to restore the executable code.
  • the present invention has been made in view of such circumstances, and an object thereof is to provide a part of instruction codes included in a source program of a machine language program for causing a computer to execute a process of forcibly deploying an airbag.
  • the airbag is forcibly deployed by replacing it with another instruction code or by replacing a part of the reference memory address included in the source program with another reference memory address and compiling it into a non-executable code. It is not necessary to generate a non-executable machine language program after generating a machine language program that can be executed, and even if the non-executable machine language program is executed prior to execution coding, all operations are grasped and guaranteed. That can execute program, method for storing program, and air storing non-executable machine language program To provide a Tsu grayed controller.
  • the program execution disabling method is a program execution for converting a machine language program for causing a computer to execute a process for forcibly deploying an air bag to an inexecutable state when the air bag is discarded.
  • a part of the instruction code included in the source program of the machine language program is replaced with another instruction code, or a part of the reference memory address included in the source program is replaced with another reference memory address.
  • a step of converting the source program into a non-executable machine language program a step of compiling a source program incapable of deploying an air bag into a non-executable machine language program, and the non-executable machine language
  • a part of the instruction code included in the source program of the machine language program for causing the computer to execute the process of forcibly deploying the airbag is replaced with another instruction code, or the source program Is replaced with another reference memory address, thereby converting the machine language program into a source program incapable of deploying an airbag.
  • Other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed.
  • the instruction code of the logical sum operation is replaced with the instruction code of the exclusive logical sum.
  • the reference address is an effective address where a reference destination exists.
  • the reference address is a broad address including all addresses necessary for reading and writing data.
  • the reference address includes a RAM, a CPU cache memory, a register, a data input / output memory, and other storage devices. Address, etc. are included. Then, the replaced source program is compiled to create an inexecutable machine language program. Also, restoration data for restoring the non-executable machine language program to the machine language program capable of forcibly deploying the airbag is created.
  • the execution order of the step of creating the restoration data and the step of creating the non-executable machine language program is not limited. Therefore, it is not necessary to generate a non-executable machine language program from the compiled machine language program. In addition, it is possible to verify and grasp the behavior of the CPU.
  • the restoration data includes data indicating a difference between the disable executable machine language program and the machine language program.
  • the restoration data includes data indicating a difference between the non-executable machine language program and the executable machine language program. Therefore, it is possible to restore an executable machine language program from the non-executable machine language program using the restored data.
  • the restoration data may be generated by a person or may be generated by a computer.
  • the restoration data includes an exclusive OR of the disable executable machine language program and the machine language program.
  • the restoration data is an exclusive OR of the non-executable machine language program and the machine language program. Therefore, the restoration data can be easily generated. It is also easy to restore the non-executable machine language program. Further, when the difference between the non-executable machine language program and the executable machine language program is expressed by exclusive OR, the machine language program can be disabled and restored by the same thought process or operation, that is, exclusive OR. Can be realized. For this reason, it is not necessary to distinguish between the calculation method at the time of disabling execution and the calculation method at the time of restoration. In particular, when a person generates restoration data, it is not necessary to consider what the calculation method is when execution is disabled and what the calculation method is when restoration.
  • the generation of the restoration data by exclusive OR may be performed by a person or may be generated by a computer.
  • the program storage method according to the present invention includes a step of storing in the storage unit the non-executable machine language program and the restoration data created using the above-described program execution disable method.
  • the non-executable machine language program and the restoration data are created using the above-described method for disabling the airbag discard program, and the created non-executable machine language program and the restoration data are stored in the storage unit.
  • the machine language program for forcibly deploying the airbag is stored in the storage unit in an inexecutable state.
  • the non-executable machine language program and the restored data may be stored in different storage units.
  • the program storage method stores in a storage unit a restoration machine language program for causing a computer to execute a process of restoring the non-executable machine language program to the machine language program using the restoration data. It has the step to make it feature.
  • the restoration machine language program for restoring the machine language program capable of deploying the airbag is stored in the storage unit using the restoration data and the non-executable machine language program. Therefore, by causing the CPU to execute the restored machine language program, it is possible to restore the machine language program that can deploy the airbag using the restored data and the non-executable machine language program.
  • the airbag control apparatus includes a storage unit storing the non-executable machine language program and restoration data created by using the program execution disable method, and the execution stored in the storage unit. Based on the disabling machine language program and restoration data, the control unit that restores the non-executable machine language program to the machine language program and executes the machine language program, and the control unit that executes the machine language program And a circuit for deploying the airbag according to the control.
  • the airbag is not deployed.
  • the control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag.
  • the airbag is deployed under the control of the control unit that has executed the machine language program.
  • the airbag control apparatus When the airbag control apparatus according to the present invention discards an airbag, some instruction codes included in a machine language program for executing a process of forcibly deploying the airbag are used as other instruction codes.
  • the machine language program obtained by replacing or replacing a part of the reference memory address included in the machine language program with another reference memory address, and the machine language program disabled,
  • the storage unit of the airbag control device converts some instruction codes included in the machine language program for causing the computer to execute processing for forcibly deploying the airbag to other instruction codes.
  • a non-executable machine language program is stored by replacing or replacing a part of the reference memory address included in the machine language program with another reference memory address.
  • the other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed.
  • the reference address is an effective address where a reference destination exists.
  • the storage unit stores restoration data for restoring the non-executable machine language program into the machine language program capable of forcibly deploying the airbag.
  • the control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag.
  • the airbag is deployed under the control of the control unit that has executed the machine language program.
  • the present invention it is not necessary to perform the process of generating the non-executable machine language program after the generation of the machine language program capable of forcibly deploying the airbag, and the non-executable machine language is executed before execution coding. Even if the program is executed, all operations can be grasped and guaranteed. Therefore, it is possible to easily create an inexecutable machine language program having higher safety than the conventional inexecutability method and store it in the storage unit of the computer.
  • FIG. 1 is a block diagram schematically showing a configuration example of an airbag control device 1 and a disposal device 2 according to an embodiment of the present invention.
  • the airbag control device 1 is accommodated in a container (not shown), and is disposed at an appropriate location of the vehicle, for example, near the dashboard.
  • the airbag control device 1 includes a CPU 11 that controls the operation of each component constituting the airbag control device 1.
  • a ROM 12 and a RAM 13 are connected to the CPU 11 via a bus.
  • the acceleration sensor 14, the ignition circuit 15, and the communication circuit 16 are connected to the CPU 11 via an I / O port (not shown) connected to the bus.
  • the CPU 11 includes a control circuit, an arithmetic logic circuit, an instruction decoder, an address register, a data register, an instruction register, a program counter, a stack register, various registers such as a general-purpose register, an instruction decoder, and the like (not shown). Since the configurations and operations of various circuits and registers are well-known techniques, details thereof are omitted. In FIG. 1, only the r16 register, which is one general-purpose register, is shown for convenience of drawing and explanation. Further, the power source 3 mounted on the vehicle is connected to the CPU 11 via a regulator, and when the ignition switch is turned on, a predetermined voltage, for example, a voltage of 5V is applied to the CPU 11. ing.
  • the ROM (storage unit) 12 is a non-volatile storage unit that stores a non-executable code (non-executable machine language program) and a restoration code (restoration machine language program) according to the present embodiment.
  • the non-executable code terminates without executing the process of forcibly deploying the airbag even if the CPU 11 is deployed and executed in the RAM 13 as it is.
  • the restoration code is a program for restoring the non-execution code into an execution code (machine language program) that can forcibly deploy the airbag.
  • the execution code is a program for executing processing for forcibly deploying the airbag when the airbag is discarded. Details of the non-executable code and the restored code will be described later.
  • the ROM 12 stores a program for deploying the airbag when a vehicle collision is detected.
  • the ROM 12 includes a mask ROM and a PROM (Programmable Read Only Memory).
  • the ROM 12 is an example of a storage unit, and non-executable code and restoration code are stored in an EEPROM (Erasable and Programmable Read Only Memory), an EEPROM (Electrically-Erasable and Programmable Read Only Memory), a flash memory, and other nonvolatile memories. You may let them.
  • the RAM 13 is a volatile memory that temporarily stores data generated when the CPU 11 executes an execution code and other various programs.
  • the acceleration sensor 14 is a circuit for detecting a vehicle collision, and outputs a signal corresponding to the acceleration acting on the vehicle to the CPU 11.
  • a squib 15a is connected to the ignition circuit 15, and a voltage is applied to the squib 15a in accordance with a signal output from the CPU 11 to deploy the airbag.
  • the squib 15a is accommodated in an inflator arranged in a steering hole or a dashboard, and gunpowder is arranged around the squib 15a.
  • the squib 15a is connected to the power source 3 via a booster circuit (not shown) and has a heating element such as a filament that generates heat when it is turned on.
  • the ignition circuit 15 includes a switch for interrupting energization to the squib 15a.
  • the switch is, for example, a MOSFET, the gate terminal is connected to the I / O port of the CPU 11, the drain terminal is connected to the squib 15a, and the source terminal is grounded.
  • the communication circuit 16 includes a connector for connecting to the disposal device 2 via a cable.
  • the communication circuit 16 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the discarding device 2 under the control of the CPU 11.
  • the discarding device 2 includes a control unit 21, a communication circuit 22, and an operation unit 23.
  • the control unit 21 is a microcomputer provided with a CPU that controls the operation of each component of the discarding device 2, and a ROM, a RAM, and an I / O port (not shown) are connected to the CPU.
  • the communication circuit 22 includes a connector for connecting to the airbag control device 1 via a cable.
  • the communication circuit 22 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the airbag control device 1 under the control of the control unit 21.
  • the operation unit 23 is a button, switch, touch sensor, or the like for receiving an operation for forcibly deploying the airbag when the airbag is discarded.
  • the operation state of the operation unit 23 is controlled by the control unit 21. It is configured so that it can be detected.
  • FIG. 2 is a flowchart showing a program execution disable method and a program storage method according to the embodiment of the present invention.
  • the user of the program execution disablement method and the program storage method prepares an execution source code (source program) that is described in a lower language and for executing a process for forcibly deploying an airbag (step).
  • the lower language is, for example, an assembly language.
  • the lower language is an example of a language for describing a source program, and includes all computer languages except machine language.
  • FIG. 3 is a flowchart showing a part of the processing procedure described in the execution source code.
  • the CPU 11 executes the following processing by the execution code obtained by compiling the execution source code.
  • the CPU 11 assigns a numerical value based on the data transmitted from the discarding device 2 to the variable A (step S31).
  • the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S32).
  • the airbag control device 1 is configured such that “0xAA” is stored in the variable A when a series of procedures for forcibly deploying the airbag is performed with the disposal device 2. Note that “0xAA” represents a numerical value “AA” expressed in hexadecimal, and “170” when expressed in decimal.
  • step S32: YES When it is determined that the variable A is “0xAA” (step S32: YES), the CPU 11 outputs a deployment signal for deploying the airbag to the ignition circuit 15, thereby discarding and deploying the airbag, and processing. Finish (step S33). When it is determined that the variable A is not “0xAA” (step S32: NO), the CPU 11 ends the process.
  • step S11 the user who has finished the process of step S11 then converts the instruction code included in the execution source code into another instruction code, thereby converting it into a non-execution source code (Ste S12).
  • FIGS. 4A and 4B are explanatory diagrams showing a method of converting execution source code into non-execution source code.
  • FIG. 4A shows a part of the execution source code written in the assembly language.
  • the assembly language shown in FIGS. 4A and 4B is a language for “NEC V850ES series microcomputer”.
  • the execution source code shown in FIG. 4A corresponds to the process of step S32 shown in FIG. Specifically, in the first line program, the CPU 11 reads the contents of the 1-byte length variable A into the r16 register, and in the second line program, the CPU 11 reads the 1-byte length data read into the r16 register. Is signed extended to 4-byte data.
  • the signed extension is an instruction for causing the CPU 11 to execute sign extension so that numerical values can be handled correctly as positive and negative numbers. Then, in the program on the third line, the CPU 11 performs an OR operation on the data in the r16 register and the data in the r16 register itself, and adds “0x56” to the r16 register in the program on the fourth line. To do. Note that “0x56” represents the numerical value “56” expressed in hexadecimal, and “86” when expressed in decimal. According to the above processing, when the content of the variable A is “0xAA”, the content of the r16 register is “0x00”, and when the content of the variable A is other than “0xAA”, the content of the r16 register is “0x00”. It will be other than. The following processing is executed forcibly deploying the airbag when the content of the r16 register is “0x00”, and forcibly terminated when the content of the r16 register is other than “0x00”. Is programmed.
  • the content of the r16 register may be “0x00” immediately before the execution of the “addi” instruction on the fourth line.
  • the content of the r16 register becomes “0x56” in the program on the fourth line. This is the same as the case where a value other than “0xAA” is stored in the variable A in the execution code, and the program is forcibly terminated without deploying the airbag.
  • FIG. 4B is an example of non-executable source code.
  • part of the instruction code included in the execution source code is converted so that the content of the r16 register becomes “0x00” immediately before the execution of the “addi” instruction on the fourth line.
  • the “sxb” instruction on the second line is replaced with a “zxb” instruction
  • the “or” instruction on the third line is replaced with an “xor” instruction.
  • the CPU 11 performs an exclusive OR operation between the data in the r16 register and the data in the r16 register itself.
  • the exclusive OR of data “1” and “1” expressed in binary numbers is “0”, and the exclusive OR of “0” and “0” is also “0” (FIG. 8A and FIG. 8B). Therefore, as a result of the exclusive OR operation on the same data, the content of the r16 register becomes “0x00” (see FIGS. 8A and 8B).
  • the “zxb” instruction on the second line is an instruction for causing the CPU 11 to execute sign extension so that a numerical value can be handled as all positive and negative numbers.
  • FIG. 5 is a flowchart showing a part of the processing procedure for non-executable data.
  • the CPU 11 executes the following processing. First, the CPU 11 substitutes a numerical value based on the data transmitted from the discarding device 2 for the variable A (step S131). Then, the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S132). However, in the non-executable code, it is always determined that the variable A is not a predetermined value regardless of the value of the variable A. For this reason, the CPU 11 always determines that the variable A is not a predetermined value (step S132: NO), and the process is forcibly terminated.
  • a predetermined value for example, “0xAA”
  • step S12 restores the replaced instruction code to the instruction code before the replacement, that is, mask data for restoring the non-executed code to the executable code ( Restored data) is created (step S13).
  • 6A and 6B are explanatory diagrams showing execution codes and non-execution codes in which execution source code and non-execution source code are described in machine language.
  • 6A is an execution code in which execution source code is described in machine language
  • FIG. 6B is non-execution code in which non-execution source code is described in machine language.
  • the portion where the data contents are changed by the replacement of the instruction code is underlined.
  • r and R are data specifying a register
  • d is a memory reference address
  • i is data indicating a numerical value to be added.
  • FIG. 7 is an explanatory diagram showing mask data
  • FIGS. 8A and 8B are a truth table and a Venn diagram of exclusive OR operation.
  • Mask data for restoring non-execution data to execution data is obtained by an exclusive OR operation between the execution data and the non-execution data.
  • the exclusive OR operation as shown in FIGS. 8A and 8B, when the values of the first input and the second input are the same, the output is “0”, and the values of the first input and the second input are different. In this case, since the output is “1”, the difference between the execution data and the non-execution data can be expressed by the mask data.
  • the mask data for restoring the instruction code described in the second and third lines is “00000000000001”. It is also preferable to create mask data for the part where the instruction code is not replaced. This is because the calculation at the time of restoration becomes easy.
  • the mask data of the portion where the instruction code does not need to be restored is “0000...”.
  • it is not indispensable to create mask data corresponding to all instruction codes and only mask data of a portion where instruction codes are replaced may be created.
  • the mask data may be created manually by the user using an assembly language / machine language conversion table. However, the mask data can be generated by causing the computer to execute an exclusive OR operation of the execution code and the non-execution code. Data may be created.
  • exclusive OR was illustrated as a creation method of mask data, it is not limited to this, and other methods can be used as long as at least data indicating a difference between an execution code and a non-execution code can be created. It may be adopted. For example, a value obtained by subtracting a non-executable code from an executable code may be used as mask data. In this case, the execution code can be restored by adding the non-execution code and the mask data. A value obtained by adding the non-executable code to the executable code may be used as mask data. In this case, the execution code can be restored by subtracting the non-execution code from the mask data. Furthermore, the mask data may be calculated by multiplication, division, and other reversible operations between the execution code and the non-execution code.
  • the user who has finished the process of step S13 then compiles the non-executable code, the mask data, and the restoration program (step S14).
  • the restoration program is a program that restores the non-executable code to the execution code by executing an exclusive OR operation between the non-executable code and the mask data, and expands the restored execution code in the RAM 13.
  • the compiling is performed using a computer, but needless to say, it may be manually performed by a user using an assembly language / machine language conversion table.
  • the user stores the compiled non-executable code and the restored code including the mask data in the ROM 12 (step S15).
  • the mask data does not necessarily have to be integrated with the restoration code. If the non-execution code can be restored to the execution code using the mask data, the mask data may be stored in the ROM 12 separately. Further, it is not always necessary to store a non-executable code and a restoration code including mask data in one ROM 12.
  • the non-executable code may be stored in the ROM 12 of the airbag control device 1 and the restoration code including the mask data may be stored in an EEPROM (not shown) of the airbag control device 1. Alternatively, only mask data may be stored in an EEPROM (not shown) of the airbag control device 1.
  • FIG. 9 is a flowchart showing a processing procedure of the airbag control device 1 and the disposal device 2 related to disposal.
  • the processing contents will be described on the assumption that the discarding device 2 is connected to the airbag control device 1 and data is transmitted and received via the communication circuits 16 and 22.
  • the control unit 21 of the disposal apparatus 2 determines whether or not the start of the airbag disposal process has been instructed by monitoring the operation state of the operation unit 23 (step S51). If it is determined that the start of the discarding process has not been instructed (step S51: NO), the control unit 21 returns the process to step S51 again. If it is determined that the start of the discard process has been instructed (step S51: YES), the control unit 21 transmits the restoration execution data for requesting the restoration of the non-executed code to the airbag control device 1 through the communication circuit 22. (Step S52).
  • the CPU 11 of the airbag control device 1 receives the restoration execution data transmitted from the discarding device 2 by the communication circuit 16 (step S53).
  • the CPU 11 restores the execution code from the non-execution code stored in the ROM 12 and the mask data by executing the restoration code (restoration machine language program) stored in the ROM 12. Then, the restored execution code is expanded in the RAM 13 (step S54).
  • FIG. 10 is an explanatory diagram conceptually showing a general method for restoring execution code using mask data
  • FIGS. 11A and 11B conceptually show a specific method for restoring execution code using mask data
  • FIG. 12 is a block diagram schematically showing a configuration example of the airbag control device 1 and the discarding device 2 in which the restored execution data is expanded in the RAM 13.
  • the restoration of the non-executable code is performed by registering a non-executable code and a mask data for performing an exclusive OR operation for each predetermined byte from the beginning, for example, an exclusive OR operation. Is 16 bits, it is performed by sequentially executing 16 bits at a time.
  • the non-executable code is restored by sequentially executing an exclusive OR operation between the non-executable data shown in FIG. 6B and the mask data shown in FIG. Specifically, the content of the non-execution data corresponding to the numerical value “1” of the mask data is converted from “1” to “0” or from “0” to “1”. As a result, the “zxb” instruction is restored to the “sxb” instruction as shown in FIG. 11A, and the “xor” instruction is restored to the “or” instruction as shown in FIG. 11B.
  • the non-executable code shown in FIG. 6B is restored to the executable code shown in FIG. 6A, and the restored executable code is expanded in the RAM 13 as shown in FIG.
  • the CPU 11 transmits restoration end notification data for notifying the end of restoration to the discarding device 2 through the communication circuit 16 (step S55).
  • the control unit 21 of the discard apparatus 2 receives the restoration end notification data transmitted from the airbag control apparatus 1 by the communication circuit 22 (step S56). And the control part 21 determines whether execution of the disposal process of an airbag was instruct
  • the CPU 11 of the airbag control device 1 receives the discard execution data transmitted from the discard device 2 via the communication circuit 16 (step S59). When the discard execution data is received, the CPU 11 executes the restored execution code (step S60) and ends the process. If a series of procedures for forcibly deploying the airbag is correctly performed with the disposal device 2 and the execution code is correctly restored, the variable A includes the numerical value “0xAA”. When the process shown in FIG. 3 is executed in step S60, the squib 15a is ignited and the airbag is forcibly deployed.
  • the program execution disabling method, the program storage method, and the airbag control device it is not necessary to perform a non-executable code generation process after generating an execution code described in machine language. Further, even if a non-executable code is executed before restoration due to a malfunction of the CPU 11, all operations can be grasped and guaranteed. Therefore, it is possible to create a non-executable code with higher safety than the conventional execution disable method and store it in the ROM 12.
  • the mask data is created by exclusive OR of the execution code and the non-execution code. Even when restoring the non-executable code, the non-executable code can be restored to the executable code by exclusive OR of the non-executable code and the mask data. Therefore, it is possible to easily create mask data and restore it to an execution code. That is, when the difference between the execution data and the non-execution data is expressed by exclusive OR, execution of the execution data can be disabled and restored by the same thought process or operation, that is, exclusive OR. For this reason, it is not necessary to distinguish between the calculation method at the time of disabling execution and the calculation method at the time of restoration. Especially when a person generates restoration data, what is the calculation method at the time of disabling execution, There is no need to think about what the method is.
  • Modification 1 Since the airbag control device 1, the program execution disable method, and the program storage method according to the modification 1 are different only in the non-execution method, the difference will be mainly described below.
  • the program storing method according to the first modification a part of the reference addresses included in the execution source program is replaced with another reference address to make the execution impossible.
  • FIG. 13 is a flowchart showing a program execution disable method and a program storage method according to the first modification.
  • the user of the program storage method first prepares an execution source code written in a lower language and for executing a process of forcibly deploying an airbag, as in the above-described embodiment. (Step S111). Then, the user converts the reference address included in the execution source code into a non-execution source code by replacing it with another reference address (step S112). Thereafter, in steps S113 to S115, processing similar to that in steps S13 to S15 is executed.
  • FIG. 14A and FIG. 14B are explanatory diagrams showing an execution code and a non-execution code in which the execution source code and the non-execution source code in Modification 1 are described in machine language.
  • the reference address of the variable A is “0000000000001000”.
  • the user replaces the reference address of the variable A with “0000000000001000000”.
  • the reference address is changed so that the same result as when a value other than “0xAA” is stored in the variable A in the execution code, such as the numerical value “0x00” is always stored in the reference address after replacement. .
  • the program is forcibly terminated without deploying the airbag. Since the numerical value stored in the address may be replaced with an unexpected value when the CPU 11 malfunctions, it is better to replace the instruction code with another instruction code.
  • an example in which only the reference memory address is replaced will be described.
  • FIG. 15 is an explanatory diagram showing mask data in the first modification.
  • the mask data is a mask for restoring the reference address after replacement to the reference address before replacement by performing an exclusive OR operation between the reference address “0000000000001000” of the variable A and the reference address “0000000000000010000” after replacement. Data can be created. As in the above-described embodiment, in FIG. 15, mask data for other instruction codes that are not replaced is also created.
  • the same effects as those of the embodiment can be obtained.
  • fault tolerance can be improved and malfunctions can be more effectively prevented.

Abstract

Provided is a method of disabling the execution of a program such that when an airbag is to be discarded, executable code that serves to cause a computer to execute processing for forcibly deploying an airbag can be easily and reliably converted into a state wherein execution is disabled. The method comprises a step wherein either some of the instruction code included in a source program for executable code serving to cause the computer to execute processing for forcibly deploying an airbag is replaced with other instruction code, or some of the reference memory addresses included in the source program are replaced with other memory addresses, thereby converting the source program into one which is incapable of deploying the airbag; a step wherein a source program incapable of deploying an airbag is compiled into non-executable code; and a step wherein there are created restoring data for restoring the non-executable code to the executable code, which is capable of forcibly deploying the airbag.

Description

プログラム実行不能化方法、プログラム格納方法及びエアバッグ制御装置Program execution disable method, program storage method and airbag control device
 本発明は、エアバッグを廃棄する際、コンピュータに該エアバッグを強制的に展開させる処理を実行するための機械語プログラムを実行が不能な状態に変換するプログラム実行不能化方法、該機械語プログラムを実行が不能な状態に変換して記憶部に格納するプログラム格納方法、及び実行が不能な状態になった機械語プログラムを記憶したエアバッグ制御装置に関する。 The present invention relates to a program execution disabling method for converting a machine language program for executing a process of forcibly deploying an airbag to a computer into an inexecutable state when the airbag is discarded, and the machine language program The present invention relates to a program storage method that converts a computer program into an inexecutable state and stores it in a storage unit, and an airbag control device that stores a machine language program in an inexecutable state.
 エアバッグが搭載された車両を廃棄する場合、エアバッグの誤爆を防止すべく、予めエアバッグを強制的に展開させておき、エアバッグを強制展開させた後に、インフレータなどと共に車両を廃棄することが行われている。自動車用エアバッグの廃棄処理に係るISO-26021規格においては、いかなる状況下においても非廃棄処理時にエアバッグが誤爆しないよう、廃棄処理用の実行コードを非実行コードとしてエアバッグ制御装置の記憶部に格納することが要求されている。該非実行コードはエアバッグ制御装置のROM(Read Only Memory)に格納され、特定の条件下、即ち廃棄ツールとの間で一連の手続きが確認された場合にのみ、RAM(Random Access Memory)上に実行コードとして復元され実行されなければならない。 When a vehicle equipped with an airbag is to be discarded, the airbag must be forcibly deployed in advance to prevent accidental explosion of the airbag, and after the airbag is forcibly deployed, the vehicle should be discarded together with an inflator, etc. Has been done. In the ISO-26021 standard relating to the disposal of automobile airbags, the storage unit of the airbag control apparatus uses the disposal processing execution code as a non-execution code so that the airbag does not explode during non-disposal processing under any circumstances. Is required to be stored in. The non-executable code is stored in the ROM (Read Only Memory) of the airbag control device, and is stored in the RAM (Random Access Memory) only under a specific condition, that is, when a series of procedures is confirmed with the disposal tool. It must be restored and executed as executable code.
 特定の条件下でのみ実行が可能になる非実行コードを作成する方法としては、CPU(Central Processing Unit)の不正命令もしくは未定義命令を利用する方法が考えられる。具体的には、機械語の実行コードを生成した後で各命令を部分的に分離格納することにより、該実行コードを正規の処理手順での実行が不能な状態にする。つまり、実行コードの各命令を、CPUの不正命令又は未定義命令に変換する処理を行う。 As a method of creating non-executable code that can be executed only under specific conditions, a method using an illegal instruction or undefined instruction of a CPU (Central Processing Unit) can be considered. Specifically, by partially storing each instruction after generating an execution code in machine language, the execution code is made unexecutable in a normal processing procedure. That is, a process of converting each instruction of the execution code into an illegal instruction or an undefined instruction of the CPU is performed.
 図16A及び図16Bは、従来の非実行コード化、及び非実行コードの復元方法を概念的に示した説明図である。図16Aは、実行コードを部分的に分離格納することにより、非実行コード化する処理を概念的に示した説明図である。ハッチングが付された4個の升目で構成された矩形バーは、実行コードを表している。1個の升目は1バイト長に対応しており、図16Aに示した実行コードは4バイト長である。図16Aに示した例では、実行コードの先頭(図中左側)1バイトを分離することによって、該実行コードは非実行コード化されている。白抜きの升目は、実行コードから分離されたデータ部分を示している。該データ部分は、実行コードを、未定義又は不正命令にすることができる任意のデータである。例えば、前記データ部分は、「0000000」の1バイト長データである。また、分離された先頭の1バイトのデータは、非実行コードを復元するためのマスクデータとして、非実行コードと共にROMに格納される。
 図16Bは、分離された非実行コードを復元する処理を概念的に示した説明図である。ROMに格納された非実行コードは、実行コードの後段3バイト長のデータを有し、マスクデータは、実行コードの先頭1バイト長のデータを有しているため、非実行コード及びマスクデータを用いて、実行コードを復元することができる。 16A and 16B are explanatory diagrams conceptually showing a conventional non-executable coding and non-executable code restoration method. FIG. 16A is an explanatory diagram conceptually showing a process of converting an executable code into a non-executable code by partially storing it separately. A rectangular bar composed of four hatched cells represents execution code. One grid corresponds to 1 byte length, and the execution code shown in FIG. 16A is 4 bytes long. In the example shown in FIG. 16A, the execution code is converted into a non-execution code by separating the first byte (left side in the figure) of the execution code. Open squares indicate data portions separated from the execution code. The data portion is arbitrary data that can make the execution code undefined or illegal. For example, the data portion is 1-byte length data of “0000000”. The separated 1-byte data at the head is stored in the ROM together with the non-executable code as mask data for restoring the non-executable code.
FIG. 16B is an explanatory diagram conceptually showing a process of restoring the separated non-executable code. The non-executable code stored in the ROM has data of 3 bytes length after the executable code, and the mask data has the data of the first 1 byte length of the executable code. Can be used to restore the executable code.
特開平11-301390号公報Japanese Patent Laid-Open No. 11-301390
 しかしながら、実行データの一部を分離格納する方法は、コンパイラ等により機械語の実行コードを生成した後に行われる。従って、この方法では実行コードの関数長および格納アドレスを特定し処理する必要があり、また命令が可変長フォーマットである場合は、実行コードの命令解析までも行わなければいけないため、非実行コード化の工程が非常に複雑であるという問題があった。
 また、分離後の非実行コードは、CPUの未定義又は不正命令であり、CPU製造業者によって動作が保証されていない場合、CPUの異常動作などにより非実行コードが実行コード化される前に実行されたときのCPUの挙動すら検証・把握することができないなど、安全面での憂慮も払拭できないという問題があった。 However, a method of separately storing a part of execution data is performed after a machine language execution code is generated by a compiler or the like. Therefore, in this method, it is necessary to specify and process the function length and storage address of the execution code, and if the instruction is in a variable length format, the instruction analysis of the execution code must also be performed. There has been a problem that the process is very complicated.
The non-executable code after separation is an undefined or illegal instruction of the CPU, and if the operation is not guaranteed by the CPU manufacturer, it is executed before the non-executable code is converted into an executable code due to an abnormal operation of the CPU. There was a problem that safety concerns could not be eliminated, for example, even the behavior of the CPU when it was done could not be verified and grasped.
 本発明は斯かる事情に鑑みてなされたものであり、その目的は、エアバッグを強制的に展開させる処理をコンピュータに実行させるための機械語プログラムのソースプログラムに含まれる一部の命令コードを他の命令コードに置換、又は該ソースプログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換し、コンパイルすることで非実行コード化することによって、エアバッグを強制的に展開させることが可能な機械語プログラムの生成後に実行不能化機械語プログラムの生成処理を行う必要が無く、実行コード化前に実行不能化機械語プログラムが実行されたとしても全ての動作を把握及び保障することができるプログラム実行不能化方法、プログラム格納方法、及び実行不能化機械語プログラムを記憶したエアバッグ制御装置を提供することにある。 The present invention has been made in view of such circumstances, and an object thereof is to provide a part of instruction codes included in a source program of a machine language program for causing a computer to execute a process of forcibly deploying an airbag. The airbag is forcibly deployed by replacing it with another instruction code or by replacing a part of the reference memory address included in the source program with another reference memory address and compiling it into a non-executable code. It is not necessary to generate a non-executable machine language program after generating a machine language program that can be executed, and even if the non-executable machine language program is executed prior to execution coding, all operations are grasped and guaranteed. That can execute program, method for storing program, and air storing non-executable machine language program To provide a Tsu grayed controller.
 本発明に係るプログラム実行不能化方法は、エアバッグを廃棄する際、コンピュータに、エアバッグを強制的に展開させる処理を実行させるための機械語プログラムを、実行が不能な状態に変換するプログラム実行不能化方法において、前記機械語プログラムのソースプログラムに含まれる一部の命令コードを他の命令コードに置換、又は該ソースプログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換することによって、エアバッグを展開させることが不能なソースプログラムに変換するステップと、エアバッグを展開させることが不能なソースプログラムを実行不能化機械語プログラムにコンパイルするステップと、該実行不能化機械語プログラムを、エアバッグを強制的に展開させることが可能な前記機械語プログラムに復元するための復元データを作成するステップとを有することを特徴とする。 The program execution disabling method according to the present invention is a program execution for converting a machine language program for causing a computer to execute a process for forcibly deploying an air bag to an inexecutable state when the air bag is discarded. In the disabling method, a part of the instruction code included in the source program of the machine language program is replaced with another instruction code, or a part of the reference memory address included in the source program is replaced with another reference memory address. A step of converting the source program into a non-executable machine language program, a step of compiling a source program incapable of deploying an air bag into a non-executable machine language program, and the non-executable machine language The machine capable of forcibly deploying an air bag program Characterized by a step of creating a restoration data for restoring the program.
 本発明にあっては、コンピュータに、エアバッグを強制的に展開させる処理を実行させるための機械語プログラムのソースプログラムに含まれる一部の命令コードを他の命令コードに置換、又は該ソースプログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換することによって、該機械語プログラムをエアバッグを展開させることが不能なソースプログラムに変換する。置換に用いる他の命令コードは、コンピュータのCPUを動作させるために使用される正規のコードであり、コンピュータの動作は保証される。例えば、論理和演算の命令コードを、排他的論理和の命令コードに置換する。また、参照アドレスは、参照先が存在する有効なものである。なお参照アドレスは、データの読み書きを行う際に必要な一切のアドレスを含む広義のアドレスであり、参照アドレスには、RAM、CPUのキャッシュメモリ、レジスタ、データ入出力用のメモリ、その他の記憶装置のアドレス等が含まれる。
 そして、置換後のソースプログラムをコンパイルして実行不能化機械語プログラムを作成する。また、実行不能化機械語プログラムを、エアバッグを強制的に展開させることが可能な前記機械語プログラムに復元するための復元データを作成する。なお、復元データを作成するステップと、実行不能化機械語プログラムを作成するステップとの実行順序は問わない。
 従って、コンパイルされた機械語プログラムから実行不能化機械語プログラムを生成する処理は不要である。また、CPUの挙動を検証及び把握することが可能である。 In the present invention, a part of the instruction code included in the source program of the machine language program for causing the computer to execute the process of forcibly deploying the airbag is replaced with another instruction code, or the source program Is replaced with another reference memory address, thereby converting the machine language program into a source program incapable of deploying an airbag. Other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed. For example, the instruction code of the logical sum operation is replaced with the instruction code of the exclusive logical sum. The reference address is an effective address where a reference destination exists. The reference address is a broad address including all addresses necessary for reading and writing data. The reference address includes a RAM, a CPU cache memory, a register, a data input / output memory, and other storage devices. Address, etc. are included.
Then, the replaced source program is compiled to create an inexecutable machine language program. Also, restoration data for restoring the non-executable machine language program to the machine language program capable of forcibly deploying the airbag is created. The execution order of the step of creating the restoration data and the step of creating the non-executable machine language program is not limited.
Therefore, it is not necessary to generate a non-executable machine language program from the compiled machine language program. In addition, it is possible to verify and grasp the behavior of the CPU.
 本発明に係るプログラム実行不能化方法は、前記復元データは、前記実行不能化機械語プログラムと、前記機械語プログラムとの差分を示したデータを含むことを特徴とする。 In the program execution disable method according to the present invention, the restoration data includes data indicating a difference between the disable executable machine language program and the machine language program.
 本発明にあっては、復元データは、実行不能化機械語プログラムと、実行可能な機械語プログラムとの差分を示したデータを含む。従って、復元データを用いて、実行不能化機械語プログラムから実行可能な機械語プログラムを復元することが可能である。なお、復元データの生成は、人が行っても良いし、コンピュータに生成させても良い。 In the present invention, the restoration data includes data indicating a difference between the non-executable machine language program and the executable machine language program. Therefore, it is possible to restore an executable machine language program from the non-executable machine language program using the restored data. The restoration data may be generated by a person or may be generated by a computer.
 本発明に係るプログラム実行不能化方法は、前記復元データは、前記実行不能化機械語プログラムと、前記機械語プログラムとの排他的論理和を含むことを特徴とする。 In the program execution disable method according to the present invention, the restoration data includes an exclusive OR of the disable executable machine language program and the machine language program.
 本発明にあっては、復元データは、実行不能化機械語プログラムと、機械語プログラムとの排他的論理和である。従って、復元データの生成は容易である。また、実行不能化機械語プログラムの復元も容易である。更に、実行不能化機械語プログラムと、実行可能な機械語プログラムとの差分を排他的論理和によって表現した場合、機械語プログラムの実行不能化及び復元を同じ思考プロセス又は演算、即ち排他的論理和によって実現することができる。このため、実行不能化時の演算方法と、復元時の演算方法とを区別する必要が無い。特に、人が復元データを生成する場合、実行不能化時の演算方法が何で、復元時の演算方法が何で等と考える必要が無くなる。
 なお、排他的論理和による復元データの生成は、人が行っても良いし、コンピュータに生成させても良い。 In the present invention, the restoration data is an exclusive OR of the non-executable machine language program and the machine language program. Therefore, the restoration data can be easily generated. It is also easy to restore the non-executable machine language program. Further, when the difference between the non-executable machine language program and the executable machine language program is expressed by exclusive OR, the machine language program can be disabled and restored by the same thought process or operation, that is, exclusive OR. Can be realized. For this reason, it is not necessary to distinguish between the calculation method at the time of disabling execution and the calculation method at the time of restoration. In particular, when a person generates restoration data, it is not necessary to consider what the calculation method is when execution is disabled and what the calculation method is when restoration.
The generation of the restoration data by exclusive OR may be performed by a person or may be generated by a computer.
 本発明に係るプログラム格納方法は、上述のプログラム実行不能化方法を用いて作成された前記実行不能化機械語プログラム及び復元データを記憶部に格納させるステップを有することを特徴とする。 The program storage method according to the present invention includes a step of storing in the storage unit the non-executable machine language program and the restoration data created using the above-described program execution disable method.
 本発明にあっては、上述のエアバッグ廃棄用プログラム実行不能化方法を用いて、実行不能化機械語プログラム及び復元データが作成され、作成された実行不能化機械語プログラム及び復元データが記憶部に格納される。従って、エアバッグを強制的に展開させる機械語プログラムは、実行不能な状態で記憶部に格納される。なお、記憶部は一つ又は複数のいずれであっても良い。また、実行不能化機械語プログラム及び復元データを異なる記憶部に格納させても良い。 In the present invention, the non-executable machine language program and the restoration data are created using the above-described method for disabling the airbag discard program, and the created non-executable machine language program and the restoration data are stored in the storage unit. Stored in Therefore, the machine language program for forcibly deploying the airbag is stored in the storage unit in an inexecutable state. Note that one or a plurality of storage units may be used. Further, the non-executable machine language program and the restored data may be stored in different storage units.
 本発明に係るプログラム格納方法は、コンピュータに、前記復元データを用いて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元する処理を実行させるための復元機械語プログラムを記憶部に格納させるステップを有することを特徴とする。 The program storage method according to the present invention stores in a storage unit a restoration machine language program for causing a computer to execute a process of restoring the non-executable machine language program to the machine language program using the restoration data. It has the step to make it feature.
 本発明にあっては、復元データ及び実行不能化機械語プログラムを用いて、エアバッグを展開させることが可能な機械語プログラムに復元するための復元機械語プログラムを記憶部に格納させる。従って、復元機械語プログラムをCPUに実行させることによって、復元データ及び実行不能化機械語プログラムを用いて、エアバッグを展開させることが可能な機械語プログラムに復元することが可能になる。 In the present invention, the restoration machine language program for restoring the machine language program capable of deploying the airbag is stored in the storage unit using the restoration data and the non-executable machine language program. Therefore, by causing the CPU to execute the restored machine language program, it is possible to restore the machine language program that can deploy the airbag using the restored data and the non-executable machine language program.
 本発明に係るエアバッグ制御装置は、上述のプログラム実行不能化方法を用いて作成された前記実行不能化機械語プログラム及び復元データを格納した記憶部と、該記憶部が格納している前記実行不能化機械語プログラム及び復元データに基づいて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元し、該機械語プログラムを実行する制御部と、前記機械語プログラムを実行した前記制御部の制御に従ってエアバッグを展開させる回路とを備えることを特徴とする。 The airbag control apparatus according to the present invention includes a storage unit storing the non-executable machine language program and restoration data created by using the program execution disable method, and the execution stored in the storage unit. Based on the disabling machine language program and restoration data, the control unit that restores the non-executable machine language program to the machine language program and executes the machine language program, and the control unit that executes the machine language program And a circuit for deploying the airbag according to the control.
 本発明にあっては、エアバッグ制御装置の制御部の誤作動によって、実行不能化機械語プログラムが実行されたとしても、エアバッグは展開しない。制御部は、復元データを用いて実行不能化機械語プログラムを、エアバッグを強制的に展開させることができる機械語プログラムに復元し、実行することができる。該機械語プログラムが実行された制御部の制御に従って、エアバッグは展開する。 In the present invention, even if the non-executable machine language program is executed due to a malfunction of the control unit of the airbag control device, the airbag is not deployed. The control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag. The airbag is deployed under the control of the control unit that has executed the machine language program.
 本発明に係るエアバッグ制御装置は、エアバッグを廃棄する際に、該エアバッグを強制的に展開させる処理を実行するための機械語プログラムに含まれる一部の命令コードを他の命令コードに置換、又は該機械語プログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換することによって得られた実行不能化機械語プログラム、及び該実行不能化機械語プログラムを、前記機械語プログラムに復元するための復元データを格納した記憶部と、該記憶部が格納している前記実行不能化機械語プログラム及び復元データに基づいて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元し、該機械語プログラムを実行する制御部と、前記機械語プログラムを実行した前記制御部の制御に従ってエアバッグを展開させる回路とを備えることを特徴とする。 When the airbag control apparatus according to the present invention discards an airbag, some instruction codes included in a machine language program for executing a process of forcibly deploying the airbag are used as other instruction codes. The machine language program obtained by replacing or replacing a part of the reference memory address included in the machine language program with another reference memory address, and the machine language program disabled, A storage unit storing restoration data for restoration to a program, the non-executable machine language program stored in the storage unit, and the machine language program based on the restoration data To the control unit that executes the machine language program and the airbag according to the control of the control unit that executes the machine language program. Characterized in that it comprises a circuit for open.
 本発明にあっては、エアバッグ制御装置の記憶部は、コンピュータに、エアバッグを強制的に展開させる処理を実行させるための機械語プログラムに含まれる一部の命令コードを他の命令コードに置換、又は該機械語プログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換された実行不能化機械語プログラムを記憶している。置換に用いられた他の命令コードは、コンピュータのCPUを動作させるために使用される正規のコードであり、コンピュータの動作は保証される。また、参照アドレスは、参照先が存在する有効なものである。更に、記憶部は、そして、実行不能化機械語プログラムを、エアバッグを強制的に展開させることが可能な前記機械語プログラムに復元するための復元データを記憶する。
 従って、エアバッグ制御装置の制御部の誤作動によって、実行不能化機械語プログラムが実行されたとしても、エアバッグは展開しない。制御部は、復元データを用いて実行不能化機械語プログラムを、エアバッグを強制的に展開させることができる機械語プログラムに復元し、実行することができる。該機械語プログラムが実行された制御部の制御に従って、エアバッグは展開する。 In the present invention, the storage unit of the airbag control device converts some instruction codes included in the machine language program for causing the computer to execute processing for forcibly deploying the airbag to other instruction codes. A non-executable machine language program is stored by replacing or replacing a part of the reference memory address included in the machine language program with another reference memory address. The other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed. The reference address is an effective address where a reference destination exists. Further, the storage unit stores restoration data for restoring the non-executable machine language program into the machine language program capable of forcibly deploying the airbag.
Therefore, even if the non-executable machine language program is executed due to a malfunction of the control unit of the airbag control device, the airbag is not deployed. The control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag. The airbag is deployed under the control of the control unit that has executed the machine language program.
 本発明にあっては、エアバッグを強制的に展開させることが可能な機械語プログラムの生成後に実行不能化機械語プログラムの生成処理を行う必要が無く、実行コード化前に実行不能化機械語プログラムが実行されたとしても全ての動作を把握及び保障することができる。従って、従来の実行不能化方法に比べて、安全性が高い実行不能化機械語プログラムを容易に作成し、コンピュータの記憶部に格納することができる。 In the present invention, it is not necessary to perform the process of generating the non-executable machine language program after the generation of the machine language program capable of forcibly deploying the airbag, and the non-executable machine language is executed before execution coding. Even if the program is executed, all operations can be grasped and guaranteed. Therefore, it is possible to easily create an inexecutable machine language program having higher safety than the conventional inexecutability method and store it in the storage unit of the computer.
本発明の実施の形態に係るエアバッグ制御装置及び廃棄装置の一構成例を模式的に示したブロック図である。It is the block diagram which showed typically the example of 1 structure of the airbag control apparatus and disposal apparatus which concern on embodiment of this invention. 本発明の実施の形態に係るプログラム実行不能化方法及びプログラム格納方法を示したフローチャートである。It is the flowchart which showed the program execution disabling method and program storing method which concern on embodiment of this invention. 実行ソースコードに記述された処理手順の一部を示すフローチャートである。It is a flowchart which shows a part of process procedure described in the execution source code. 実行ソースコードを非実行ソースコードに変換する方法を示した説明図である。It is explanatory drawing which showed the method of converting an execution source code into a non-execution source code. 実行ソースコードを非実行ソースコードに変換する方法を示した説明図である。It is explanatory drawing which showed the method of converting an execution source code into a non-execution source code. 非実行データの処理手順の一部を示すフローチャートである。It is a flowchart which shows a part of processing procedure of non-execution data. 実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。It is explanatory drawing which showed the execution code and non-execution code which described the execution source code and the non-execution source code in the machine language. 実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。It is explanatory drawing which showed the execution code and non-execution code which described the execution source code and the non-execution source code in the machine language. マスクデータを示した説明図である。It is explanatory drawing which showed mask data. 排他的論理和演算の真理値表及びベン図である。It is a truth table and Venn diagram of exclusive OR operation. 排他的論理和演算の真理値表及びベン図である。It is a truth table and Venn diagram of exclusive OR operation. 廃棄に係るエアバッグ制御装置及び廃棄装置の処理手順を示すフローチャートである。It is a flowchart which shows the process sequence of the airbag control apparatus and disposal apparatus which concern on disposal. マスクデータを用いて実行コードを復元する一般的方法を概念的に示した説明図である。It is explanatory drawing which showed notionally the general method which decompress | restores an execution code using mask data. マスクデータを用いて実行コードを復元する具体的方法を概念的に示した説明図である。It is explanatory drawing which showed notionally the specific method of decompress | restoring an execution code using mask data. マスクデータを用いて実行コードを復元する具体的方法を概念的に示した説明図である。It is explanatory drawing which showed notionally the specific method of decompress | restoring an execution code using mask data. 復元された実行データがRAMに展開されたエアバッグ制御装置及び廃棄装置の一構成例を模式的に示したブロック図である。It is the block diagram which showed typically the structural example of the airbag control apparatus by which the decompressed execution data were expand | deployed by RAM, and the discard apparatus. 変形例1に係るプログラム実行不能化方法及びプログラム格納方法を示したフローチャートである。10 is a flowchart showing a program execution disabling method and a program storing method according to Modification 1. 変形例1における実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。It is explanatory drawing which showed the execution code and non-execution code which described the execution source code and non-execution source code in the modification 1 in the machine language. 変形例1における実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。It is explanatory drawing which showed the execution code and non-execution code which described the execution source code and non-execution source code in the modification 1 in the machine language. 変形例1におけるマスクデータを示した説明図である。It is explanatory drawing which showed the mask data in the modification 1. 従来の非実行コード化、及び非実行コードの復元方法を概念的に示した説明図である。It is explanatory drawing which showed notionally the conventional non-executable coding and the restoration method of a non-executable code. 従来の非実行コード化、及び非実行コードの復元方法を概念的に示した説明図である。It is explanatory drawing which showed notionally the conventional non-executable coding and the restoration method of a non-executable code.
 以下、本発明をその実施の形態を示す図面に基づいて詳述する。
 図1は、本発明の実施の形態に係るエアバッグ制御装置1及び廃棄装置2の一構成例を模式的に示したブロック図である。 Hereinafter, the present invention will be described in detail with reference to the drawings illustrating embodiments thereof.
FIG. 1 is a block diagram schematically showing a configuration example of an airbag control device 1 and a disposal device 2 according to an embodiment of the present invention.
 エアバッグ制御装置1は、図示しない収容体に収容され、車両の適宜箇所、例えばダッシュボード付近に配置される。エアバッグ制御装置1は、該エアバッグ制御装置1を構成する各構成部の動作を制御するCPU11を備える。CPU11には、バスを介してROM12及びRAM13が接続されている。また、CPU11には、バスに接続された図示しないI/Oポートを介して加速度センサ14、点火回路15及び通信回路16が接続されている。 The airbag control device 1 is accommodated in a container (not shown), and is disposed at an appropriate location of the vehicle, for example, near the dashboard. The airbag control device 1 includes a CPU 11 that controls the operation of each component constituting the airbag control device 1. A ROM 12 and a RAM 13 are connected to the CPU 11 via a bus. Further, the acceleration sensor 14, the ignition circuit 15, and the communication circuit 16 are connected to the CPU 11 via an I / O port (not shown) connected to the bus.
 CPU11は、図示しない制御回路、演算論理回路、命令デコーダ、アドレスレジスタ、データレジスタ、命令レジスタ、プログラムカウンタ、スタックレジスタ、汎用レジスタ等の各種レジスタ、命令デコーダ等で構成されている。各種回路、レジスタの構成及び動作については周知技術であるため、その詳細は省略する。なお、図1では、作図及び説明の便宜上、一の汎用レジスタであるr16レジスタのみが図示されている。また、CPU11には、車両に搭載された電源3がレギュレータを介して接続されており、イグニッションスイッチがオン状態になった場合、所定電圧、例えば5Vの電圧がCPU11に印加されるように構成されている。 The CPU 11 includes a control circuit, an arithmetic logic circuit, an instruction decoder, an address register, a data register, an instruction register, a program counter, a stack register, various registers such as a general-purpose register, an instruction decoder, and the like (not shown). Since the configurations and operations of various circuits and registers are well-known techniques, details thereof are omitted. In FIG. 1, only the r16 register, which is one general-purpose register, is shown for convenience of drawing and explanation. Further, the power source 3 mounted on the vehicle is connected to the CPU 11 via a regulator, and when the ignition switch is turned on, a predetermined voltage, for example, a voltage of 5V is applied to the CPU 11. ing.
 ROM(記憶部)12は、本実施の形態に係る非実行コード(実行不能化機械語プログラム)及び復元コード(復元機械語プログラム)を記憶する不揮発性の記憶部である。非実行コードは、CPU11がそのままRAM13に展開及び実行されても、エアバッグを強制的に展開させる処理は実行されずに終了するものである。復元コードは、非実行コードを、エアバッグを強制的に展開させることが可能な実行コード(機械語プログラム)に復元するためのプログラムである。実行コードは、エアバッグを廃棄する際に、CPU11がエアバッグを強制的に展開させる処理を実行するためのプログラムである。非実行コード及び復元コードの詳細は後述する。また、ROM12は、車両の衝突を検知した場合にエアバッグを展開させるためのプログラムを記憶している。
 なお、ROM12には、マスクROM及びPROM(Programmable Read Only Memory)が含まれる。また、ROM12は、記憶部の一例であり、EPROM(Erasable and Programmable Read Only Memory)、EEPROM(Electrically - Erasable and Programmable Read only Memory)、フラッシュメモリ、その他の不揮発メモリに非実行コード及び復元コードを格納させても良い。 The ROM (storage unit) 12 is a non-volatile storage unit that stores a non-executable code (non-executable machine language program) and a restoration code (restoration machine language program) according to the present embodiment. The non-executable code terminates without executing the process of forcibly deploying the airbag even if the CPU 11 is deployed and executed in the RAM 13 as it is. The restoration code is a program for restoring the non-execution code into an execution code (machine language program) that can forcibly deploy the airbag. The execution code is a program for executing processing for forcibly deploying the airbag when the airbag is discarded. Details of the non-executable code and the restored code will be described later. The ROM 12 stores a program for deploying the airbag when a vehicle collision is detected.
The ROM 12 includes a mask ROM and a PROM (Programmable Read Only Memory). The ROM 12 is an example of a storage unit, and non-executable code and restoration code are stored in an EEPROM (Erasable and Programmable Read Only Memory), an EEPROM (Electrically-Erasable and Programmable Read Only Memory), a flash memory, and other nonvolatile memories. You may let them.
 RAM13は、CPU11が実行コード、その他の各種プログラムを実行する際に発生するデータを一時的に記憶する揮発性のメモリである。 The RAM 13 is a volatile memory that temporarily stores data generated when the CPU 11 executes an execution code and other various programs.
 加速度センサ14は、車両の衝突を検知するための回路であり、車両に働く加速度に応じた信号をCPU11へ出力する。 The acceleration sensor 14 is a circuit for detecting a vehicle collision, and outputs a signal corresponding to the acceleration acting on the vehicle to the CPU 11.
 点火回路15には、スクイブ15aが接続されており、CPU11から出力された信号に応じて、スクイブ15aに電圧を印加し、エアバッグを展開させる回路である。
 スクイブ15aは、ステアリングホール又はダッシュボードなどに配置されたインフレータ内に収容され、その周囲には火薬が配されている。スクイブ15aは、図示しない昇圧回路を介して電源3に接続されており、導通することによって発熱するフィラメントなどの発熱体を有する。
 点火回路15は、スクイブ15aへの通電を遮断するためのスイッチを備える。該スイッチは例えば、MOSFETであり、ゲート端子は、CPU11のI/Oポートに接続され、ドレイン端子はスクイブ15aに接続され、ソース端子は接地されている。 A squib 15a is connected to the ignition circuit 15, and a voltage is applied to the squib 15a in accordance with a signal output from the CPU 11 to deploy the airbag.
The squib 15a is accommodated in an inflator arranged in a steering hole or a dashboard, and gunpowder is arranged around the squib 15a. The squib 15a is connected to the power source 3 via a booster circuit (not shown) and has a heating element such as a filament that generates heat when it is turned on.
The ignition circuit 15 includes a switch for interrupting energization to the squib 15a. The switch is, for example, a MOSFET, the gate terminal is connected to the I / O port of the CPU 11, the drain terminal is connected to the squib 15a, and the source terminal is grounded.
 通信回路16は、ケーブルを介して廃棄装置2と接続するためのコネクタを備える。通信回路16は、CPU11の制御に従って、廃棄装置2との間で、エアバッグを強制的に展開させるための各種データを送受信するための回路である。 The communication circuit 16 includes a connector for connecting to the disposal device 2 via a cable. The communication circuit 16 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the discarding device 2 under the control of the CPU 11.
 廃棄装置2は、制御部21と、通信回路22と、操作部23とを備える。
 制御部21は、廃棄装置2の各構成部の動作を制御するCPUを備えたマイクロコンピュータであり、該CPUには、図示しないROM、RAM、I/Oポートが接続されている。
 通信回路22は、ケーブルを介してエアバッグ制御装置1と接続するためのコネクタを備える。通信回路22は、制御部21の制御に従って、エアバッグ制御装置1との間で、エアバッグを強制的に展開させるための各種データを送受信するための回路である。
 操作部23は、エアバッグを廃棄する際に、エアバッグを強制的に展開させるための操作を受け付けるためのボタン、スイッチ、タッチセンサなどであり、操作部23の操作状態は、制御部21によって検出できるように構成されている。 The discarding device 2 includes a control unit 21, a communication circuit 22, and an operation unit 23.
The control unit 21 is a microcomputer provided with a CPU that controls the operation of each component of the discarding device 2, and a ROM, a RAM, and an I / O port (not shown) are connected to the CPU.
The communication circuit 22 includes a connector for connecting to the airbag control device 1 via a cable. The communication circuit 22 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the airbag control device 1 under the control of the control unit 21.
The operation unit 23 is a button, switch, touch sensor, or the like for receiving an operation for forcibly deploying the airbag when the airbag is discarded. The operation state of the operation unit 23 is controlled by the control unit 21. It is configured so that it can be detected.
 図2は、本発明の実施の形態に係るプログラム実行不能化方法及びプログラム格納方法を示したフローチャートである。プログラム実行不能化方法及びプログラム格納方法の使用者は、まず、低級言語で記述されており、エアバッグを強制的に展開させる処理を実行させるための実行ソースコード(ソースプログラム)を用意する(ステップS11)。低級言語は、例えばアセンブリ言語である。なお、低級言語は、ソースプログラムを記述する言語の一例であり、機械語を除くすべてのコンピュータ言語が含まれる。 FIG. 2 is a flowchart showing a program execution disable method and a program storage method according to the embodiment of the present invention. First, the user of the program execution disablement method and the program storage method prepares an execution source code (source program) that is described in a lower language and for executing a process for forcibly deploying an airbag (step). S11). The lower language is, for example, an assembly language. The lower language is an example of a language for describing a source program, and includes all computer languages except machine language.
 図3は、実行ソースコードに記述された処理手順の一部を示すフローチャートである。実行ソースコードをコンパイルして得られる実行コードによって、CPU11は以下の処理を実行する。まず、CPU11は、廃棄装置2から送信されたデータに基づく数値を変数Aに代入する(ステップS31)。そして、CPU11は、変数Aの値が所定値、例えば「0xAA」であるか否かを判定する(ステップS32)。エアバッグ制御装置1は、エアバッグを強制的に展開させるための一連の手続きを廃棄装置2との間で行った場合、変数Aに「0xAA」が格納されるように構成されている。なお、「0xAA」は、16進数で表記された数値「AA」を表しており、10進数で表記すると「170」である。 FIG. 3 is a flowchart showing a part of the processing procedure described in the execution source code. The CPU 11 executes the following processing by the execution code obtained by compiling the execution source code. First, the CPU 11 assigns a numerical value based on the data transmitted from the discarding device 2 to the variable A (step S31). Then, the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S32). The airbag control device 1 is configured such that “0xAA” is stored in the variable A when a series of procedures for forcibly deploying the airbag is performed with the disposal device 2. Note that “0xAA” represents a numerical value “AA” expressed in hexadecimal, and “170” when expressed in decimal.
 変数Aが「0xAA」であると判定した場合(ステップS32:YES)、CPU11は、エアバッグを展開させるための展開信号を点火回路15へ出力することによって、エアバッグを廃棄展開させ、処理を終える(ステップS33)。変数Aが「0xAA」でないと判定した場合(ステップS32:NO)、CPU11は処理を終える。 When it is determined that the variable A is “0xAA” (step S32: YES), the CPU 11 outputs a deployment signal for deploying the airbag to the ignition circuit 15, thereby discarding and deploying the airbag, and processing. Finish (step S33). When it is determined that the variable A is not “0xAA” (step S32: NO), the CPU 11 ends the process.
 図2に示すように、ステップS11の工程を終えた使用者は、次いで、実行ソースコードに含まれる一部の命令コードを他の命令コードに置換することによって、非実行ソースコードに変換する(ステップS12)。 As shown in FIG. 2, the user who has finished the process of step S11 then converts the instruction code included in the execution source code into another instruction code, thereby converting it into a non-execution source code ( Step S12).
 図4A及び図Bは、実行ソースコードを非実行ソースコードに変換する方法を示した説明図である。図4Aは、アセンブリ言語で記述された実行ソースコードの一部を示している。なお、図4A及び図4Bに示したアセンブリ言語は、「NEC V850ES シリーズマイコン」用の言語である。図4Aに示された実行ソースコードは、図3に示したステップS32の処理に対応している。具体的には、1行目のプログラムで、CPU11は、1バイト長変数Aの内容をr16レジスタに読み出し、2行目のプログラムで、CPU11は、r16レジスタに読み出された1バイト長のデータを、4バイト長データにsigned拡張する。signed拡張は、数値を、正負の数字を正しく扱えるように符号拡張をCPU11に実行させるための命令である。そして、第3行目のプログラムで、CPU11は、r16レジスタのデータと、該r16レジスタ自身のデータとの論理和演算を実行し、第4行目のプログラムで、r16レジスタに「0x56」を加算する。なお、「0x56」は、16進数で表記された数値「56」を表しており、10進数で表記すると「86」である。
 以上の処理によれば、変数Aの内容が「0xAA」である場合、r16レジスタの内容が「0x00」になり、変数Aの内容が「0xAA」以外である場合、r16レジスタの内容が「0x00」以外になる。そして、以下の処理は、r16レジスタの内容が「0x00」である場合、エアバッグを強制的に展開させる処理が実行され、r16レジスタの内容が「0x00」以外である場合、強制終了されるようにプログラムされている。 4A and 4B are explanatory diagrams showing a method of converting execution source code into non-execution source code. FIG. 4A shows a part of the execution source code written in the assembly language. The assembly language shown in FIGS. 4A and 4B is a language for “NEC V850ES series microcomputer”. The execution source code shown in FIG. 4A corresponds to the process of step S32 shown in FIG. Specifically, in the first line program, the CPU 11 reads the contents of the 1-byte length variable A into the r16 register, and in the second line program, the CPU 11 reads the 1-byte length data read into the r16 register. Is signed extended to 4-byte data. The signed extension is an instruction for causing the CPU 11 to execute sign extension so that numerical values can be handled correctly as positive and negative numbers. Then, in the program on the third line, the CPU 11 performs an OR operation on the data in the r16 register and the data in the r16 register itself, and adds “0x56” to the r16 register in the program on the fourth line. To do. Note that “0x56” represents the numerical value “56” expressed in hexadecimal, and “86” when expressed in decimal.
According to the above processing, when the content of the variable A is “0xAA”, the content of the r16 register is “0x00”, and when the content of the variable A is other than “0xAA”, the content of the r16 register is “0x00”. It will be other than. The following processing is executed forcibly deploying the airbag when the content of the r16 register is “0x00”, and forcibly terminated when the content of the r16 register is other than “0x00”. Is programmed.
 従って、上述の実施ソースコードを非実行ソースコードに変換するためには、どのような条件であってもr16レジスタに「0x00」が格納されないようにすれば良い。例えば、4行目の「addi」命令の実行直前において、r16レジスタの内容が「0x00」であれば良い。この場合、4行目のプログラムで、r16レジスタの内容が「0x56」になる。これは、実行コードにおける変数Aに「0xAA」以外の値が格納された場合と同じであり、エアバッグの展開が行われないまま、プログラムは強制終了される。 Therefore, in order to convert the implementation source code described above into non-executable source code, it is only necessary to prevent “0x00” from being stored in the r16 register under any conditions. For example, the content of the r16 register may be “0x00” immediately before the execution of the “addi” instruction on the fourth line. In this case, the content of the r16 register becomes “0x56” in the program on the fourth line. This is the same as the case where a value other than “0xAA” is stored in the variable A in the execution code, and the program is forcibly terminated without deploying the airbag.
 図4Bは、非実行ソースコードの一例である。図4Bでは、上述のように、4行目の「addi」命令の実行直前において、r16レジスタの内容が「0x00」になるように、実行ソースコードに含まれる命令コードの一部を変換する。具体的には、2行目の「sxb」命令を、「zxb」命令に置換し、3行目の「or」命令を、「xor」命令に置換する。特に、置換後の3行目のプログラムで、CPU11は、r16レジスタのデータと、該r16レジスタ自身のデータとの排他的論理和演算を実行する。2進数で表現されたデータ「1」と、「1」との排他的論理和は「0」であり、「0」と、「0」との排他的論理和も「0」である(図8A及び図8B参照)。従って、同一データの排他的論理和演算の結果、r16レジスタの内容は「0x00」になる(図8A及び図8B参照)。
 なお、2行目の「zxb」命令は、数値を、正負の数字を全て正のデータとして扱えるように符号拡張をCPU11に実行させるための命令である。 FIG. 4B is an example of non-executable source code. In FIG. 4B, as described above, part of the instruction code included in the execution source code is converted so that the content of the r16 register becomes “0x00” immediately before the execution of the “addi” instruction on the fourth line. Specifically, the “sxb” instruction on the second line is replaced with a “zxb” instruction, and the “or” instruction on the third line is replaced with an “xor” instruction. In particular, in the program on the third line after replacement, the CPU 11 performs an exclusive OR operation between the data in the r16 register and the data in the r16 register itself. The exclusive OR of data “1” and “1” expressed in binary numbers is “0”, and the exclusive OR of “0” and “0” is also “0” (FIG. 8A and FIG. 8B). Therefore, as a result of the exclusive OR operation on the same data, the content of the r16 register becomes “0x00” (see FIGS. 8A and 8B).
The “zxb” instruction on the second line is an instruction for causing the CPU 11 to execute sign extension so that a numerical value can be handled as all positive and negative numbers.
 図5は、非実行データの処理手順の一部を示すフローチャートである。非実行コードが実行された場合、CPU11は以下の処理を実行する。まず、CPU11は、廃棄装置2から送信されたデータに基づく数値を変数Aに代入する(ステップS131)。そして、CPU11は、変数Aの値が所定値、例えば「0xAA」であるか否かを判定する(ステップS132)。ただし、非実行コードにおいては、変数Aの値に拘わらず、常に変数Aは所定値ではないと判定される。このため、CPU11は、常に変数Aは所定値ではないと判定し(ステップS132:NO)、処理が強制的に終了することになる。 FIG. 5 is a flowchart showing a part of the processing procedure for non-executable data. When the non-executable code is executed, the CPU 11 executes the following processing. First, the CPU 11 substitutes a numerical value based on the data transmitted from the discarding device 2 for the variable A (step S131). Then, the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S132). However, in the non-executable code, it is always determined that the variable A is not a predetermined value regardless of the value of the variable A. For this reason, the CPU 11 always determines that the variable A is not a predetermined value (step S132: NO), and the process is forcibly terminated.
 図2に示すように、ステップS12の工程を終えた使用者は、次いで、置換された命令コードを置換前の命令コードに復元、つまり、非実行コードを実行コードに復元するためのマスクデータ(復元データ)を作成する(ステップS13)。 As shown in FIG. 2, the user who has finished the process of step S12 then restores the replaced instruction code to the instruction code before the replacement, that is, mask data for restoring the non-executed code to the executable code ( Restored data) is created (step S13).
 図6A及び図6Bは、実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。図6Aは、実行ソースコードを機械語で記述した実行コードであり、図6Bは、非実行ソースコードを機械語で記述した非実行コードである。命令コードの置換によってデータの内容が変更された部分には下線が引かれている。なお、r,Rはレジスタを指定するデータ、dはメモリの参照アドレス、iは加算する数値を示したデータである。 6A and 6B are explanatory diagrams showing execution codes and non-execution codes in which execution source code and non-execution source code are described in machine language. 6A is an execution code in which execution source code is described in machine language, and FIG. 6B is non-execution code in which non-execution source code is described in machine language. The portion where the data contents are changed by the replacement of the instruction code is underlined. Here, r and R are data specifying a register, d is a memory reference address, and i is data indicating a numerical value to be added.
 図7は、マスクデータを示した説明図、図8A及び図8Bは、排他的論理和演算の真理値表及びベン図である。非実行データを実行データに復元するためのマスクデータは、実行データと、非実行データとの排他的論理和演算によって得られる。排他的論理和演算は、図8A、Bに示すように、第1入力と、第2入力の値が同じである場合、出力が「0」、第1入力と、第2入力の値が異なる場合、出力が「1」になるため、マスクデータによって、実行データと、非実行データとのデータの差分を表現することができる。具体的には、図6A及び図6B中、2行目及び3行目に記述された命令コードを復元するためのマスクデータは、いずれも「0000000000100000」である。また、命令コードが置換されていない部分についてもマスクデータを作成しておくと良い。復元時の演算が容易になるためである。命令コードの復元が不要な部分のマスクデータは「0000…」である。なお、言うまでも無く、全ての命令コードに対応するマスクデータを作成することは必須では無く、命令コードを置換した部分のマスクデータのみを作成するようにしても良い。また、マスクデータは、アセンブリ言語・機械語変換テーブルを用いて使用者が手作業で作成しても良いが、コンピュータに実行コード及び非実行コードの排他的論理和演算を実行させることによって、マスクデータを作成しても良い。 FIG. 7 is an explanatory diagram showing mask data, and FIGS. 8A and 8B are a truth table and a Venn diagram of exclusive OR operation. Mask data for restoring non-execution data to execution data is obtained by an exclusive OR operation between the execution data and the non-execution data. In the exclusive OR operation, as shown in FIGS. 8A and 8B, when the values of the first input and the second input are the same, the output is “0”, and the values of the first input and the second input are different. In this case, since the output is “1”, the difference between the execution data and the non-execution data can be expressed by the mask data. Specifically, in FIG. 6A and FIG. 6B, the mask data for restoring the instruction code described in the second and third lines is “00000000000001”. It is also preferable to create mask data for the part where the instruction code is not replaced. This is because the calculation at the time of restoration becomes easy. The mask data of the portion where the instruction code does not need to be restored is “0000...”. Needless to say, it is not indispensable to create mask data corresponding to all instruction codes, and only mask data of a portion where instruction codes are replaced may be created. The mask data may be created manually by the user using an assembly language / machine language conversion table. However, the mask data can be generated by causing the computer to execute an exclusive OR operation of the execution code and the non-execution code. Data may be created.
 なお、マスクデータの作成方法として、排他的論理和を例示したが、これに限定されるものでは無く、少なくとも実行コードと、非実行コードとの差分を示したデータを作成できれば、他の方法を採用しても良い。例えば、実行コードから、非実行コードを減算して得た値をマスクデータとしても良い。この場合、非実行コードと、マスクデータとを加算することによって、実行コードを復元することができる。また、実行コードに、非実行コードを加算して得た値をマスクデータとしても良い。この場合、マスクデータから非実行コードを減算することによって、実行コードを復元することができる。更に、実行コードと、非実行コードとの間で、乗算、除算、その他の可逆な演算によって、マスクデータを算出するように構成しても良い。 In addition, although exclusive OR was illustrated as a creation method of mask data, it is not limited to this, and other methods can be used as long as at least data indicating a difference between an execution code and a non-execution code can be created. It may be adopted. For example, a value obtained by subtracting a non-executable code from an executable code may be used as mask data. In this case, the execution code can be restored by adding the non-execution code and the mask data. A value obtained by adding the non-executable code to the executable code may be used as mask data. In this case, the execution code can be restored by subtracting the non-execution code from the mask data. Furthermore, the mask data may be calculated by multiplication, division, and other reversible operations between the execution code and the non-execution code.
 図2に示すように、ステップS13の工程を終えた使用者は、次いで、非実行コード及びマスクデータ、並びに復元用プログラムをコンパイルする(ステップS14)。復元用プログラムは、非実行コードと、マスクデータとの排他的論理和演算を実行することによって、非実行コードを実行コードに復元し、復元された実行コードをRAM13に展開するプログラムである。なお、コンパイルは、コンピュータを用いて行われるが、言うまでも無く、アセンブリ言語・機械語変換テーブルを用いて使用者が、手作業で行っても良い。 As shown in FIG. 2, the user who has finished the process of step S13 then compiles the non-executable code, the mask data, and the restoration program (step S14). The restoration program is a program that restores the non-executable code to the execution code by executing an exclusive OR operation between the non-executable code and the mask data, and expands the restored execution code in the RAM 13. The compiling is performed using a computer, but needless to say, it may be manually performed by a user using an assembly language / machine language conversion table.
 次いで、使用者は、コンパイルされた非実行コードと、マスクデータを含む復元コードとをROM12に格納させる(ステップS15)。なお、マスクデータは、必ずしも復元コードと一体である必要は無く、マスクデータを用いて非実行コードを実行コードに復元できるのであれば、各別にROM12に格納させるようにしても良い。また、必ずしも一つのROM12に非実行コード、マスクデータを含む復元コードを格納させる必要は無い。例えば、非実行コードをエアバッグ制御装置1のROM12に格納させ、マスクデータを含む復元コードをエアバッグ制御装置1の図示しないEEPROMに格納させるように構成しても良い。また、マスクデータのみをエアバッグ制御装置1の図示しないEEPROMに格納させるように構成しても良い。 Next, the user stores the compiled non-executable code and the restored code including the mask data in the ROM 12 (step S15). Note that the mask data does not necessarily have to be integrated with the restoration code. If the non-execution code can be restored to the execution code using the mask data, the mask data may be stored in the ROM 12 separately. Further, it is not always necessary to store a non-executable code and a restoration code including mask data in one ROM 12. For example, the non-executable code may be stored in the ROM 12 of the airbag control device 1 and the restoration code including the mask data may be stored in an EEPROM (not shown) of the airbag control device 1. Alternatively, only mask data may be stored in an EEPROM (not shown) of the airbag control device 1.
 図9は、廃棄に係るエアバッグ制御装置1及び廃棄装置2の処理手順を示すフローチャートである。以下、エアバッグ制御装置1に廃棄装置2が接続され、通信回路16、22を介してデータを送受信することが前提として、処理内容を説明する。 FIG. 9 is a flowchart showing a processing procedure of the airbag control device 1 and the disposal device 2 related to disposal. Hereinafter, the processing contents will be described on the assumption that the discarding device 2 is connected to the airbag control device 1 and data is transmitted and received via the communication circuits 16 and 22.
 廃棄装置2の制御部21は、操作部23の操作状態を監視することによって、エアバッグの廃棄処理の開始が指示されたか否かを判定する(ステップS51)。廃棄処理の開始が指示されていないと判定した場合(ステップS51:NO)、制御部21は、処理を再びステップS51へ戻す。廃棄処理の開始が指示されたと判定した場合(ステップS51:YES)、制御部21は、非実行コードの復元を要求するための復元実行データを、通信回路22にてエアバッグ制御装置1へ送信する(ステップS52)。 The control unit 21 of the disposal apparatus 2 determines whether or not the start of the airbag disposal process has been instructed by monitoring the operation state of the operation unit 23 (step S51). If it is determined that the start of the discarding process has not been instructed (step S51: NO), the control unit 21 returns the process to step S51 again. If it is determined that the start of the discard process has been instructed (step S51: YES), the control unit 21 transmits the restoration execution data for requesting the restoration of the non-executed code to the airbag control device 1 through the communication circuit 22. (Step S52).
 エアバッグ制御装置1のCPU11は、廃棄装置2から送信された復元実行データを通信回路16にて受信する(ステップS53)。復元実行データを受信した場合、CPU11は、ROM12が記憶している復元コード(復元機械語プログラム)を実行することによって、ROM12が記憶している非実行コードと、マスクデータとから実行コードを復元し、復元された実行コードをRAM13に展開する(ステップS54)。 The CPU 11 of the airbag control device 1 receives the restoration execution data transmitted from the discarding device 2 by the communication circuit 16 (step S53). When the restoration execution data is received, the CPU 11 restores the execution code from the non-execution code stored in the ROM 12 and the mask data by executing the restoration code (restoration machine language program) stored in the ROM 12. Then, the restored execution code is expanded in the RAM 13 (step S54).
 図10は、マスクデータを用いて実行コードを復元する一般的方法を概念的に示した説明図、図11A及び図11Bは、マスクデータを用いて実行コードを復元する具体的方法を概念的に示した説明図、図12は、復元された実行データがRAM13に展開されたエアバッグ制御装置1及び廃棄装置2の一構成例を模式的に示したブロック図である。図10に示すように、非実行コードの復元は、非実行コードと、マスクデータとの排他的論理和演算を先頭から所定バイトずつ、例えば排他的論理和演算を実行するために使用されるレジスタが16ビットである場合、16ビットずつ順次実行することによって行われる。つまり、非実行コードの復元は、図6Bに示された非実行データと、図7に示したマスクデータとの排他的論理和演算を先頭から所定バイトずつ順次実行することによって行われる。具体的には、マスクデータの数値「1」に対応する部分の非実行データの内容が「1」から「0」へ、又は「0」から「1」へ変換される。その結果、図11Aに示すように「zxb」命令は、「sxb」命令に復元され、図11Bに示すように「xor」命令は、「or」命令に復元される。以上の処理によって、図6Bに示した非実行コードは、図6Aに示した実行コードに復元され、復元された実行コードは、図12に示すようにRAM13に展開される。
 そして、CPU11は、復元の終了を通知する復元終了通知データを、通信回路16にて廃棄装置2へ送信する(ステップS55)。 FIG. 10 is an explanatory diagram conceptually showing a general method for restoring execution code using mask data, and FIGS. 11A and 11B conceptually show a specific method for restoring execution code using mask data. FIG. 12 is a block diagram schematically showing a configuration example of the airbag control device 1 and the discarding device 2 in which the restored execution data is expanded in the RAM 13. As shown in FIG. 10, the restoration of the non-executable code is performed by registering a non-executable code and a mask data for performing an exclusive OR operation for each predetermined byte from the beginning, for example, an exclusive OR operation. Is 16 bits, it is performed by sequentially executing 16 bits at a time. That is, the non-executable code is restored by sequentially executing an exclusive OR operation between the non-executable data shown in FIG. 6B and the mask data shown in FIG. Specifically, the content of the non-execution data corresponding to the numerical value “1” of the mask data is converted from “1” to “0” or from “0” to “1”. As a result, the “zxb” instruction is restored to the “sxb” instruction as shown in FIG. 11A, and the “xor” instruction is restored to the “or” instruction as shown in FIG. 11B. Through the above processing, the non-executable code shown in FIG. 6B is restored to the executable code shown in FIG. 6A, and the restored executable code is expanded in the RAM 13 as shown in FIG.
Then, the CPU 11 transmits restoration end notification data for notifying the end of restoration to the discarding device 2 through the communication circuit 16 (step S55).
 廃棄装置2の制御部21は、エアバッグ制御装置1から送信された復元終了通知データを通信回路22にて受信する(ステップS56)。そして、制御部21は、操作部23の操作状態を監視することによって、エアバッグの廃棄処理の実行が指示されたか否かを判定する(ステップS57)。エアバッグの廃棄処理の実行が指示されていないと判定した場合(ステップS57:NO)、制御部21は、処理を再びステップS57へ戻す。エアバッグの廃棄処理の実行が指示されたと判定した場合(ステップS57:YES)、制御部21は、廃棄処理の実行を指示する廃棄実行データを、通信回路22にてエアバッグ制御装置1へ送信する(ステップS58)。 The control unit 21 of the discard apparatus 2 receives the restoration end notification data transmitted from the airbag control apparatus 1 by the communication circuit 22 (step S56). And the control part 21 determines whether execution of the disposal process of an airbag was instruct | indicated by monitoring the operation state of the operation part 23 (step S57). When it determines with execution of the disposal process of an airbag not being instruct | indicated (step S57: NO), the control part 21 returns a process to step S57 again. When it is determined that the execution of the disposal process of the airbag has been instructed (step S57: YES), the control unit 21 transmits the disposal execution data instructing the execution of the disposal process to the airbag control device 1 through the communication circuit 22. (Step S58).
 エアバッグ制御装置1のCPU11は、廃棄装置2から送信された廃棄実行データを、通信回路16を介して受信する(ステップS59)。廃棄実行データを受信した場合、CPU11は、復元された実行コードを実行し(ステップS60)、処理を終える。エアバッグを強制的に展開させるための一連の手続きが廃棄装置2との間で正しく行われ、実行コードが正しく復元されていれば、変数Aには数値「0xAA」が含まれているため、ステップS60で図3に示した処理が実行された場合、スクイブ15aが点火し、エアバッグが強制的に展開する。 The CPU 11 of the airbag control device 1 receives the discard execution data transmitted from the discard device 2 via the communication circuit 16 (step S59). When the discard execution data is received, the CPU 11 executes the restored execution code (step S60) and ends the process. If a series of procedures for forcibly deploying the airbag is correctly performed with the disposal device 2 and the execution code is correctly restored, the variable A includes the numerical value “0xAA”. When the process shown in FIG. 3 is executed in step S60, the squib 15a is ignited and the airbag is forcibly deployed.
 本実施の形態に係るプログラム実行不能化方法、プログラム格納方法及びエアバッグ制御装置によれば、機械語で記述された実行コードの生成後に非実行コードの生成処理を行う必要が無い。また、CPU11の誤作動によって、復元前に非実行コードが実行されたとしても全ての動作を把握及び保障することができる。従って、従来の実行不能化方法に比べて、安全性が高い非実行コードを作成し、ROM12に格納することができる。 According to the program execution disabling method, the program storage method, and the airbag control device according to the present embodiment, it is not necessary to perform a non-executable code generation process after generating an execution code described in machine language. Further, even if a non-executable code is executed before restoration due to a malfunction of the CPU 11, all operations can be grasped and guaranteed. Therefore, it is possible to create a non-executable code with higher safety than the conventional execution disable method and store it in the ROM 12.
 また、マスクデータは、実行コードと、非実行コードとの排他的論理和によって作成される。非実行コードを復元する場合も、非実行コードと、マスクデータとの排他的論理和によって、非実行コードを実行コードに復元することができる。従って、マスクデータの作成、及び実行コードへの復元を容易に行うことができる。つまり、実行データと、非実行データとの差分を排他的論理和によって表現した場合、実行データの実行不能化及び復元を同じ思考プロセス又は演算、即ち排他的論理和によって実現することができる。このため、実行不能化時の演算方法と、復元時の演算方法とを区別する必要が無く、特に、人が復元データを生成する場合、実行不能化時の演算方法が何で、復元時の演算方法が何で等と考える必要が無くなる。 Also, the mask data is created by exclusive OR of the execution code and the non-execution code. Even when restoring the non-executable code, the non-executable code can be restored to the executable code by exclusive OR of the non-executable code and the mask data. Therefore, it is possible to easily create mask data and restore it to an execution code. That is, when the difference between the execution data and the non-execution data is expressed by exclusive OR, execution of the execution data can be disabled and restored by the same thought process or operation, that is, exclusive OR. For this reason, it is not necessary to distinguish between the calculation method at the time of disabling execution and the calculation method at the time of restoration. Especially when a person generates restoration data, what is the calculation method at the time of disabling execution, There is no need to think about what the method is.
(変形例1)
 変形例1に係るエアバッグ制御装置1、プログラム実行不能化方法及びプログラム格納方法は、非実行化の方法のみが異なるため、以下では主に上記相異点について説明する。変形例1に係るプログラム格納方法は、実行ソースプログラムに含まれる一部の参照アドレスを、他の参照アドレスに置換することによって、実行不能にするものである。 (Modification 1)
Since the airbag control device 1, the program execution disable method, and the program storage method according to the modification 1 are different only in the non-execution method, the difference will be mainly described below. In the program storing method according to the first modification, a part of the reference addresses included in the execution source program is replaced with another reference address to make the execution impossible.
 図13は、変形例1に係るプログラム実行不能化方法及びプログラム格納方法を示したフローチャートである。変形例1では、プログラム格納方法の使用者は、上述の実施の形態と同様、まず、低級言語で記述されており、エアバッグを強制的に展開させる処理を実行させるための実行ソースコードを用意する(ステップS111)。そして、使用者は、実行ソースコードに含まれる一部の参照アドレスを他の参照アドレスに置換するすることによって、非実行ソースコードに変換する(ステップS112)。以下、ステップS113~ステップS115において、ステップS13~ステップS15と同様の処理を実行する。 FIG. 13 is a flowchart showing a program execution disable method and a program storage method according to the first modification. In the first modification, the user of the program storage method first prepares an execution source code written in a lower language and for executing a process of forcibly deploying an airbag, as in the above-described embodiment. (Step S111). Then, the user converts the reference address included in the execution source code into a non-execution source code by replacing it with another reference address (step S112). Thereafter, in steps S113 to S115, processing similar to that in steps S13 to S15 is executed.
 図14A及び図14Bは、変形例1における実行ソースコード及び非実行ソースコードを機械語で記述した実行コード及び非実行コードを示した説明図である。図14A及び図14Bに示すように、変数Aの参照アドレスは「0000000000001000」である。ステップS112で、使用者は、変数Aの参照アドレスを「0000000000010000」に置換している。置換後の参照アドレスには、常に数値「0x00」が格納されているなど、実行コードにおける変数Aに「0xAA」以外の値が格納された場合と同じ結果になるように、参照アドレスを変更する。この場合、エアバッグの展開が行われないまま、プログラムは強制終了される。
 なお、アドレスに格納される数値は、CPU11が誤動作した場合、予想し得ない数値に置き換わるおそれがあるため、命令コードも合わせて他の命令コードに置換しておく方が良い。以下では、説明の便宜上、参照メモリアドレスのみを置換した例を説明する。 FIG. 14A and FIG. 14B are explanatory diagrams showing an execution code and a non-execution code in which the execution source code and the non-execution source code in Modification 1 are described in machine language. As shown in FIGS. 14A and 14B, the reference address of the variable A is “0000000000001000”. In step S112, the user replaces the reference address of the variable A with “0000000000001000000”. The reference address is changed so that the same result as when a value other than “0xAA” is stored in the variable A in the execution code, such as the numerical value “0x00” is always stored in the reference address after replacement. . In this case, the program is forcibly terminated without deploying the airbag.
Since the numerical value stored in the address may be replaced with an unexpected value when the CPU 11 malfunctions, it is better to replace the instruction code with another instruction code. Hereinafter, for convenience of explanation, an example in which only the reference memory address is replaced will be described.
 図15は、変形例1におけるマスクデータを示した説明図である。マスクデータは、変数Aの参照アドレス「0000000000001000」と、置換後の参照アドレス「0000000000010000」との排他的論理和演算を行うことによって、置換後の参照アドレスを、置換前の参照アドレスに復元するマスクデータを作成することができる。なお、上述の実施の形態と同様、図15では、置換されていない他の命令コードに対するマスクデータも作成されている。 FIG. 15 is an explanatory diagram showing mask data in the first modification. The mask data is a mask for restoring the reference address after replacement to the reference address before replacement by performing an exclusive OR operation between the reference address “0000000000001000” of the variable A and the reference address “0000000000000010000” after replacement. Data can be created. As in the above-described embodiment, in FIG. 15, mask data for other instruction codes that are not replaced is also created.
 変形例1に係るプログラム実行不能化方法、プログラム格納方法及びエアバッグ制御装置によれば、実施の形態と同様の効果を奏する。特に、変形例1に係る方法と、実施の形態に係る方法とを組み合わせることによって、耐障害性を向上させ、誤動作をより効果的に防止することができる。 According to the program execution disabling method, the program storing method, and the airbag control device according to the first modification, the same effects as those of the embodiment can be obtained. In particular, by combining the method according to the modified example 1 and the method according to the embodiment, fault tolerance can be improved and malfunctions can be more effectively prevented.
 今回開示された実施の形態はすべての点で例示であって、制限的なものではないと考えられるべきである。本発明の範囲は、上記した意味ではなく、請求の範囲によって示され、請求の範囲と均等の意味及び範囲内でのすべての変更が含まれることが意図される。 It should be considered that the embodiment disclosed this time is illustrative in all respects and not restrictive. The scope of the present invention is defined not by the above-described meaning but by the scope of claims, and is intended to include all modifications within the meaning and scope equivalent to the scope of claims.
 1 エアバッグ制御装置
 2 廃棄装置
 3 電源
 11 CPU
 12 ROM
 13 RAM
 14 加速度センサ
 15 点火回路
 15a スクイブ
 16 通信回路
 21 制御部
 22 通信回路
 23 操作部
  DESCRIPTION OF SYMBOLS 1 Airbag control apparatus 2 Disposal apparatus 3 Power supply 11 CPU
12 ROM
13 RAM
DESCRIPTION OF SYMBOLS 14 Acceleration sensor 15 Ignition circuit 15a Squib 16 Communication circuit 21 Control part 22 Communication circuit 23 Operation part

Claims (7)

  1.  エアバッグを廃棄する際、コンピュータに、エアバッグを強制的に展開させる処理を実行させるための機械語プログラムを、実行が不能な状態に変換するプログラム実行不能化方法において、
     前記機械語プログラムのソースプログラムに含まれる一部の命令コードを他の命令コードに置換、又は該ソースプログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換することによって、エアバッグを展開させることが不能なソースプログラムに変換するステップと、
     エアバッグを展開させることが不能なソースプログラムを実行不能化機械語プログラムにコンパイルするステップと、
     該実行不能化機械語プログラムを、エアバッグを強制的に展開させることが可能な前記機械語プログラムに復元するための復元データを作成するステップと
     を有することを特徴とするプログラム実行不能化方法。     In a program execution disabling method for converting a machine language program for causing a computer to execute a process of forcibly deploying an air bag when the air bag is discarded,
    By replacing some instruction codes included in the source program of the machine language program with other instruction codes, or by replacing some reference memory addresses included in the source program with other reference memory addresses Converting to a source program that cannot be expanded,
    Compiling a source program incapable of deploying an airbag into an inexecutable machine language program;
    And a step of creating restoration data for restoring the machine language program to the machine language program capable of forcibly deploying an airbag.
  2.  前記復元データは、
     前記実行不能化機械語プログラムと、前記機械語プログラムとの差分を示したデータを含む
     ことを特徴とする請求項1に記載のプログラム実行不能化方法。     The restored data is
    The program execution disabling method according to claim 1, further comprising data indicating a difference between the disabling machine language program and the machine language program.
  3.  前記復元データは、
     前記実行不能化機械語プログラムと、前記機械語プログラムとの排他的論理和を含む
      ことを特徴とする請求項1に記載のプログラム実行不能化方法。     The restored data is
    The program execution disablement method according to claim 1, comprising an exclusive OR of the disable execution machine language program and the machine language program.
  4.  請求項1乃至請求項3のいずれか一つに記載のプログラム実行不能化方法を用いて作成された前記実行不能化機械語プログラム及び復元データを記憶部に格納させるステップを有する
     ことを特徴とするプログラム格納方法。     A step of storing in the storage unit the non-executable machine language program and the restoration data created by using the program execution disable method according to any one of claims 1 to 3. Program storage method.
  5.  コンピュータに、前記復元データを用いて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元する処理を実行させるための復元機械語プログラムを記憶部に格納させるステップを有する
     ことを特徴とする請求項4に記載のプログラム格納方法。     A step of storing in the storage unit a restored machine language program for causing the computer to execute a process of restoring the non-executable machine language program to the machine language program using the restored data. The program storage method according to claim 4.
  6.  請求項1乃至請求項3のいずれか一つに記載のプログラム実行不能化方法を用いて作成された前記実行不能化機械語プログラム及び復元データを格納した記憶部と、
     該記憶部が格納している前記実行不能化機械語プログラム及び復元データに基づいて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元し、該機械語プログラムを実行する制御部と、
     前記機械語プログラムを実行した前記制御部の制御に従ってエアバッグを展開させる回路と
     を備えることを特徴とするエアバッグ制御装置。     A storage unit storing the non-executable machine language program and restoration data created by using the program non-executable method according to any one of claims 1 to 3.
    Based on the non-executable machine language program and the restoration data stored in the storage unit, the non-executable machine language program is restored to the machine language program and the machine language program is executed.
    An air bag control apparatus comprising: a circuit that deploys an air bag according to control of the control unit that executes the machine language program.
  7.  エアバッグを廃棄する際に、該エアバッグを強制的に展開させる処理を実行するための機械語プログラムに含まれる一部の命令コードを他の命令コードに置換、又は該機械語プログラムに含まれる一部の参照メモリアドレスを他の参照メモリアドレスに置換することによって得られた実行不能化機械語プログラム、及び該実行不能化機械語プログラムを、前記機械語プログラムに復元するための復元データを格納した記憶部と、
     該記憶部が格納している前記実行不能化機械語プログラム及び復元データに基づいて、前記実行不能化機械語プログラムを、前記機械語プログラムに復元し、該機械語プログラムを実行する制御部と、
     前記機械語プログラムを実行した前記制御部の制御に従ってエアバッグを展開させる回路と
     を備えることを特徴とするエアバッグ制御装置。
          When discarding an airbag, a part of the instruction code included in the machine language program for executing the process of forcibly deploying the airbag is replaced with another instruction code, or included in the machine language program A non-executable machine language program obtained by replacing some reference memory addresses with other reference memory addresses, and restoration data for restoring the non-executable machine language program into the machine language program are stored. Storage unit
    Based on the non-executable machine language program and the restoration data stored in the storage unit, the non-executable machine language program is restored to the machine language program and the machine language program is executed.
    An air bag control apparatus comprising: a circuit that deploys an air bag according to control of the control unit that executes the machine language program.
PCT/JP2010/069261 2009-11-20 2010-10-29 Method of disabling execution of program, method of storing program, and airbag control device WO2011062044A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2011541867A JP5468086B2 (en) 2009-11-20 2010-10-29 Program execution disable method, program storage method and airbag control device
CN201080052705.8A CN102666211B (en) 2009-11-20 2010-10-29 Method of disabling execution of program, method of storing program, and airbag control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009265329 2009-11-20
JP2009-265329 2009-11-20

Publications (1)

Publication Number Publication Date
WO2011062044A1 true WO2011062044A1 (en) 2011-05-26

Family

ID=44059527

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/069261 WO2011062044A1 (en) 2009-11-20 2010-10-29 Method of disabling execution of program, method of storing program, and airbag control device

Country Status (3)

Country Link
JP (1) JP5468086B2 (en)
CN (1) CN102666211B (en)
WO (1) WO2011062044A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104670145B (en) * 2013-11-27 2019-06-07 博世汽车部件(苏州)有限公司 The method and apparatus of automotive safety buffering are provided

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1129003A (en) * 1997-05-15 1999-02-02 Toyota Motor Corp Starting device of occupant protective device
JPH11301390A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301391A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301388A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301387A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
WO2004087468A1 (en) * 2003-04-01 2004-10-14 Robert Bosch Gmbh Control unit for a restraint system
JP2006256371A (en) * 2005-03-15 2006-09-28 Toyota Motor Corp Starter of occupant crash protection device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19849079A1 (en) * 1998-10-24 2000-04-27 Bayerische Motoren Werke Ag Process for disarming pyrotechnic actuators in a vehicle
JP4266357B2 (en) * 2004-03-29 2009-05-20 三菱電機株式会社 In-vehicle electronic control unit

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1129003A (en) * 1997-05-15 1999-02-02 Toyota Motor Corp Starting device of occupant protective device
JPH11301390A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301391A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301388A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
JPH11301387A (en) * 1998-04-24 1999-11-02 Keihin Corp Air bag disposal device
WO2004087468A1 (en) * 2003-04-01 2004-10-14 Robert Bosch Gmbh Control unit for a restraint system
JP2006256371A (en) * 2005-03-15 2006-09-28 Toyota Motor Corp Starter of occupant crash protection device

Also Published As

Publication number Publication date
JP5468086B2 (en) 2014-04-09
JPWO2011062044A1 (en) 2013-04-04
CN102666211B (en) 2014-09-17
CN102666211A (en) 2012-09-12

Similar Documents

Publication Publication Date Title
CN111164577B (en) Vehicle-mounted electronic control device and abnormal time processing method thereof
EP2221724B1 (en) Vehicular Memory Management Apparatus
JP2012060841A (en) Electronic control device for vehicle
JP6139386B2 (en) Programmable controller
US9654047B2 (en) Drive device
US9778642B2 (en) Protection unit for a programmable data-processing system
JP5468086B2 (en) Program execution disable method, program storage method and airbag control device
ITMI20001380A1 (en) PROCEDURE AND DEVICE FOR CHANGING THE MEMORY CONTENT OF CONTROL DEVICES.
US7263421B2 (en) Control unit for a restraint system
JP2002323902A (en) Electronic controller
JP2007066021A (en) External data falsification detecting device and method
JP2012183877A (en) Detection processing device of vehicle occupant protection system
WO2019064644A1 (en) Electronic control device and control program verification method
US20220300612A1 (en) Security processing device
JP2016126692A (en) Electronic control device
JP2009289049A (en) Memory control device
JP6714950B2 (en) Control device for vehicle generator
CN114077729A (en) Accelerated verification of automotive software in a vehicle
KR101233591B1 (en) Tuning protection method and apparatus for electronic control unit
JP4708088B2 (en) Failure recovery method and microcomputer
JP4955417B2 (en) Memory check system for electronic control unit
KR102465668B1 (en) Apparatus for operating air-bag of vehicle
JP2020030589A (en) Control device
JP7423959B2 (en) vehicle reprogramming system
JP7176444B2 (en) VEHICLE ELECTRONIC CONTROLLER, DEMAND DEVICE, AND FAULT DETECTION SYSTEM

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201080052705.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10831439

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011541867

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10831439

Country of ref document: EP

Kind code of ref document: A1