WO2013073009A1 - Microcomputer system and monitoring microcomputer

Info

Publication number
WO2013073009A1
Authority
WO
WIPO (PCT)
Prior art keywords
microcomputer
monitoring
monitored
breakpoint
value
Prior art date
Application number
PCT/JP2011/076310
Other languages
French (fr)
Japanese (ja)
Inventor
本谷 謙治
Original Assignee
トヨタ自動車株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by トヨタ自動車株式会社
Priority to PCT/JP2011/076310
Publication of WO2013073009A1

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/36 Preventing errors by testing or debugging software > G06F11/362 Software debugging
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents

Definitions

  • The present invention relates to a microcomputer system having a monitored microcomputer with a debug port and a monitoring microcomputer connected via the debug port.
  • With a watchdog timer it can be confirmed that the periodic task is being executed, but the code coverage of the software is low.
  • The lockstep method requires two or more CPUs having the same performance, which increases costs.
  • Patent Document 2 discloses a monitoring method in which a monitoring unit poses a test problem to the monitored CPU and monitors the arithmetic function of the CPU based on the answer to that problem.
  • Patent Document 3 discloses an abnormality monitoring method in which the CPU of the monitoring microcomputer monitors whether there is any contradiction in the control of the main microcomputer and determines whether there is an abnormality.
  • However, the monitoring method disclosed in Patent Document 2 or 3 is insufficient as a monitoring method for a microcomputer that executes a program.
  • With the monitoring method of Patent Document 2, only calculation results can be compared, so it can only be confirmed that the code used for the calculation executes normally.
  • Patent Document 3 does not describe how to determine whether or not there is a contradiction in the control. If "contradiction in control" means a version difference between the monitoring microcomputer and the monitored microcomputer, it is not sufficient as a monitoring method for the monitoring microcomputer.
  • An object of the present invention is to provide a microcomputer system that monitors a microcomputer with improved code coverage at a low cost.
  • The present invention is an in-vehicle microcomputer system having a monitored microcomputer with a debug port and a monitoring microcomputer connected via the debug port. The monitoring microcomputer has a breakpoint registration table in which a plurality of breakpoints are registered in advance, and a first transmission means for transmitting the breakpoints of the breakpoint registration table to the monitored microcomputer. The monitored microcomputer has a register that stores the breakpoints received from the monitoring microcomputer, and a second transmission means for transmitting the value of the program counter to the monitoring microcomputer when a breakpoint stored in the register coincides with the program counter of the monitored microcomputer.
  • FIG. 1 is an example of a diagram illustrating schematic features of the microcomputer system of the present embodiment.
  • The microcomputer system 200 includes a monitored microcomputer 50 and a monitoring microcomputer 100, and the monitoring microcomputer 100 is connected to the debug port 20 of the monitored microcomputer 50. Since the monitoring microcomputer 100 communicates through the debug port 20 of the monitored microcomputer 50, occupying a general-purpose port of the monitored microcomputer 50 for monitoring is avoided. Moreover, the debug port 20, which has conventionally been left unused after development, can be put to use. One feature of the monitoring microcomputer 100 is that its price is lower than that of the monitored microcomputer 50.
  • The monitoring microcomputer 100 monitors the monitored microcomputer 50 mainly by two methods.
  • Monitoring by breakpoints (1-1)
  • The monitoring microcomputer 100 sets several breakpoints in the debug port 20 (FIG. 1A). A breakpoint is the address of an instruction executed by the monitored microcomputer 50. As a breakpoint, for example, the instruction immediately before control of an actuator is set in advance. In addition, breakpoints are set at the entry / exit of the functions of the main flow, for the flow determination that decides whether or not the system is in a steady state.
  • The debug port 20 monitors the address of the instruction executed by the monitored microcomputer 50 through the PC (Program Counter) 34, and transmits the value of the PC 34 to the monitoring microcomputer 100 when it matches a breakpoint (FIG. The monitored microcomputer 50 stops its operation when it reaches the breakpoint.
  • The monitoring microcomputer 100 requests the values of one or more variables that the monitored microcomputer 50 uses for the calculation target, based on the value of the PC 34. When the values are acquired, it checks whether or not each value is abnormal (FIG. 1 (c)). That is, it determines whether the values of the variables are within the assumed range at the stage of calculation target, calculation progress, and calculation result. (1-4) Upon confirming that there is no abnormality, the monitoring microcomputer 100 permits the debug port 20 to resume operation (FIG. 1 (d)). The monitored microcomputer 50 restarts operation from the interrupted instruction.
  • For regular (periodic) monitoring, the monitoring microcomputer 100 mainly monitors whether the transition of the PC 34 of the monitored microcomputer 50 is appropriate. There are two methods for periodic monitoring, either of which may be adopted. (i) The monitoring microcomputer 100 sets a cycle time in the debug port 20. The debug port 20 reads the PC 34 of the monitored microcomputer 50 every cycle time and transmits it to the monitoring microcomputer 100. (ii) The monitoring microcomputer 100 periodically requests the PC 34 from the debug port 20. The debug port 20 reads the PC 34 of the monitored microcomputer 50 and transmits it to the monitoring microcomputer 100 in response to each request.
  • Since the monitoring microcomputer 100 can acquire the PC 34 periodically, it can monitor whether or not the change in the PC 34 is within the assumed range.
  • Since the microcomputer system 200 of the present embodiment monitors the monitored microcomputer 50 through the debug port 20, the debug port 20 is not wasted. Since the performance of the monitoring microcomputer 100 may be lower than that of the monitored microcomputer 50, the cost can be greatly reduced compared with the lockstep method. In addition, by setting appropriate breakpoints, a microcomputer already mounted on the vehicle can be monitored in the same way as in debugging, so the instruction execution history can be monitored and abnormalities in important variables can be detected.
  • FIG. 2 shows an example of a schematic configuration diagram of the microcomputer system 200.
  • the same components as those in FIG. This figure explains the schematic functions of the monitored microcomputer 50 and the monitoring microcomputer 100.
  • The monitored microcomputer 50 mainly executes a function for monitoring whether or not a breakpoint has been reached (whether an event has occurred), a function for interpreting commands transmitted from the monitoring microcomputer 100, a function executed when a breakpoint is reached, and a function for reading a variable from the RAM.
  • the monitoring microcomputer 100 mainly has a function of determining whether or not the value transition of the PC 34 of the monitored microcomputer 50 is appropriate, a function of determining whether or not the variable is an abnormal value, and the like.
  • the value of the PC 34 and the value of the variable are mainly transmitted from the monitored microcomputer 50 to the monitoring microcomputer 100 as monitoring data.
  • Control data including a command is mainly transmitted from the monitoring microcomputer 100 to the monitored microcomputer 50, and a breakpoint is set as an example.
  • FIG. 3 shows an example of a schematic block diagram of the microcomputer system 200.
  • The monitoring microcomputer 100 includes a CPU 44, a ROM 45, a RAM 46, an INTC 41, and a DMAC 43 connected to a bus 47, and an I/O port 42 connected to the DMAC 43.
  • The I/O port 42 is connected to the debug port 20 of the monitored microcomputer 50 by serial communication.
  • As the serial communication method, for example, UART and I2C are known, but communication may be performed by any standard.
  • Control data or monitoring data can be transmitted once a transmission request has first been made to the partner, between the port 23 and the I/O port 42.
  • Alternatively, the port 23 and the I/O port 42 may give the transmission right to each other every predetermined time.
  • The monitoring microcomputer 100 is a microcomputer whose performance is equal to or lower than that of the monitored microcomputer 50, and it can be purchased at a lower price than the monitored microcomputer 50. This is because the monitoring microcomputer 100 only needs the functions for monitoring the monitored microcomputer 50; it does not need to control on-vehicle devices such as the engine, the electric steering, and the brake hydraulic pressure with high accuracy.
  • For example, if the monitored microcomputer 50 has a 32-bit CPU core 31, the CPU 44 of the monitoring microcomputer 100 may be 16-bit, and if the monitored microcomputer 50 is multi-core, the monitoring microcomputer 100 may be single-core. If the clock frequency of the monitored microcomputer 50 is 1 GHz, the clock frequency of the monitoring microcomputer 100 may be, for example, 0.5 GHz. If the memory capacity of the monitored microcomputer 50 is 2 Gbytes, that of the monitoring microcomputer 100 may be 1 Gbyte, and if the process generation of the monitored microcomputer 50 is 40 nm, that of the monitoring microcomputer 100 may be 100 nm. Since the price of a microcomputer also depends on the sales method and the lot quantity, the performance difference is not the sole determinant of the price.
  • the CPU 44 performs processing necessary for monitoring the monitored microcomputer 50 by executing a program stored in the ROM 45. As will be described later, the monitoring microcomputer 100 is activated before the monitored microcomputer 50 and makes various settings in the debug port 20.
  • the RAM 46 is a working memory when the CPU 44 executes a program.
  • When the CPU 44 transmits control data to the debug port 20, it records the control data in the RAM 46 and requests the DMAC 43 to transmit it, specifying the address of the control data in the RAM and the debug port 20 as the destination. The DMAC 43 then reads the control data from the RAM 46 and sets it in the I/O port 42. The I/O port 42 establishes communication with the port 23 and transmits the control data.
  • When the I/O port 42 receives monitoring data from the debug port 20, it requests the DMAC 43 to store the monitoring data in the RAM 46.
  • the I / O port 42 notifies the INTC 41 of reception of monitoring data.
  • the INTC 41 interrupts the CPU 44 in consideration of the priority of the interrupt and notifies the reception of the monitoring data.
  • the CPU 44 detects the interruption, interrupts the processing so far, reads the monitoring data from the RAM 46, and performs necessary processing.
  • the debug port 20 of the monitored microcomputer 50 includes a port 23, a control unit 22, a buffer 21, a timer 24, and a breakpoint register 25.
  • The monitored microcomputer 50 includes a CPU core 31 and a RAM; the other components of the microcomputer (ROM, INTC, bridge circuit, DMA controller, AD converter, etc.) are omitted from the figure.
  • the CPU core 31 has a PC 34, an ALU 35, and a register 36.
  • the CPU core 31 outputs the address of an instruction stored in the PC 34 to an address bus and reads a program from the ROM 32.
  • the CPU core 31 reads and writes data of variables and parameters from the RAM (or cache) 33 by designating an address.
  • the bus 38 connecting the CPU core 31 and the ROM 32 or RAM 33 is monitored by the control unit 22 so that the control unit 22 can obtain at least the value of the PC 34.
  • The control unit 22 can also output an address to the bus 38 and read the data (a variable) at a desired address from the RAM 33.
  • the buffer 21 is a memory that temporarily stores control data transmitted from the monitoring microcomputer 100 and that temporarily stores monitoring data transmitted from the debug port 20 to the monitoring microcomputer 100.
  • the timer 24 notifies the control unit 22 that the cycle time has elapsed.
  • The cycle time is set by the control unit 22 according to an instruction from the monitoring microcomputer 100. When the monitoring microcomputer 100 instead periodically requests the PC 34 from the debug port 20 itself, the timer 24 is unnecessary.
  • the breakpoint register 25 is a set of a plurality of registers for setting several breakpoints.
  • the breakpoint register 25 has, for example, about ten to several hundred registers.
  • Each register stores an address (break point) of an instruction executed by the monitored microcomputer 50.
  • FIG. 4A is an example of a diagram for schematically explaining the control data.
  • The control data is, for example, 32 bits long and has a command part and a parameter part.
  • A command is set in the command part, and an address or a timer value is set in the parameter part; the parameter part may also be left empty.
  • The commands include, for example, a command for setting the breakpoint register, a command for setting the timer, a command for requesting the PC value, a command for requesting a RAM value, a command for requesting interruption, and a command for requesting restart.
  • The control unit 22 reads the control data transmitted from the monitoring microcomputer 100 out of the buffer 21 and extracts, for example, several bits from the head of the control data as the command part. Various processes are performed according to the result of analyzing the command part.
  • When the command is a command for storing a breakpoint in the breakpoint register 25, the control unit 22 sets the parameter part in the breakpoint register 25.
  • When the command is a command for setting the timer, the control unit 22 sets the parameter part in the timer 24.
  • When the command requests the value of the PC 34, the control unit 22 acquires the value of the PC 34, stores it in the buffer 21, and transmits it to the monitoring microcomputer 100 when the transmission right is obtained. When the command requests a value in the RAM 33, the control unit 22 reads the data (the value of the variable) from the address of the RAM 33 specified by the parameter part, stores it in the buffer 21, and transmits it to the monitoring microcomputer 100 when the transmission right is obtained.
  • Further, the control unit 22 compares the value of the PC 34 with the value of each of the breakpoint registers 25; when the two coincide, it acquires the value of the PC 34, stores it in the buffer 21, and transmits it to the monitoring microcomputer 100 when the transmission right is obtained.
  • In this way the monitoring microcomputer 100 knows the address of the instruction currently being executed by the monitored microcomputer 50, and can therefore perform processing such as requesting the value of the RAM 33.
  • The control unit 22 interrupts the processing of the CPU core 31 when the value of the PC 34 coincides with a breakpoint. Specifically, execution of the CPU core 31 is interrupted by stopping the supply of the clock signal, which is done by switching the interruption signal line 26 from Low to High. The interruption is canceled by switching from High to Low, and execution resumes.
  • Alternatively, the processing may be interrupted by software, by causing the CPU core 31 to execute an instruction such as NOP (No Operation).
  • FIG. 4B is an example of a diagram schematically illustrating the monitoring data.
  • The monitoring data is divided into, for example, a data ID part and a data part.
  • In the data part, the value of the PC 34 or the value of a variable is stored.
  • The data ID is identification information indicating whether the value of the PC 34 or the value of a variable is stored in the data part.
  • The data ID may also identify whether a value of the PC 34 was sent because of the timer 24 (periodic transmission) or because a breakpoint was reached.
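The control data of FIG. 4A, the monitoring data of FIG. 4B, and the command handling of the control unit 22 can be modelled compactly. The following C program is an added example written for this page, not code from the patent or from its applicant: the 4-bit command field, the command codes, the data ID codes, the 16-entry breakpoint register and the word-addressed 64-word RAM are assumptions chosen for illustration. It shows the debug-port side: decoding one 32-bit control word, refusing an out-of-range RAM address, and halting the core (interruption signal line 26 High) when the observed PC 34 matches a registered breakpoint.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed layout of the 32-bit control data: top 4 bits = command part,
 * low 28 bits = parameter part (address or timer value). */
#define CMD_SHIFT  28u
#define PARAM_MASK 0x0FFFFFFFu

enum cmd {                       /* command codes are assumptions */
    CMD_SET_BREAKPOINT = 1, CMD_SET_TIMER, CMD_REQ_PC, CMD_REQ_RAM,
    CMD_HALT, CMD_RESUME
};

/* Data ID codes for the monitoring data (assumed values). */
enum data_id { ID_PC_PERIODIC = 1, ID_PC_BREAKPOINT, ID_VARIABLE };

struct monitoring_data { uint8_t id; uint32_t value; };

static inline uint32_t encode_ctrl(enum cmd c, uint32_t param) {
    return ((uint32_t)c << CMD_SHIFT) | (param & PARAM_MASK);
}
static inline enum cmd ctrl_cmd(uint32_t w)     { return (enum cmd)(w >> CMD_SHIFT); }
static inline uint32_t ctrl_param(uint32_t w)   { return w & PARAM_MASK; }

/* Simulated state of debug port 20 plus the parts of the monitored side it sees. */
#define NUM_BP    16
#define RAM_WORDS 64
struct debug_port {
    uint32_t bp_reg[NUM_BP];  /* breakpoint register 25 */
    int      bp_count;
    uint32_t cycle_time;      /* setting of timer 24 */
    bool     halt_line_high;  /* interruption signal line 26 */
    uint32_t pc;              /* latest value of PC 34 seen on bus 38 */
    uint32_t ram[RAM_WORDS];  /* RAM 33, word addressed (constructed) */
};

/* Control unit 22: decode one control word and act on it.  Returns true and
 * fills *out when the command produces monitoring data for the monitor. */
bool handle_control(struct debug_port *dp, uint32_t word, struct monitoring_data *out) {
    uint32_t p = ctrl_param(word);
    switch (ctrl_cmd(word)) {
    case CMD_SET_BREAKPOINT:
        if (dp->bp_count < NUM_BP) dp->bp_reg[dp->bp_count++] = p;
        return false;
    case CMD_SET_TIMER:
        dp->cycle_time = p;
        return false;
    case CMD_REQ_PC:
        out->id = ID_PC_PERIODIC; out->value = dp->pc;
        return true;
    case CMD_REQ_RAM:
        if (p >= RAM_WORDS) return false;       /* refuse an address outside RAM 33 */
        out->id = ID_VARIABLE; out->value = dp->ram[p];
        return true;
    case CMD_HALT:   dp->halt_line_high = true;  return false;
    case CMD_RESUME: dp->halt_line_high = false; return false;
    default:         return false;               /* unknown command: ignore */
    }
}

/* Called for every new PC value on bus 38: compare with each breakpoint; on a
 * match stop the core and report the PC tagged with the breakpoint data ID. */
bool observe_pc(struct debug_port *dp, uint32_t pc, struct monitoring_data *out) {
    dp->pc = pc;
    for (int i = 0; i < dp->bp_count; i++) {
        if (dp->bp_reg[i] == pc) {
            dp->halt_line_high = true;
            out->id = ID_PC_BREAKPOINT; out->value = pc;
            return true;
        }
    }
    return false;
}

int main(void) {
    struct debug_port dp = {0};
    struct monitoring_data md;
    handle_control(&dp, encode_ctrl(CMD_SET_BREAKPOINT, 0x1234), &md);
    dp.ram[5] = 77;
    if (observe_pc(&dp, 0x1234, &md))
        printf("breakpoint hit at 0x%08x, core halted=%d\n", md.value, dp.halt_line_high);
    if (handle_control(&dp, encode_ctrl(CMD_REQ_RAM, 5), &md))
        printf("variable at word 5 = %u\n", md.value);
    handle_control(&dp, encode_ctrl(CMD_RESUME, 0), &md);
    printf("core halted after resume=%d\n", dp.halt_line_high);
    return 0;
}
```

The bounds check in CMD_REQ_RAM is the one addition a practitioner would insist on: the debug port reads any address the monitor names, so a corrupted or malformed control word must not turn into an out-of-range read on the monitored side.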
  • FIG. 5 is an example of a functional block diagram of the monitoring microcomputer 100.
  • the monitoring microcomputer 100 includes a start control unit 51, a procedure control unit 52, a command generation unit 53, a PC determination unit 54, a PC recording unit 60, an address conversion unit 55, and a variable check unit 56 as functional blocks. Further, the PC determination unit 54 can access the PC history table 57, and the address conversion unit 55 can access the BP corresponding address table 59.
  • the procedure control unit 52 controls the overall operation of the monitoring microcomputer 100.
  • the procedure control unit 52 causes the activation control unit 51 to activate the monitored microcomputer 50. Since the monitoring microcomputer 100 monitors the monitored microcomputer 50 in the microcomputer system 200, it is preferable that the monitoring microcomputer 100 is activated before the monitored microcomputer 50. For this reason, when the reset terminal of the monitoring microcomputer 100 becomes Low due to IG-ON or the like, the monitoring microcomputer 100 is activated first, and the monitored microcomputer 50 is activated with the permission of the monitoring microcomputer 100. For example, the activation control unit 51 activates the monitored microcomputer 50 by setting a reset terminal of the monitored microcomputer 50 to Low.
  • Alternatively, a delay circuit that counts the time needed for the monitoring microcomputer 100 to become active may be provided, so that the monitored microcomputer 50 does not start until the delay circuit has counted this time after the reset terminal becomes Low.
  • The example in the figure is for the case where the monitoring microcomputer 100 permits the start of the monitored microcomputer 50; the activation control unit 51 may be unnecessary.
  • The procedure control unit 52 performs the process of setting breakpoints in the breakpoint register 25 of the monitored microcomputer 50. For this purpose, it requests the command generation unit 53 to transmit the value of the PC 34 (the breakpoint) to the debug port 20.
  • The monitoring microcomputer 100 has the BP correspondence address table 59 in advance. In it, values of the PC 34 and variable addresses are stored in association with each other. Each value of the PC 34 is a breakpoint.
  • The breakpoint is, for example, the value of the PC 34 immediately after activation of the monitored microcomputer 50, or the value of the PC 34 immediately before the monitored microcomputer 50 executes an important process.
  • The PC 34 value "0x00000000" is the value of the PC 34 immediately after startup, because a microcomputer normally executes its program from the beginning (zero) of the address space.
  • The variable address associated with a value of the PC 34 is the RAM address, or the register number of the CPU core 31, where the variable to be monitored is stored when the monitored microcomputer 50 executes the instruction at that PC 34.
  • The command generation unit 53 sets the command requesting a setting of the breakpoint register 25 in the command part, sets the value of the PC 34 read from the BP correspondence address table 59 in the parameter part, and transmits the control data to the debug port 20. This is repeated for all values of the PC 34 in the BP correspondence address table 59.
  • Thus the control unit 22 of the debug port 20 can set all the PC 34 values of the BP correspondence address table 59 in the breakpoint register 25.
  • Periodic monitoring may be requested by the monitoring microcomputer 100 each time, or the timer 24 may be used for it.
  • When the timer 24 is used, the procedure control unit 52 requests the command generation unit 53 to transmit the set value (cycle time) of the timer 24 to the debug port 20.
  • After starting, the monitored microcomputer 50 executes the control program for the in-vehicle device.
  • The control unit 22 transmits the value of the PC 34 at that time to the monitoring microcomputer 100.
  • The procedure control unit 52 outputs the value of the PC 34 to the PC recording unit 60 and the PC determination unit 54.
  • The PC recording unit 60 stores past values of the PC 34 in the PC history table 57 in time series. When the storage area is exhausted, the oldest entry is overwritten.
  • The PC determination unit 54 refers to the PC determination table 58 to determine whether or not the value transition of the PC 34 is normal.
  • When the monitoring microcomputer 100 requests the PC value itself, the procedure control unit 52 counts the elapse of the cycle period and requests the command generation unit 53 to ask the debug port 20 for the value of the PC 34. Since the control unit 22 transmits the value of the PC 34 at that time, the procedure control unit 52 outputs the value of the PC 34 to the PC recording unit 60 and the PC determination unit 54.
  • The PC recording unit 60 stores past values of the PC 34 in the PC history table 57 in time series.
  • The PC determination unit 54 refers to the PC determination table 58 to determine whether or not the transition of the PC 34 is normal. The normality of the transition of the PC 34 may be determined by any method.
  • The PC determination unit 54 has criteria (determination logic) prepared in advance for determining whether or not the transition of the value of the PC 34 is normal.
  • The program executed by the monitored microcomputer 50 is fixed in the ROM 32 (unlike a general personal computer, new programs are rarely installed). For this reason, although the value of the PC 34 changes within a cycle period, the next possible value is limited to a certain range.
  • The PC determination unit 54 holds, as determination logic, the range in which the value of the PC 34 changes in normal operation. Since it is difficult to record the normal transition destination for every value of the PC 34, the addresses of the instructions executed by the monitored microcomputer 50 (the values the PC can take) are divided into several areas (areas A to E), and it is determined whether or not the transition between areas is normal.
  • For example, the PC determination unit 54 holds the following determination logic.
    - After area A, transition to area B or area C.
    - After area A, do not transition to area E.
    - After area C, always transition to area D.
  • The PC determination unit 54 therefore determines the area of the immediately preceding value of the PC 34 recorded in the PC history table 57 and the area of the latest value of the PC 34, and determines whether or not the transition of the value of the PC 34 is normal based on whether or not these criteria are met.
  • When an abnormality is detected in the transition of the PC 34, the monitoring microcomputer 100 preserves the PC history table 57 so that it is not overwritten. In this case monitoring is continued further, and if an abnormality is detected again (or more than once) in the transition of the value of the PC 34, the monitored microcomputer 50 is reset. Alternatively, since an abnormal transition of the PC 34 may also make the value of a variable abnormal, the monitored microcomputer 50 may be reset when an abnormality of a variable is detected.
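The area-based determination logic above, the PC history table 57 that stops being overwritten after the first anomaly, and the "reset on a repeated anomaly" policy can be written as one small checker on the monitoring side. The C code below is an added example for this page, not the patent's own code: the address ranges of areas A to E, the 8-entry history, and the entries of the transition matrix that the page does not state (remaining in the same area is treated as allowed, and the transitions out of B, D and E are invented for the example) are assumptions; only the three rules quoted from the page are taken from it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Areas A..E of the monitored program's address space (constructed layout). */
enum region { REG_A, REG_B, REG_C, REG_D, REG_E, REG_NONE, REG_COUNT = REG_NONE };

static const struct { uint32_t lo, hi; enum region r; } region_map[] = {
    {0x00000000, 0x00000FFF, REG_A},   /* startup code, PC 34 = 0 after reset */
    {0x00001000, 0x00001FFF, REG_B},
    {0x00002000, 0x00002FFF, REG_C},
    {0x00003000, 0x00003FFF, REG_D},
    {0x00004000, 0x00004FFF, REG_E},
};

enum region region_of(uint32_t pc) {
    for (size_t i = 0; i < sizeof region_map / sizeof region_map[0]; i++)
        if (pc >= region_map[i].lo && pc <= region_map[i].hi) return region_map[i].r;
    return REG_NONE;                      /* PC outside the program: never normal */
}

/* PC determination table 58 as an allowed-transition matrix [from][to].
 * Rows A and C encode the page's rules (A -> B or C only, never A -> E,
 * C -> D always); the other rows are assumptions for this example. */
static const bool allowed[REG_COUNT][REG_COUNT] = {
    /* to:   A      B      C      D      E   */
    /* A */ {true,  true,  true,  false, false},
    /* B */ {false, true,  true,  true,  false},
    /* C */ {false, false, true,  true,  false},
    /* D */ {true,  false, false, true,  true },
    /* E */ {true,  false, false, false, true },
};

bool transition_ok(uint32_t prev_pc, uint32_t cur_pc) {
    enum region from = region_of(prev_pc), to = region_of(cur_pc);
    if (from == REG_NONE || to == REG_NONE) return false;
    return allowed[from][to];
}

/* PC history table 57 (ring buffer) plus the anomaly bookkeeping. */
#define HIST_LEN 8
struct pc_monitor {
    uint32_t hist[HIST_LEN];
    int      count, next;
    bool     history_frozen;   /* page: keep the history once an anomaly is seen */
    bool     have_last;
    uint32_t last_pc;
    int      anomalies;        /* abnormal transitions seen so far */
    int      reset_threshold;  /* reset the monitored side when reached */
};

/* Feed one received PC 34 value.  Returns 0 = normal, 1 = abnormal transition
 * recorded (history now frozen), 2 = threshold reached, reset monitored microcomputer. */
int pc_monitor_feed(struct pc_monitor *m, uint32_t pc) {
    int result = 0;
    bool abnormal = m->have_last && !transition_ok(m->last_pc, pc);
    if (!m->history_frozen) {             /* PC recording unit 60 */
        m->hist[m->next] = pc;
        m->next = (m->next + 1) % HIST_LEN;
        if (m->count < HIST_LEN) m->count++;
    }
    if (abnormal) {                       /* PC determination unit 54 */
        m->anomalies++;
        m->history_frozen = true;         /* preserve the evidence for analysis */
        result = (m->anomalies >= m->reset_threshold) ? 2 : 1;
    }
    m->last_pc = pc; m->have_last = true;
    return result;
}

int main(void) {
    struct pc_monitor m = {0};
    m.reset_threshold = 2;
    const uint32_t trace[] = {0x0000, 0x1000, 0x4000, 0x0000, 0x3000}; /* constructed */
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("pc=0x%04x -> %d\n", trace[i], pc_monitor_feed(&m, trace[i]));
    return 0;
}
```

Two details matter for a defender: the anomalous PC value is written into the history before the table is frozen, so the frozen table ends with the offending sample, and a PC outside every known area is reported as abnormal rather than silently accepted.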
  • The control unit 22 of the debug port 20 transmits the value of the PC 34 to the monitoring microcomputer 100 when the value of the PC 34 of the monitored microcomputer 50 matches the value stored in any of the registers of the breakpoint register 25.
  • The procedure control unit 52 can thus acquire from the debug port 20 the value of the PC 34 that is a breakpoint.
  • The procedure control unit 52 determines, from the data ID part of the monitoring data, whether the value of the PC 34 comes from periodic monitoring by the timer 24 or from passing a breakpoint.
  • Alternatively, the procedure control unit 52 may always request address conversion from the address conversion unit 55 when a value of the PC 34 is received. As described below, the address conversion unit 55 can then detect that the PC 34 value is registered in the BP correspondence address table 59 and conclude that it is not from periodic monitoring.
  • When the procedure control unit 52 acquires from the debug port 20 a value of the PC 34 due to passing a breakpoint, it outputs it to the address conversion unit 55.
  • The address conversion unit 55 searches the BP correspondence address table 59 for the received value of the PC 34 and reads the variable addresses associated with the matching PC 34 value. For example, when the breakpoint PC 34 value is "0x00000000", the variable addresses are "addresses A, B, C".
  • the address conversion unit 55 sends the variable address to the procedure control unit 52.
  • The procedure control unit 52 requests the command generation unit 53 to generate a command requesting the value of the variable stored at the variable address in the RAM 33. The command generation unit 53 therefore transmits to the debug port 20, as one set of control data, a command part holding the command that requests a value stored in the RAM 33 and a parameter part holding the variable address. If there are three variable addresses, all of addresses A, B, and C are transmitted to the debug port 20.
  • the control unit 22 of the debug port 20 reads the values of the variables stored in the addresses A, B, and C of the RAM 33 from the RAM 33 and transmits them to the monitoring microcomputer 100.
  • the procedure control unit 52 sends the received variable value and the PC 34 already acquired as a breakpoint to the variable check unit 56.
  • the variable check unit 56 checks whether or not the value of the variable is valid.
  • the check method can be changed according to the value of the PC 34 associated with the variable address. For example, the variable check unit 56 performs the following check on the variable in the PC 34 corresponding to the break point immediately before the actuator control.
  • This steering angle is a value detected by the sensor because of the X-By-Wire system in which the steering angle of the steering wheel of the driver is detected and the actuator drives the steering shaft. If the steering angle is not correctly detected, the actuator cannot be steered to an appropriate angle, so at least two sensors detect the steering angle.
  • the G sensor for detecting the establishment of the airbag deployment condition is the same.
  • the airbag deployment ECU determines whether or not the airbag should be deployed by combining the detection results of signals from a plurality of G sensors that detect deceleration in the same direction in order to suppress erroneous deployment.
  • the monitoring microcomputer 100 determines whether or not the sensor values of a plurality of sensors arranged to detect an important physical quantity substantially match, so that all the sensors can correctly detect the physical quantity. Can be confirmed. (ii) When the variable acquired from the monitoring microcomputer 50 includes a result of midway calculation using the sensor value, the variable check unit 56 determines whether the midway calculation result is correct. That is, the variable check unit 56 uses the same calculation process as that of the monitored microcomputer 50 to determine whether the calculation results up to the middle are equal. (iii) When the variable acquired from the monitoring microcomputer 50 includes a final calculation result for controlling the actuator, the variable check unit 56 determines whether the calculation result is correct. That is, the variable check unit 56 uses the same calculation process as that of the monitored microcomputer 50 to determine whether or not the final calculation results are equal.
  • variable check unit 56 increases the calculation load of the variable check unit 56, so it is not necessary to perform exactly the same calculation as the monitored microcomputer 50. For example, it is effective to reduce the load by performing only integer arithmetic. It is. Thereby, calculation time can be shortened.
  • variable check unit 56 checks whether the variable including the calculation result is not converted into an abnormal value that is not possible as the control value of the actuator without performing the verification of (ii) and (iii). Good. In this case, the load on the monitoring microcomputer 100 can be greatly reduced.
  • the history of the same variable may be checked. For example, when the monitored microcomputer 50 periodically acquires the steering angle from the sensor due to a timer interruption, there should be an upper limit on the amount of fluctuation of the steering angle within a predetermined time. Therefore, it can be determined that a control amount that has changed beyond this upper limit is an abnormal value. When making this determination, the variable check unit 56 holds the value of the last acquired variable.
  • ⁇ Breakpoints are embedded before the actuator is activated, so malfunctions can be prevented. Further, it is possible to operate the actuator while monitoring from the outside whether there is a failure of the monitored microcomputer 50. In other words, in general debugging, the operation of the monitored microcomputer 50 is stopped and the actuator is moved while confirming the operation.
  • the monitoring of this embodiment is the actuator operation and real-time (minimum allowable from actuator operation request to operation execution). Within a limited time). For this reason, more stable actuator control is realizable.
  • The procedure control unit 52 sets breakpoints at the entry and exit of the functions of the main flow (for example, the start address of a function or the instructions just before and after it, the last address of a function or the instructions around it, the instructions before and after the return instruction, and so on), so that the monitoring microcomputer 100 can detect that a function has been entered or exited when a breakpoint is passed.
  • The monitoring microcomputer 100 can determine whether the monitored microcomputer 50 is in a steady state, in which the functions are executed almost periodically, from whether the passage of these breakpoints is detected almost periodically.
  • The procedure control unit 52 then performs, for example, the following processing.
  • A. When the variable check unit 56 does not detect any abnormality in the variable, it notifies the procedure control unit 52 of that fact.
  • The procedure control unit 52 then requests the command generation unit 53 to generate a command for cancelling the interruption.
  • The command generation unit 53 sets the command for cancelling the interruption in the command part (and sets nothing in the parameter part) and transmits the command to the debug port 20.
  • The control unit 22 does not refer to the parameter part for this command and sets the interruption signal line 26 to Low, so the monitored microcomputer 50 resumes the processing that was interrupted by passing the breakpoint.
  • B. When the variable check unit 56 detects an abnormality in the variable, it notifies the procedure control unit 52 to that effect.
  • The procedure control unit 52 requests the command generation unit 53 to generate a command requesting the same variable in the RAM 33 again, so the monitoring microcomputer 100 acquires the value of the variable once more and the variable check unit 56 performs the same check. If the variable check unit 56 still detects an abnormality after n attempts (two or three), the monitoring microcomputer 100 judges that the monitored microcomputer 50 is abnormal and resets it.
  • FIG. 6 is an example of a sequence diagram for explaining the operation procedure of the microcomputer system 200.
  • The procedure in FIG. 6 starts, for example, when the ignition is switched on (IG-ON) or, in the case of an electric or hybrid vehicle, when the main system is turned on.
  • the monitoring microcomputer 100 is activated (S10).
  • The activation control unit 51 of the monitoring microcomputer 100 permits the monitored microcomputer 50 to start, or the monitored microcomputer 50 starts with a delay produced by its own delay circuit (S210).
  • The procedure control unit 52 of the monitoring microcomputer 100 establishes communication with the debug port 20 of the monitored microcomputer 50 (S20). It is more effective if the monitoring microcomputer 100 also requests the debug port 20 to interrupt operation at this point: the control unit 22 then sets the interruption signal line 26 to High, the CPU core 31 stops, and the monitoring microcomputer 100 can reliably set the breakpoints while it is stopped.
  • The procedure control unit 52 requests the command generation unit 53 to set the breakpoints, whereupon the command generation unit 53 transmits all the PC 34 values registered in the BP correspondence address table 59 to the debug port 20 (S30).
  • the procedure control unit 52 requests the command generation unit 53 to transmit a command for canceling the interruption.
  • the command generation unit 53 transmits a command for canceling the interruption (S40).
  • the control unit 22 of the debug port 20 sets the interruption signal line 26 to Low, so that the CPU core 31 starts operation.
  • When the monitored microcomputer 50 starts executing its program, the control unit 22 periodically transmits the value of the PC 34 (S220).
  • the PC recording unit 60 registers the value of the PC 34 received from the debug port 20 in the PC history table 57.
  • The PC determination unit 54 refers to the PC determination table 58 and determines from the received value of the PC 34 whether the transition of the PC 34 is normal (S50). The same applies to the periodic monitoring in steps S230 and S60.
  • An interrupt preceding actuator control is generated in the CPU core 31 (S240), for example a timer interrupt by which the monitored microcomputer 50 periodically acquires a sensor value (for example the steering angle).
  • In the interrupt handler the monitored microcomputer 50 acquires the sensor value, performs its calculation, and stores the sensor value and the calculation result in the RAM 33 as variable values.
  • the control unit 22 of the debug port 20 detects that the value of the PC 34 of the CPU core 31 matches the value of the breakpoint register 25, and transmits the value of the PC 34 to the monitoring microcomputer 100 (S250).
  • In FIG. 6 the PC 34 and the variable are transmitted at the same time; the variable may instead be transmitted after a request is received from the monitoring microcomputer 100, but transmitting both together shortens the processing time.
  • Because the control unit 22 sets the interruption signal line 26 to High when the breakpoint is passed, the CPU core 31 of the monitored microcomputer 50 stops operating (S260).
  • The variable check unit 56 of the monitoring microcomputer 100 checks the variable (S70). If there is no abnormality in the variable, the procedure control unit 52 cancels the interruption (S80); the control unit 22 then sets the interruption signal line 26 to Low, so the CPU core 31 can resume operation.
  • the monitored microcomputer 50 controls the actuator by resuming the operation (S270).
  • the monitoring microcomputer 100 and the monitored microcomputer 50 repeat the above processing.
  • In this way the microcomputer system 200 monitors the monitored microcomputer 50 using the debug port 20, which was conventionally left unused after development, so the debug port 20 is not wasted. Since the performance of the monitoring microcomputer 100 may be lower than that of the monitored microcomputer 50, cost can be greatly reduced compared with the lockstep method.
  • The monitored microcomputer 50 controls the actuator only after the monitoring microcomputer 100 has confirmed that there is no abnormality in the variables. It is therefore possible to reliably prevent the actuator from being controlled with an inappropriate calculation result caused by a sensor or RAM abnormality.
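The variable check and the retry rule described above, as an added worked example in C that is not part of the patent: it models the variable check unit 56 (sensor agreement, range, integer re-computation of the midway and final results, and the history check on the steering angle) and the rule of procedure control unit 52 that the variable is re-read n times before the monitored microcomputer is reset. The struct layout, the limits, the proportional gain and the sample readings are assumptions, and the RAM read command is replaced by a replay callback so that the example runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Variables read from RAM 33 at the breakpoint placed before actuator
 * control.  Layout and units are assumptions. */
typedef struct {
    int32_t sensor_a;   /* steering angle, sensor A, in 0.1 degree */
    int32_t sensor_b;   /* redundant sensor B, same unit */
    int32_t filtered;   /* midway result: average of the two sensors */
    int32_t cmd;        /* final result: actuator command */
} monitored_vars_t;

typedef enum { CHECK_OK, CHECK_SENSOR_MISMATCH, CHECK_OUT_OF_RANGE,
               CHECK_MIDWAY_MISMATCH, CHECK_FINAL_MISMATCH, CHECK_RATE_EXCEEDED } check_t;

/* Assumed limits: sensor agreement, physical range, command range, maximum
 * change per timer tick, and n (number of reads before a reset). */
enum { SENSOR_TOL = 5, ANGLE_MAX = 7200, CMD_MAX = 1000, MAX_DELTA = 200, MAX_RETRIES = 3 };

typedef struct { bool have_last; int32_t last_filtered; } history_t;

/* Integer-only re-computation of the monitored side's arithmetic; the patent
 * allows a cheaper calculation than the one on the monitored microcomputer. */
static int32_t recompute_filtered(int32_t a, int32_t b) { return (a + b) / 2; }
static int32_t recompute_cmd(int32_t filtered)
{
    int32_t c = filtered / 8;                      /* assumed proportional gain */
    return c > CMD_MAX ? CMD_MAX : c < -CMD_MAX ? -CMD_MAX : c;
}

/* Variable check unit 56: sensor agreement (i), range, midway result (ii),
 * final result (iii) and the history check.  The stored history advances
 * only when a value is accepted, so a rejected read cannot poison it. */
check_t variable_check(const monitored_vars_t *v, history_t *h)
{
    if (abs(v->sensor_a - v->sensor_b) > SENSOR_TOL)                 return CHECK_SENSOR_MISMATCH;
    if (abs(v->sensor_a) > ANGLE_MAX || abs(v->cmd) > CMD_MAX)       return CHECK_OUT_OF_RANGE;
    if (v->filtered != recompute_filtered(v->sensor_a, v->sensor_b)) return CHECK_MIDWAY_MISMATCH;
    if (v->cmd != recompute_cmd(v->filtered))                        return CHECK_FINAL_MISMATCH;
    if (h->have_last && abs(v->filtered - h->last_filtered) > MAX_DELTA) return CHECK_RATE_EXCEEDED;
    h->have_last = true;
    h->last_filtered = v->filtered;
    return CHECK_OK;
}

/* Procedure control unit 52 at a breakpoint: on an abnormal value the same
 * variables are requested from RAM 33 again, up to MAX_RETRIES reads in
 * total; the first clean read cancels the interruption, otherwise the
 * monitored microcomputer is reset. */
typedef enum { ACTION_RESUME, ACTION_RESET } action_t;
typedef void (*read_vars_fn)(void *ctx, monitored_vars_t *out);

action_t on_breakpoint(read_vars_fn read_vars, void *ctx, history_t *h)
{
    monitored_vars_t v;
    for (int attempt = 0; attempt < MAX_RETRIES; attempt++) {
        read_vars(ctx, &v);
        if (variable_check(&v, h) == CHECK_OK) return ACTION_RESUME;
    }
    return ACTION_RESET;
}

/* --- constructed sample reads and drivers standing in for the RAM request command --- */
typedef struct { const monitored_vars_t *seq; int n, i; } replay_t;
static void replay_read(void *ctx, monitored_vars_t *out)
{
    replay_t *r = ctx;                  /* the last element repeats once the sequence is used up */
    *out = r->seq[r->i < r->n ? r->i : r->n - 1];
    r->i++;
}
action_t run_breakpoint(const monitored_vars_t *reads, int n)
{
    replay_t r = { reads, n, 0 };
    history_t h = { false, 0 };
    return on_breakpoint(replay_read, &r, &h);
}
/* One read per breakpoint passage through a shared history; first failure wins. */
check_t run_ticks(const monitored_vars_t *ticks, int n)
{
    history_t h = { false, 0 };
    for (int i = 0; i < n; i++) {
        check_t c = variable_check(&ticks[i], &h);
        if (c != CHECK_OK) return c;
    }
    return CHECK_OK;
}

const monitored_vars_t GOOD         = { 1000, 1002, 1001, 125 };
const monitored_vars_t BITFLIP      = { 1000, 1002, 1001, 0x7FFF };   /* cmd corrupted in RAM */
const monitored_vars_t STUCK_B      = { 1000,  300,  650,  81 };      /* sensor B stuck low */
const monitored_vars_t TRANSIENT[]  = { { 1000, 1002, 1001, 0x7FFF }, { 1000, 1002, 1001, 125 } };
const monitored_vars_t PERSISTENT[] = { { 1000, 1002, 1001, 0x7FFF } };
const monitored_vars_t JUMP[]       = { { 1000, 1002, 1001, 125 }, { 1500, 1500, 1500, 187 } }; /* 50 deg in one tick */

int main(void)
{
    printf("transient fault:  %s\n", run_breakpoint(TRANSIENT, 2) == ACTION_RESUME ? "resume" : "reset");
    printf("persistent fault: %s\n", run_breakpoint(PERSISTENT, 1) == ACTION_RESUME ? "resume" : "reset");
    printf("jump between ticks: check result %d\n", (int)run_ticks(JUMP, 2));
    return 0;
}
```

Two design points worth noting: the history baseline is advanced only by an accepted read, so a rejected value can never become the reference for the next rate check; and the retry re-reads the whole variable set rather than one field, because a RAM fault that corrupts the command word may just as well have corrupted the inputs it was computed from.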

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention is a vehicle-equipped microcomputer system (200) which has a monitored microcomputer (50) which has a debug port, and a monitoring microcomputer (100) connected via the debug port. The monitoring microcomputer has a breakpoint registration table (59) in which a plurality of breakpoints has been registered beforehand, and first transmission means (53) for transmitting the breakpoints in the breakpoint registration table to the monitored microcomputer. The monitored microcomputer has: a register (25) which stores the breakpoints received from the monitoring microcomputer; and second transmission means (23) for, if a program counter (34) of the monitored microcomputer and a breakpoint stored in the register match, transmitting the value of the program counter to the monitoring microcomputer.

Description

Microcomputer system, monitoring microcomputer
The present invention relates to a microcomputer system having a monitored microcomputer with a debug port and a monitoring microcomputer connected through that debug port.
To improve fuel efficiency, reduce the driver's burden, improve safety and so on, vehicles carry many electronic control units built around microcomputers. Because these controls are lost when a microcomputer fails, techniques for monitoring the operating state of a microcomputer and guaranteeing its operation have been adopted: for example, a watchdog timer that confirms the CPU is operating normally by requiring periodic timer resets (see, for example, Patent Document 1), and the lockstep method, in which two or more CPUs are mounted and their calculation results compared.
However, a watchdog timer can only confirm that a periodic task is running, so its coverage of the software code is low, and the lockstep method requires two or more CPUs of identical performance, which increases cost.
A technique for monitoring a CPU at lower cost than lockstep has also been proposed (see, for example, Patent Document 2). Patent Document 2 discloses a monitoring method in which a monitoring unit poses test problems to the monitored CPU and monitors the CPU's arithmetic function from the answers.
A technique in which a monitored microcomputer and a monitoring microcomputer are arranged so that the monitoring microcomputer monitors the monitored microcomputer is also known (see Patent Document 3). Patent Document 3 discloses an abnormality monitoring method in which the CPU of the monitoring microcomputer determines whether an abnormality exists by monitoring that no contradiction arises in the control of the main microcomputer.
However, the monitoring methods disclosed in Patent Documents 2 and 3 are insufficient for monitoring a microcomputer that executes a program. For example, the method of Patent Document 2 can only compare calculation results, which shows no more than that the code used for the calculation is capable of executing normally.
The abnormality monitoring function of Patent Document 3 does not describe concretely how it is determined that no contradiction has arisen in the control. If a "control contradiction" merely means a difference between the program versions of the monitored and monitoring microcomputers, that alone is insufficient as a monitoring method.
It is therefore desirable to improve code coverage beyond a watchdog timer at a cost lower than lockstep. During the development of a CPU or program, the instructions executed by the CPU are sometimes traced (a history of the executed instructions is listed). This reveals whether processing branched when a condition was met, the addresses of the instructions executed after the branch, and so on, so the developer can tell whether the CPU and program are performing the intended processing.
However, until now the only monitoring method able to verify execution results at the instruction level while the microcomputer is installed in a vehicle has been the lockstep method, and no method of improving code coverage at low cost has been established.
JP 2004-280783 A, JP 2010-128627 A, JP 2007-092621 A
In view of the above problems, an object of the present invention is to provide a microcomputer system that monitors a microcomputer with improved code coverage at low cost.
The present invention is an in-vehicle microcomputer system having a monitored microcomputer with a debug port and a monitoring microcomputer connected through the debug port, in which the monitoring microcomputer has a breakpoint registration table in which a plurality of breakpoints are registered in advance and first transmission means for transmitting the breakpoints in the breakpoint registration table to the monitored microcomputer, and the monitored microcomputer has a register that stores the breakpoints received from the monitoring microcomputer and second transmission means for transmitting the value of the program counter to the monitoring microcomputer when the program counter of the monitored microcomputer matches a breakpoint stored in the register.
According to the present invention, a microcomputer system that monitors a microcomputer with improved code coverage at low cost can be provided.
FIG. 1 is an example of a diagram explaining the schematic features of the microcomputer system. FIG. 2 is an example of a schematic configuration diagram of the microcomputer system. FIG. 3 is an example of a schematic block diagram of the microcomputer system. FIG. 4 is an example of a diagram schematically explaining the control data and the monitoring data. FIG. 5 is an example of a functional block diagram of the monitoring microcomputer. FIG. 6 is an example of a sequence diagram explaining the operation procedure of the microcomputer system.
20 debug port; 22 control unit; 23 port; 24 timer; 25 breakpoint register; 26 interruption signal line; 34 program counter; 50 monitored microcomputer; 100 monitoring microcomputer; 200 microcomputer system
Embodiments for carrying out the present invention are described below with reference to the drawings.
FIG. 1 is an example of a diagram explaining the schematic features of the microcomputer system of this embodiment. The microcomputer system 200 has a monitored microcomputer 50 and a monitoring microcomputer 100, and the monitoring microcomputer 100 is connected to the debug port 20 of the monitored microcomputer 50. Because the monitoring microcomputer 100 communicates through the debug port 20, occupying a general-purpose port of the monitored microcomputer 50 for monitoring is avoided, and the debug port 20, which was conventionally left unused after development, is put to use. One feature of the monitoring microcomputer 100 is that it is a cheaper microcomputer than the monitored microcomputer 50.
The monitoring microcomputer 100 monitors the monitored microcomputer 50 mainly in two ways.
(1) Monitoring by breakpoints
(1-1) The monitoring microcomputer 100 sets several breakpoints in the debug port 20 (FIG. 1(a)). A breakpoint is the address of an instruction executed by the monitored microcomputer 50; for example, the instruction immediately before actuator control is set in advance. Breakpoints are also set at the entry and exit of the functions of the main flow, for the flow determination that decides whether the microcomputer is in a steady state.
(1-2) The debug port 20 monitors the address of the instruction being executed by the monitored microcomputer 50 through the PC (program counter) 34 and, when it matches a breakpoint, transmits the value of the PC 34 to the monitoring microcomputer 100 (FIG. 1(b)). The monitored microcomputer 50 suspends operation on reaching the breakpoint.
(1-3) Based on the value of the PC 34, the monitoring microcomputer 100 requests the values of one or more variables that the monitored microcomputer 50 uses as calculation inputs and the like. Having obtained them, it checks whether any variable holds an abnormal value (FIG. 1(c)); that is, it determines whether the values of the variables lie within the expected range at the stages of calculation input, intermediate result and final result.
(1-4) On confirming that there is no abnormality, the monitoring microcomputer 100 permits the debug port 20 to resume operation (FIG. 1(d)), and the monitored microcomputer 50 resumes from the instruction at which it was suspended.
(2) Periodic monitoring
The monitoring microcomputer 100 mainly monitors whether the transitions of the PC 34 of the monitored microcomputer 50 are plausible. There are two methods of periodic monitoring, either of which may be adopted.
(i) The monitoring microcomputer 100 sets a cycle time in the debug port 20.
In this case, the debug port 20 reads the PC 34 of the monitored microcomputer 50 every cycle time and transmits it to the monitoring microcomputer 100.
(ii) The monitoring microcomputer 100 periodically requests the PC 34 from the debug port 20.
In this case, the debug port 20 reads the PC 34 of the monitored microcomputer 50 in response to each request from the monitoring microcomputer 100 and transmits it.
In either form the monitoring microcomputer 100 obtains the PC 34 periodically, so it can monitor whether the changes in the PC 34 are within the expected range.
In this way, the microcomputer system 200 of this embodiment monitors the monitored microcomputer 50 using the debug port 20, so the debug port 20 is not wasted. Since the performance of the monitoring microcomputer 100 may be lower than that of the monitored microcomputer 50, cost can be greatly reduced compared with the lockstep method. Further, by setting appropriate breakpoints, a microcomputer already installed in a vehicle can be monitored in the same way as during debugging: the instruction execution history can be monitored and abnormalities in important variables detected.
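The periodic PC monitoring of (2) and the steady-state judgement from the main-flow breakpoints, as an added example in C that is not part of the patent. The memory map, the PC determination table (here a table of allowed caller/callee pairs among the main-flow functions whose entry and exit carry breakpoints), the period and its tolerance, and the two sample traces are all constructed. The code models the PC history table as a ring buffer, the transition judgement of the PC determination unit, and the judgement that passages of the main-loop entry breakpoint are arriving regularly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t start, end; const char *name; } func_t;
static const func_t FUNCS[] = {            /* assumed layout of the monitored program */
    { 0x1000, 0x10FF, "main_loop"      },
    { 0x1100, 0x11FF, "read_sensors"   },
    { 0x1200, 0x12FF, "compute_cmd"    },
    { 0x1300, 0x13FF, "drive_actuator" },
    { 0x2000, 0x20FF, "flash_writer"   },  /* present in ROM, never called from the main flow */
};
enum { NFUNCS = sizeof FUNCS / sizeof FUNCS[0], F_UNKNOWN = -1 };

/* PC determination table: the only caller/callee pairs of the main flow. */
typedef struct { int from, to; } edge_t;
static const edge_t EDGES[] = { {0, 1}, {0, 2}, {0, 3} };
enum { NEDGES = sizeof EDGES / sizeof EDGES[0] };

int func_of(uint32_t pc)
{
    for (int i = 0; i < NFUNCS; i++)
        if (pc >= FUNCS[i].start && pc <= FUNCS[i].end) return i;
    return F_UNKNOWN;
}
static bool edge_allowed(int a, int b)        /* a call (a->b) or the return along it (b->a) */
{
    for (int i = 0; i < NEDGES; i++)
        if ((EDGES[i].from == a && EDGES[i].to == b) || (EDGES[i].from == b && EDGES[i].to == a))
            return true;
    return false;
}

enum { HISTORY_LEN = 16, STEADY_WINDOW = 4, PERIOD_MS = 10, TOL_MS = 2 };
typedef struct {
    uint32_t pc[HISTORY_LEN]; unsigned head, count;   /* PC history table (ring buffer) */
    int last_func;
    uint32_t last_t, interval[STEADY_WINDOW]; unsigned n_intervals; bool have_t;
} pc_monitor_t;

void pc_monitor_init(pc_monitor_t *m) { *m = (pc_monitor_t){ .last_func = F_UNKNOWN }; }

/* Periodic PC sample: record it and judge the transition from the previous
 * sample.  Returns false for a PC outside known code or a jump that is not
 * in the table. */
bool pc_monitor_sample(pc_monitor_t *m, uint32_t pc)
{
    m->pc[m->head] = pc;
    m->head = (m->head + 1) % HISTORY_LEN;
    if (m->count < HISTORY_LEN) m->count++;
    int f = func_of(pc);
    if (f == F_UNKNOWN) return false;
    bool ok = m->last_func == F_UNKNOWN || f == m->last_func || edge_allowed(m->last_func, f);
    m->last_func = f;
    return ok;
}

/* Breakpoint at the main_loop entry passed at time t_ms: the monitored
 * microcomputer is judged to be in steady state once the last STEADY_WINDOW
 * intervals all lie within PERIOD_MS +/- TOL_MS. */
bool pc_monitor_entry_passed(pc_monitor_t *m, uint32_t t_ms)
{
    if (m->have_t) m->interval[m->n_intervals++ % STEADY_WINDOW] = t_ms - m->last_t;
    m->have_t = true;
    m->last_t = t_ms;
    if (m->n_intervals < STEADY_WINDOW) return false;
    for (int i = 0; i < STEADY_WINDOW; i++)
        if (m->interval[i] + TOL_MS < PERIOD_MS || m->interval[i] > PERIOD_MS + TOL_MS) return false;
    return true;
}

/* --- constructed traces and drivers --- */
int count_abnormal(const uint32_t *trace, int n)
{
    pc_monitor_t m; pc_monitor_init(&m);
    int bad = 0;
    for (int i = 0; i < n; i++) if (!pc_monitor_sample(&m, trace[i])) bad++;
    return bad;
}
bool steady_after(const uint32_t *times_ms, int n)
{
    pc_monitor_t m; pc_monitor_init(&m);
    bool steady = false;
    for (int i = 0; i < n; i++) steady = pc_monitor_entry_passed(&m, times_ms[i]);
    return steady;
}
const uint32_t TRACE_NORMAL[] = { 0x1004, 0x1010, 0x1104, 0x1020, 0x1204, 0x1030, 0x1304, 0x1040 };
const uint32_t TRACE_BAD[]    = { 0x1004, 0x1104, 0x1204, 0x2004, 0x3000 }; /* skipped return, rogue call, unknown code */
const uint32_t TIMES_STEADY[] = { 0, 10, 21, 30, 40 };
const uint32_t TIMES_JITTER[] = { 0, 10, 25, 30, 40 };

int main(void)
{
    printf("normal trace: %d abnormal transitions\n", count_abnormal(TRACE_NORMAL, 8));
    printf("bad trace:    %d abnormal transitions\n", count_abnormal(TRACE_BAD, 5));
    printf("steady: %d, jitter: %d\n", steady_after(TIMES_STEADY, 5), steady_after(TIMES_JITTER, 5));
    return 0;
}
```

Periodic sampling only sees the function the PC happens to be in at each sample, so a short call that begins and returns between two samples is invisible to the transition check; that is the gap the breakpoints at function entry and exit close, and the reason the two methods are used together rather than either alone.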
[Configuration example]
FIG. 2 shows an example of a schematic configuration diagram of the microcomputer system 200. In FIG. 2, components identical to those in FIG. 1 carry the same reference numerals and their description is omitted. The figure explains the schematic functions of the monitored microcomputer 50 and the monitoring microcomputer 100.
The monitored microcomputer 50 mainly has a function of monitoring whether a breakpoint has been reached (whether an event has occurred), a function of interpreting commands transmitted from the monitoring microcomputer 100, a function of suspending execution when a breakpoint is reached, and a function of reading variables from RAM.
The monitoring microcomputer 100 mainly has a function of determining whether the transitions of the value of the PC 34 of the monitored microcomputer 50 are appropriate, a function of determining whether a variable holds an abnormal value, and the like.
From the monitored microcomputer 50 to the monitoring microcomputer 100, mainly the value of the PC 34 and the values of variables are transmitted as monitoring data. From the monitoring microcomputer 100 to the monitored microcomputer 50, mainly control data containing commands is transmitted; setting a breakpoint is one example.
FIG. 3 shows an example of a schematic block diagram of the microcomputer system 200. The monitoring microcomputer 100 has a CPU 44, ROM 45, RAM 46, INTC 41 and DMAC 43 connected to a bus 47, and an I/O port 42 connected to the DMAC 43. The I/O port 42 is connected to the debug port 20 of the monitored microcomputer 50 by serial communication. UART and I2C are known communication methods, for example, but any standard may be used. With a single-wire link, whichever of the port 23 and the I/O port 42 first issues a transmission request to the other can send its control data or monitoring data; alternatively, the port 23 and the I/O port 42 may hand the right to transmit to each other at fixed intervals.
The monitoring microcomputer 100 is a microcomputer whose performance is at most equal to that of the monitored microcomputer 50 and which can be purchased more cheaply. This is because the monitoring microcomputer 100 only needs the functions required to monitor the monitored microcomputer 50 and need not control in-vehicle devices such as the engine, electric steering or brake hydraulics with high precision.
To name some of the performance factors that determine price (the reference numerals fix which microcomputer is meant): if the monitored microcomputer 50 has a 32-bit CPU core 31, a 16-bit CPU 44 suffices for the monitoring microcomputer 100; if the monitored microcomputer 50 is multi-core, the monitoring microcomputer 100 may be single-core; if the clock frequency of the monitored microcomputer 50 is 1 GHz, that of the monitoring microcomputer 100 may be 0.5 GHz, for example; if the memory capacity of the monitored microcomputer 50 is 2 Gbyte, that of the monitoring microcomputer 100 may be 1 Gbyte; and if the process generation of the monitored microcomputer 50 is 40 nm, that of the monitoring microcomputer 100 may be 100 nm. Since the price of a microcomputer also depends on the sales method and lot size, the performance difference is not decisive for price.
The CPU 44 performs the processing needed to monitor the monitored microcomputer 50 by executing a program stored in the ROM 45. As described later, the monitoring microcomputer 100 starts before the monitored microcomputer 50 and makes various settings in the debug port 20. The RAM 46 is the working memory of the CPU 44 while it executes the program.
When the CPU 44 transmits control data to the debug port 20, it writes the control data into the RAM 46 and requests the DMAC 43 to transmit the data at that RAM address to the debug port 20. The DMAC 43 reads the control data from the RAM 46 and places it in the I/O port 42, which establishes communication with the port 23 and transmits it.
When the I/O port 42 receives monitoring data from the debug port 20, it requests the DMAC 43 to store the data in the RAM 46 and notifies the INTC 41 of the reception. The INTC 41 interrupts the CPU 44, taking interrupt priorities into account, to signal that monitoring data has arrived; the CPU 44 detects the interrupt, suspends its current processing, reads the monitoring data from the RAM 46 and performs the necessary processing.
The debug port 20 of the monitored microcomputer 50 has a port 23, a control unit 22, a buffer 21, a timer 24 and a breakpoint register 25. Besides the debug port 20, the monitored microcomputer 50 has a CPU core 31 and RAM; the rest of the microcomputer (ROM, INTC, bridge circuit, DMA controller, A/D converter and so on) is omitted.
The CPU core 31 has a PC 34, an ALU 35 and registers 36. In general, the CPU core 31 places the instruction address held in the PC 34 on the address bus and reads the program from the ROM 32, and reads and writes variable and parameter data in the RAM (or cache) 33 by specifying addresses. The bus 38 connecting the CPU core 31 with the ROM 32 and RAM 33 is monitored by the control unit 22, which can at least obtain the value of the PC 34; the control unit 22 can also place an address on the bus 38 and read the data (a variable) at any desired address from the RAM 33.
The buffer 21 is a memory that temporarily stores control data transmitted from the monitoring microcomputer 100 and monitoring data that the debug port 20 transmits to the monitoring microcomputer 100. The timer 24 notifies the control unit 22 when the cycle time has elapsed; the cycle time is set by the control unit 22 on instruction from the monitoring microcomputer 100. When the monitoring microcomputer 100 instead periodically requests the PC 34 from the debug port 20 itself, the timer 24 is unnecessary.
The breakpoint register 25 is a set of registers for setting several breakpoints, for example on the order of ten to several hundred registers, each holding the address (breakpoint) of an instruction executed by the monitored microcomputer 50.
[Functions of the control unit for control data; monitoring data]
FIG. 4(a) schematically illustrates the control data. Control data is, for example, 32 bits long and has a command part and a parameter part. A command is set in the command part, and an address or a timer value is set in the parameter part, although the parameter part may also be left empty. The commands include, for example, a command to set the breakpoint register, a command to set the timer, a command requesting the PC value, a command requesting a RAM value, a command requesting interruption and a command requesting resumption.
The control unit 22 reads the control data sent by the monitoring microcomputer 100 from the buffer 21 and extracts, for example, the first few bits as the command part, then acts according to the decoded command. For a command storing a breakpoint in the breakpoint register 25, the control unit 22 writes the parameter part into the breakpoint register 25; for a command setting the cycle time of the timer 24, it writes the parameter part into the timer 24.
For a command requesting the value of the PC 34, the control unit 22 reads the PC 34, stores the value in the buffer 21 and transmits it to the monitoring microcomputer 100 once it obtains the right to transmit. For a command requesting a value from the RAM 33, the control unit 22 reads the data (the variable's value) at the RAM 33 address given in the parameter part, stores it in the buffer 21 and likewise transmits it when it obtains the right to transmit.
When the timer 24 signals that the cycle time has elapsed, the control unit 22 reads the value of the PC 34, stores it in the buffer 21 and transmits it to the monitoring microcomputer 100 when it obtains the right to transmit. The control unit 22 also compares the PC 34 with each register of the breakpoint register 25 and, on a match, captures the value of the PC 34, stores it in the buffer 21 and transmits it when it obtains the right to transmit.
 これにより、監視マイコン100は、被監視マイコン50が現在実行している命令のアドレスが分かるので、RAM33の値を要求するなどの処理が可能になる。 
 なお、制御部22は、PC34の値がブレイクポイントと一致すると、CPUコア31の処理を中断させる。具体的には中断信号線26をLowからHighに切り換えることでクロック信号の供給を停止するなどしてCPUコア31の実行を中断させる。また、HighからLowに切り換えることで中断を解除して、実行を再開させる。この他、CPUコア31にNOP(Non Operation)などの命令を実行させるソフト的な処理により処理を中断してもよい。
As a result, the monitoring microcomputer 100 knows the address of the instruction currently being executed by the monitored microcomputer 50, and thus can perform processing such as requesting the value of the RAM 33.
In addition, the control part 22 will interrupt the process of CPU core 31, if the value of PC34 corresponds with a breakpoint. Specifically, the execution of the CPU core 31 is interrupted by stopping the supply of the clock signal by switching the interruption signal line 26 from Low to High. Moreover, the interruption is canceled by switching from High to Low, and execution is resumed. In addition, the processing may be interrupted by software processing that causes the CPU core 31 to execute an instruction such as NOP (Non Operation).
 図4(b)は、監視データを模式的に説明する図の一例である。監視データは、例えば、データID部とデータ部に区分されている。データ部には、PC34の値や変数の値が格納される。データIDは、データ部に、PC34の値又は変数の値のどちらが格納されているかを識別する識別情報である。このデータ部に格納されたデータの識別の他、PC34の値がタイマ24の割込み(定期送信)によるものか、ブレイクポイントの到達によるものかを、データIDで識別してもよい。 FIG. 4B is an example of a diagram schematically illustrating the monitoring data. The monitoring data is divided into, for example, a data ID part and a data part. In the data part, the value of the PC 34 and the value of the variable are stored. The data ID is identification information for identifying whether the value of the PC 34 or the value of the variable is stored in the data part. In addition to the identification of the data stored in the data part, it may be identified by the data ID whether the value of the PC 34 is due to the interruption (periodic transmission) of the timer 24 or the arrival of the breakpoint.
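The following is an added C simulation of the control unit 22 of the debug port 20 as described above; it is not code from the patent. The 4-bit command / 28-bit parameter split of the 32-bit control data, the command numbering, the data ID values and the register and RAM sizes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed layout of the 32-bit control data: the top 4 bits form the
 * command part, the remaining 28 bits the parameter part (an assumption;
 * the text only says "the first few bits" are the command). */
#define CMD_SHIFT  28u
#define PARAM_MASK 0x0FFFFFFFu

enum cmd {
    CMD_SET_BP = 1,   /* store parameter in a breakpoint register        */
    CMD_SET_TIMER,    /* store parameter as the periodic cycle time      */
    CMD_REQ_PC,       /* send the current PC                             */
    CMD_REQ_RAM,      /* send the RAM value at the parameter address     */
    CMD_INTERRUPT,    /* drive interruption line High (stop the core)    */
    CMD_RESTART       /* drive interruption line Low (resume)            */
};

/* Data ID part of the monitoring data (constructed values). */
enum data_id { ID_PC_PERIODIC = 1, ID_PC_BREAKPOINT, ID_VARIABLE };

struct monitor_data { uint8_t id; uint32_t value; };

#define N_BP     4
#define RAM_SIZE 16

struct debug_port {
    uint32_t bp[N_BP];      /* breakpoint register 25 */
    int      n_bp;
    uint32_t cycle_time;    /* timer 24 setting, 0 = disabled */
    uint32_t ticks;
    bool     halt_line;     /* interruption signal line 26: true = High */
    uint32_t pc;            /* mirror of PC 34 */
    uint32_t ram[RAM_SIZE]; /* RAM 33 */
};

static inline uint32_t make_control(enum cmd c, uint32_t param) {
    return ((uint32_t)c << CMD_SHIFT) | (param & PARAM_MASK);
}

/* Control unit 22: decode one control word. Returns 1 if a monitoring
 * record was produced in *out, 0 otherwise. */
int dp_handle_control(struct debug_port *dp, uint32_t word, struct monitor_data *out) {
    enum cmd c = (enum cmd)(word >> CMD_SHIFT);
    uint32_t param = word & PARAM_MASK;
    switch (c) {
    case CMD_SET_BP:
        if (dp->n_bp < N_BP) dp->bp[dp->n_bp++] = param;
        return 0;
    case CMD_SET_TIMER:
        dp->cycle_time = param; dp->ticks = 0;
        return 0;
    case CMD_REQ_PC:
        out->id = ID_PC_PERIODIC; out->value = dp->pc;
        return 1;
    case CMD_REQ_RAM:
        if (param >= RAM_SIZE) return 0;   /* refuse out-of-range reads */
        out->id = ID_VARIABLE; out->value = dp->ram[param];
        return 1;
    case CMD_INTERRUPT:
        dp->halt_line = true;  return 0;
    case CMD_RESTART:
        dp->halt_line = false; return 0;
    default:
        return 0;                          /* unknown command: ignored */
    }
}

/* One execution cycle of the monitored core: PC 34 advances to new_pc
 * unless the core is halted. Emits a breakpoint record (and halts the
 * core) when PC matches a register, else a periodic record when the
 * timer expires. Returns 1 if *out was filled. */
int dp_step(struct debug_port *dp, uint32_t new_pc, struct monitor_data *out) {
    if (dp->halt_line) return 0;           /* clock stopped, nothing happens */
    dp->pc = new_pc;
    for (int i = 0; i < dp->n_bp; i++) {
        if (dp->bp[i] == dp->pc) {
            dp->halt_line = true;          /* Low -> High: suspend CPU core 31 */
            out->id = ID_PC_BREAKPOINT; out->value = dp->pc;
            return 1;
        }
    }
    if (dp->cycle_time && ++dp->ticks >= dp->cycle_time) {
        dp->ticks = 0;
        out->id = ID_PC_PERIODIC; out->value = dp->pc;
        return 1;
    }
    return 0;
}
```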
[Detailed functions of monitoring microcomputer 100]
FIG. 5 is an example of a functional block diagram of the monitoring microcomputer 100. The monitoring microcomputer 100 has, as functional blocks, a start control unit 51, a procedure control unit 52, a command generation unit 53, a PC determination unit 54, a PC recording unit 60, an address conversion unit 55 and a variable check unit 56. The PC determination unit 54 can access the PC history table 57, and the address conversion unit 55 can access the BP correspondence address table 59.
The procedure control unit 52 controls the overall operation of the monitoring microcomputer 100. When start-up of the monitoring microcomputer 100 is complete, the procedure control unit 52 has the start control unit 51 start the monitored microcomputer 50. Because in the microcomputer system 200 the monitoring microcomputer 100 monitors the monitored microcomputer 50, it is preferable that the monitoring microcomputer 100 starts before the monitored microcomputer 50. Therefore, when the reset terminal of the monitoring microcomputer 100 goes Low due to IG-ON or the like, the monitoring microcomputer 100 starts first and the monitored microcomputer 50 starts with the permission of the monitoring microcomputer 100. For example, the start control unit 51 starts the monitored microcomputer 50 by driving the reset terminal of the monitored microcomputer 50 Low. Alternatively, a delay circuit that counts a time long enough for the monitoring microcomputer 100 to start may be provided, so that the monitored microcomputer 50 does not begin starting until the delay circuit has counted this time after its reset terminal goes Low. The figure shows the case in which the monitoring microcomputer 100 permits the start of the monitored microcomputer 50; in some cases the start control unit 51 is unnecessary.
Next, the procedure control unit 52 sets breakpoints in the breakpoint register 25 of the monitored microcomputer 50. To do so, it requests the command generation unit 53 to send values of the PC 34 to the debug port 20. As illustrated, the monitoring microcomputer 100 holds a BP correspondence address table 59 in advance. In the BP correspondence address table 59, values of the PC 34 are stored in association with variable addresses. These values of the PC 34 are the breakpoints. A breakpoint is, for example, the value of the PC 34 corresponding to a point immediately after the monitoring microcomputer 100 starts, or the value of the PC 34 immediately before the monitoring microcomputer 100 executes an important process. For example, the PC 34 value "0x0000000" is the value of the PC 34 immediately after start-up, because a microcomputer normally executes its program from the first address (zero).
The variable address associated with a value of the PC 34 is the RAM address, the register number of the CPU core 31 or the like at which the variable to be monitored is stored while the monitored microcomputer 50 executes the instruction at that PC 34 value. For example, for the PC 34 value "0x0000000" the variable addresses are "addresses A, B, C". This means that when the monitored microcomputer 50 executes the instruction at PC = "0x0000000", the monitoring microcomputer 100 monitors the variables stored at "addresses A, B, C". By checking the variables immediately after start-up, it can be confirmed whether the RAM variables immediately after start-up are appropriate (whether they were rewritten during sleep).
The command generation unit 53 sets the command requesting a setting in the breakpoint register 25 in the command part and the value of the PC 34 read from the BP correspondence address table 59 in the parameter part, and sends the control data to the debug port 20. This is repeated for every PC 34 value in the BP correspondence address table 59. The control unit 22 of the debug port 20 can thus set all the PC 34 values in the BP correspondence address table 59 in the breakpoint register 25.
<Periodic monitoring>
As described above, periodic monitoring may be performed either at the request of the monitoring microcomputer 100 or by using the timer 24. When the timer 24 is used, after setting the PC 34 values the procedure control unit 52 requests the command generation unit 53 to send the setting value of the timer 24 (the cycle time) to the debug port 20.
After start-up, the monitored microcomputer 50 executes the control program for the in-vehicle device. Each time the timer 24 counts the elapse of the cycle time, the control unit 22 sends the value of the PC 34 at that time to the monitoring microcomputer 100. The procedure control unit 52 outputs the value of the PC 34 to the PC recording unit 60 and the PC determination unit 54. The PC recording unit 60 stores the past values of the PC 34 in the PC history table 57 in time series; when the storage area is exhausted, the oldest entries are overwritten. The PC determination unit 54 refers to the PC determination table 58 to determine whether the transition of the PC 34 value is normal.
On the other hand, when the timer 24 is not used and the monitoring microcomputer 100 requests the value of the PC 34 from the debug port 20 every cycle period, the procedure control unit 52 counts the elapse of the cycle period and has the command generation unit 53 request the value of the PC 34 from the debug port 20. Since the control unit 22 sends the value of the PC 34 at that time, the procedure control unit 52 outputs it to the PC recording unit 60 and the PC determination unit 54. The PC recording unit 60 stores the past values of the PC 34 in the PC history table 57 in time series, and the PC determination unit 54 refers to the PC determination table 58 to determine whether the transition of the PC 34 is normal. Either method therefore allows the transition of the PC 34 to be judged.
The PC determination unit 54 holds in advance criteria (determination logic) for judging whether the transition of the PC 34 value is normal. The program executed by the monitoring microcomputer 100 is fixed in the ROM 32 (unlike a general personal computer, new programs are rarely installed). Therefore, the value of the PC 34 changes within a cycle period, and the next value it can take is limited to a certain range. The PC determination unit 54 holds, as determination logic, the ranges over which the PC 34 value transitions in normal operation. Since it is difficult to record the normal transition destination for each individual value of the PC 34, the addresses of the instructions the monitoring microcomputer 100 executes (the values the PC can take) are divided into several regions (regions A to E), and it is judged whether the transitions between regions are normal. The PC determination unit 54 describes determination logic such as the following:
- After region A, transition to region B or region C.
- After region A, no transition to region E.
- After region C, always transition to region D.
Therefore, the PC determination unit 54 determines the region of the immediately preceding PC 34 value recorded in the PC history table 57 and the region of the latest PC 34 value, and judges whether the transition of the PC 34 value is normal based on whether it satisfies the criteria.
Not only such transitions but also whether the value of the PC 34 itself is normal may be judged. That is, if the value of the PC 34 corresponds to an address outside the range in which the program is stored in the ROM 32 of the monitored microcomputer 50 (for example, outside A to E), the value of the PC 34 itself can be judged abnormal.
When the transition of the PC 34 value is abnormal, the monitoring microcomputer 100 preserves the PC history table so that it is not overwritten. In this case monitoring continues, and if an abnormality in the transition of the PC 34 value is detected again (or two or more times), the monitored microcomputer 50 is reset. Alternatively, since an abnormal transition of the PC 34 value means that variable values may also be abnormal, the monitored microcomputer 50 may be reset when an abnormality is detected in a variable.
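The following is an added C implementation of the PC recording unit 60 and PC determination unit 54 behaviour described above (region-based transition rules, the out-of-range check, freezing the history on the first anomaly and resetting on the second); it is not code from the patent. The address ranges of regions A to E, the rules for the regions the text leaves unconstrained, the history length and the reset threshold are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed region map of the monitored program: the text only names
 * regions A to E, the address ranges here are assumptions. */
enum region { REG_A, REG_B, REG_C, REG_D, REG_E, REG_NONE };

static const struct { uint32_t lo, hi; } region_map[] = {
    [REG_A] = { 0x0000, 0x0FFF },
    [REG_B] = { 0x1000, 0x1FFF },
    [REG_C] = { 0x2000, 0x2FFF },
    [REG_D] = { 0x3000, 0x3FFF },
    [REG_E] = { 0x4000, 0x4FFF },
};

enum region region_of(uint32_t pc) {
    for (int r = REG_A; r <= REG_E; r++)
        if (pc >= region_map[r].lo && pc <= region_map[r].hi) return (enum region)r;
    return REG_NONE;   /* outside the program storage range */
}

/* Determination logic of the PC determination table 58 as a bitmask of
 * permitted next regions. Rules from the text: after A only B or C (so
 * never E); after C always D. B, D and E are left unconstrained here,
 * which is an assumption. */
#define BIT(r) (1u << (r))
#define ANY (BIT(REG_A)|BIT(REG_B)|BIT(REG_C)|BIT(REG_D)|BIT(REG_E))
static const unsigned allowed_next[] = {
    [REG_A] = BIT(REG_B) | BIT(REG_C),
    [REG_B] = ANY,
    [REG_C] = BIT(REG_D),
    [REG_D] = ANY,
    [REG_E] = ANY,
};

#define HISTORY_LEN     8
#define RESET_THRESHOLD 2   /* second anomaly triggers the reset ("detected again") */

struct pc_monitor {
    uint32_t history[HISTORY_LEN]; /* PC history table 57, ring buffer */
    int      head;                 /* index of the next write */
    int      count;                /* number of valid entries */
    bool     frozen;               /* history preserved after an anomaly */
    bool     have_last;
    uint32_t last_pc;              /* last received PC, for the transition check */
    int      anomalies;
};

enum verdict { PC_NORMAL, PC_ABNORMAL, PC_RESET_MONITORED };

/* Record one received PC value and judge it: the value itself must lie in
 * a known region, and the region transition must be permitted. */
enum verdict pc_monitor_feed(struct pc_monitor *m, uint32_t pc) {
    enum region cur = region_of(pc);
    bool ok = (cur != REG_NONE);
    if (ok && m->have_last) {
        enum region prev = region_of(m->last_pc);
        if (prev != REG_NONE && !(allowed_next[prev] & BIT(cur))) ok = false;
    }
    if (!m->frozen) {                        /* PC recording unit 60 */
        m->history[m->head] = pc;
        m->head = (m->head + 1) % HISTORY_LEN;
        if (m->count < HISTORY_LEN) m->count++;
    }
    m->last_pc = pc;
    m->have_last = true;
    if (ok) return PC_NORMAL;
    m->frozen = true;                        /* keep the evidence unoverwritten */
    return (++m->anomalies >= RESET_THRESHOLD) ? PC_RESET_MONITORED : PC_ABNORMAL;
}
```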
<Monitoring with breakpoints>
When the value of the PC 34 of the monitored microcomputer 50 matches the value stored in any of the breakpoint registers 25, the control unit 22 of the debug port 20 sends the value of the PC 34 to the monitoring microcomputer 100. The procedure control unit 52 can thereby obtain from the debug port 20 the value of the PC 34 that is a breakpoint. The procedure control unit 52 determines from the data ID part of the monitoring data whether a PC 34 value comes from periodic monitoring by the timer 24 or from passing a breakpoint.
It is not necessary, however, to distinguish a PC 34 value from periodic monitoring from one caused by passing a breakpoint. In that case, whenever it receives a value of the PC 34, the procedure control unit 52 always requests address conversion from the address conversion unit 55. That is, as described next, the address conversion unit 55 can detect that the PC 34 value is registered in the BP correspondence address table 59 and thereby judge that the value is not from periodic monitoring.
When the procedure control unit 52 obtains from the debug port 20 a PC 34 value caused by passing a breakpoint, it outputs it to the address conversion unit 55. The address conversion unit 55 searches the BP correspondence address table 59 for the received PC 34 value and reads out the variable addresses associated with the matching PC 34 value. For example, when the breakpoint PC 34 value is "0x00000000", the variable addresses are "addresses A, B, C".
The address conversion unit 55 sends the variable addresses to the procedure control unit 52. The procedure control unit 52 requests the command generation unit 53 to generate a command requesting the value of the variable stored at this variable address in the RAM 33. The command generation unit 53 therefore sends to the debug port 20, as one set of control data, a command part holding the command that requests the value of a variable stored in the RAM 33 and a parameter part holding the variable address. If there are three variable addresses, all of the addresses A, B and C are sent to the debug port 20.
The control unit 22 of the debug port 20 thereby reads the values of the variables stored at addresses A, B and C of the RAM 33 and sends them to the monitoring microcomputer 100. The procedure control unit 52 passes the received variable values, together with the PC 34 value already obtained as the breakpoint, to the variable check unit 56. The variable check unit 56 checks whether the variable values are valid. The check method can be varied according to the PC 34 value associated with the variable addresses. For example, for the variables at the PC 34 value corresponding to the breakpoint immediately before actuator control, the variable check unit 56 performs checks such as the following.
(i) Determine whether a sensor abnormality exists by judging whether two sensor values of the same physical quantity contained in the variables (for example, the steering angle, or the G sensors for airbag deployment) are approximately equal. The steering angle here is a value detected by a sensor because of the X-By-Wire scheme, in which the steering angle of the driver's steering wheel is detected and an actuator drives the steering shaft. If the steering angle is not detected correctly the actuator cannot steer to the proper angle, so at least two sensors detect the steering angle. The same applies to the G sensors that detect whether the airbag deployment condition is satisfied: to suppress erroneous deployment, the airbag deployment ECU combines the detection results of the signals of a plurality of G sensors that detect deceleration in the same direction to judge whether the airbag should be deployed.
The monitoring microcomputer 100 of the present embodiment can confirm that all the sensors correctly detect a physical quantity by judging whether the sensor values of the plurality of sensors provided to detect an important physical quantity approximately match.
(ii) When the variables obtained from the monitored microcomputer 50 include an intermediate result computed using sensor values, the variable check unit 56 determines whether the intermediate result is correct. That is, the variable check unit 56 uses the same calculation as the monitored microcomputer 50 and determines whether the intermediate results are equal.
(iii) When the variables obtained from the monitored microcomputer 50 include the final calculation result for controlling the actuator, the variable check unit 56 determines whether this calculation result is correct. That is, the variable check unit 56 uses the same calculation as the monitored microcomputer 50 and determines whether the final calculation results are equal.
Since (ii) and (iii) increase the computational load of the variable check unit 56, it is not necessary to perform exactly the same calculation as the monitored microcomputer 50; for example, it is effective to reduce the load by performing only integer arithmetic. This shortens the calculation time.
The variable check unit 56 may also, without performing the verifications (ii) and (iii), check whether a variable containing a calculation result has been corrupted into an abnormal value that is impossible as an actuator control value. In this case the load on the monitoring microcomputer 100 can be greatly reduced.
When the verifications (ii) and (iii) are not performed, the history of the same variable may also be checked. For example, when the monitored microcomputer 50 periodically obtains the steering angle from a sensor by a timer interrupt, there should be an upper limit on how much the steering angle can change within a given time. A control quantity that has changed beyond this upper limit can therefore be judged an abnormal value. To make this judgement, the variable check unit 56 retains the last obtained value of the variable.
Because breakpoints are embedded before actuator operation, malfunctions can be prevented. The actuator can also be operated while the monitored microcomputer 50 is monitored from outside for failures. That is, in ordinary debugging the operation of the monitored microcomputer 50 is stopped and the actuator is moved while its operation is checked, whereas the monitoring of this embodiment can be performed in real time with actuator operation (within the minimum time allowed between the actuator operation request and execution of the operation). More stable actuator control can therefore be realised.
When the procedure control unit 52 sets breakpoints at, for example, the entry and exit points of the functions of the main flow (the first address of a function or just before or after it, the last address of a function or just before or after it, before or after the Return instruction, and so on), the monitoring microcomputer 100 can detect from the passage of breakpoints that a function has been entered or exited. The monitoring microcomputer 100 can, for example, judge whether the monitored microcomputer 50 is in a steady state in which it executes functions roughly periodically, based on whether the passage of breakpoints is detected roughly periodically. It can also detect frequently executed functions, the execution time of each function and the like, and thereby detect, for example, that execution is stalled in a certain function.
<Results of the abnormality check>
According to the check result of the variable check unit 56, the procedure control unit 52 performs, for example, the following processing.
A. When the variable check unit 56 detects no abnormality in the variables, it notifies the procedure control unit 52. The procedure control unit 52 requests the command generation unit 53 to generate the command that releases the suspension. The command generation unit 53 sets the command releasing the suspension in the command part (nothing is set in the parameter part) and sends it to the debug port 20. For this command the control unit 22 does not refer to the parameter part and drives the interruption signal line 26 Low. The monitored microcomputer 50 can therefore resume the processing that was suspended by passing the breakpoint.
B. When the variable check unit 56 detects an abnormality in the variables, it notifies the procedure control unit 52. The procedure control unit 52 requests the command generation unit 53 to again generate a command requesting the same variables from the RAM 33. The monitoring microcomputer 100 thus obtains the variable values again, and the variable check unit 56 performs the same check. If the variable check unit 56 still detects an abnormality after n attempts (two or three), the monitoring microcomputer 100 judges that the monitored microcomputer 50 is abnormal and performs processing such as resetting the monitored microcomputer 50.
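The following is an added C example of the variable check unit 56 (redundant-sensor comparison (i), the plausibility check on the final control value, and the history check on how far it may change per cycle) together with the retry-then-reset handling of cases A and B; it is not code from the patent. The variable layout, the 0.1-degree units, the tolerances, the attempt count n = 3 and the re-read callback are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Variables fetched from RAM 33 at the breakpoint before actuator control.
 * Field set and units (0.1 degree steps) are constructed for this example. */
struct actuator_vars {
    int32_t steer_sensor1;   /* steering angle, sensor 1 */
    int32_t steer_sensor2;   /* steering angle, redundant sensor 2 */
    int32_t steer_cmd;       /* final control value for the actuator */
};

/* Check parameters, integer only to keep the load on the monitor low. */
#define SENSOR_TOLERANCE    20    /* sensors must agree within 2.0 deg */
#define CMD_LIMIT           5400  /* +-540 deg is the largest plausible command */
#define MAX_DELTA_PER_CYCLE 300   /* more than 30 deg per cycle is implausible */

enum check_fault {
    FAULT_NONE = 0, FAULT_SENSOR_MISMATCH = 1, FAULT_CMD_RANGE = 2, FAULT_CMD_RATE = 4
};

struct variable_checker {
    bool    have_last;
    int32_t last_cmd;     /* last accepted value, kept for the history check */
};

/* Variable check unit 56: returns a bitmask of faults, FAULT_NONE if valid. */
unsigned check_variables(struct variable_checker *vc, const struct actuator_vars *v) {
    unsigned faults = FAULT_NONE;
    if (labs((long)v->steer_sensor1 - v->steer_sensor2) > SENSOR_TOLERANCE)
        faults |= FAULT_SENSOR_MISMATCH;                  /* check (i) */
    if (v->steer_cmd > CMD_LIMIT || v->steer_cmd < -CMD_LIMIT)
        faults |= FAULT_CMD_RANGE;                        /* impossible control value */
    if (vc->have_last && labs((long)v->steer_cmd - vc->last_cmd) > MAX_DELTA_PER_CYCLE)
        faults |= FAULT_CMD_RATE;                         /* history check */
    if (faults == FAULT_NONE) { vc->last_cmd = v->steer_cmd; vc->have_last = true; }
    return faults;
}

enum decision { DECIDE_RESUME, DECIDE_RESET };

/* Re-read callback standing in for "request the same variables from RAM 33
 * again"; returns false if the debug port did not answer. */
typedef bool (*fetch_fn)(void *ctx, struct actuator_vars *out);

#define MAX_ATTEMPTS 3

/* Procedure control unit 52, cases A and B: resume when a read passes the
 * check, reset after MAX_ATTEMPTS consecutive failures. *attempts receives
 * the number of reads made. */
enum decision handle_breakpoint(struct variable_checker *vc, fetch_fn fetch,
                                void *ctx, int *attempts) {
    struct actuator_vars v;
    for (int n = 1; n <= MAX_ATTEMPTS; n++) {
        *attempts = n;
        if (fetch(ctx, &v) && check_variables(vc, &v) == FAULT_NONE)
            return DECIDE_RESUME;   /* case A: release the suspension */
    }
    return DECIDE_RESET;            /* case B: still abnormal after n reads */
}

/* Constructed RAM image: snapshots returned on successive reads. */
struct ram_replay { const struct actuator_vars *snaps; int n, i; };

bool replay_fetch(void *ctx, struct actuator_vars *out) {
    struct ram_replay *r = ctx;
    if (r->i >= r->n) return false;
    *out = r->snaps[r->i++];
    return true;
}
```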
 〔動作手順〕
 図6は、マイコンシステム200の動作手順を説明するシーケンス図の一例である。図6の手順は、例えば、IG-ON又はメインシステムのオン(電気自動車やハイブリッド車の場合)によりスタートする。
[Operation procedure]
FIG. 6 is an example of a sequence diagram for explaining the operation procedure of the microcomputer system 200. The procedure in FIG. 6 starts, for example, when the IG-ON or the main system is turned on (in the case of an electric vehicle or a hybrid vehicle).
 まず、監視マイコン100が起動する(S10)。これにより、監視マイコン100の起動制御部51が被監視マイコン50の起動を許可するか、又は、被監視マイコン50の遅延回路などにより被監視マイコン50が遅れて起動する(S210)。 First, the monitoring microcomputer 100 is activated (S10). As a result, the activation control unit 51 of the monitoring microcomputer 100 permits the activation of the monitored microcomputer 50, or the monitored microcomputer 50 is activated with a delay by the delay circuit of the monitored microcomputer 50 (S210).
 監視マイコン100の手順制御部52は、被監視マイコン50のデバッグポート20と通信を確立する(S20)。この時、監視マイコン100は、デバッグポート20に動作の中断を要求しておけばさらに有効である。すなわち、制御部22は中断信号線26をHighにするので、CPUコア31の動作が停止し、その間に、監視マイコン100が確実にブレイクポイントを設定できる。 The procedure control unit 52 of the monitoring microcomputer 100 establishes communication with the debug port 20 of the monitored microcomputer 50 (S20). At this time, the monitoring microcomputer 100 is more effective if it requests the debug port 20 to interrupt the operation. That is, since the control unit 22 sets the interruption signal line 26 to High, the operation of the CPU core 31 stops, and the monitoring microcomputer 100 can reliably set a break point during that time.
 通信が確認されると、手順制御部52はコマンド生成部53に、ブレイクポイントの設定を要求する。これにより、コマンド生成部53は、BP対応アドレステーブル59のPC34の値を全てデバッグポート20に送信する(S30)。 When the communication is confirmed, the procedure control unit 52 requests the command generation unit 53 to set a breakpoint. Thereby, the command generation unit 53 transmits all the values of the PC 34 in the BP correspondence address table 59 to the debug port 20 (S30).
 手順制御部52は、コマンド生成部53に、中断を解除するコマンドを送信するよう要求する。コマンド生成部53は中断を解除するコマンドを送信する(S40)。これにより、デバッグポート20の制御部22が中断信号線26をLowにするので、CPUコア31が動作を開始する。 The procedure control unit 52 requests the command generation unit 53 to transmit a command for canceling the interruption. The command generation unit 53 transmits a command for canceling the interruption (S40). As a result, the control unit 22 of the debug port 20 sets the interruption signal line 26 to Low, so that the CPU core 31 starts operation.
 被監視マイコン50がプログラムの実行を開始すると、制御部22は定期的にPC34の値を送信する(S220)。PC記録部60はデバッグポート20から受信したPC34の値をPC履歴テーブル57に登録する。 When the monitored microcomputer 50 starts executing the program, the control unit 22 periodically transmits the value of the PC 34 (S220). The PC recording unit 60 registers the value of the PC 34 received from the debug port 20 in the PC history table 57.
 また、PC判定部54は、PC判定テーブル58を参照して、デバッグポート20から受信したPC34の値に基づきPC34の遷移が正常か否かを判定する(S50)。ステップS230,S60の定期的監視についても同様である。 Further, the PC determination unit 54 refers to the PC determination table 58 and determines whether or not the transition of the PC 34 is normal based on the value of the PC 34 received from the debug port 20 (S50). The same applies to the periodic monitoring in steps S230 and S60.
 Then, as the value of the PC 34 of the monitored microcomputer 50 approaches the breakpoint, a pre-actuator-operation interrupt occurs in the CPU core 31 (S240). This is, for example, a timer interrupt by which the monitored microcomputer 50 periodically acquires a sensor value (for example, a steering angle). In the interrupt handler the monitored microcomputer 50 acquires the sensor value, performs its calculation on it, and stores both the sensor value and the calculation result in the RAM 33 as the values of variables.
 After this, the value of the PC 34 of the monitored microcomputer 50 reaches the breakpoint. The control unit 22 of the debug port 20 thereby detects that the value of the PC 34 of the CPU core 31 matches the value of the breakpoint register 25, and transmits the value of the PC 34 to the monitoring microcomputer 100 (S250). In the figure the PC 34 and the variables are transmitted at the same time, but the variables may instead be transmitted only after the monitoring microcomputer 100 has requested them. Transmitting them together shortens the processing time.
 Because the breakpoint has been passed, the control unit 22 sets the interruption signal line 26 to High, so the CPU core 31 of the monitored microcomputer 50 stops operating (S260).
 The variable check unit 56 of the monitoring microcomputer 100 checks the variables (S70). If the variables show no abnormality, the procedure control unit 52 cancels the interruption (S80). The control unit 22 then sets the interruption signal line 26 to Low, so operation can resume.
 The monitored microcomputer 50 resumes operation and controls the actuator (S270). The monitoring microcomputer 100 and the monitored microcomputer 50 repeat the above processing.
 As described above, the microcomputer system 200 of this embodiment monitors the monitored microcomputer 50 through the debug port 20, which conventionally was fitted and then left unused after development, so the debug port 20 is not wasted. Because the monitoring microcomputer 100 may have lower performance than the monitored microcomputer 50, cost can be greatly reduced compared with the lockstep approach. Furthermore, the monitored microcomputer 50 controls the actuator only after the monitoring microcomputer 100 has confirmed that there is no abnormality in the variables, so controlling the actuator with an incorrect calculation result caused by a sensor fault or a RAM fault is reliably prevented.
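The S240 to S270 sequence above, together with the table lookup and the variable checks that the claims below spell out (threshold check, cross-comparison of two readings, recomputation against a third value), modelled in C as an added example. This code is not part of the patent or of any Toyota implementation: the monitor writes one breakpoint into the monitored microcomputer's breakpoint register, the debug-port compare halts the core and reports the PC, the monitor looks the PC up in its breakpoint registration table, reads back the listed RAM words, checks them, and releases the core only when the check passes. Every name and value here (`bp_entry_t`, `monitor_cycle`, `run_scenario`, the RAM addresses 0x10 to 0x12, the steering-angle window of plus or minus 540, the `2 * angle` calculation) is constructed for the example; the patent specifies none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RAM_WORDS 64
#define MAX_VARS  3

/* Row of the breakpoint registration table: PC value to trap on plus the RAM
 * addresses of the variables to fetch once it is reached (claim 2). */
typedef struct { uint32_t breakpoint; size_t n_addr; uint32_t addr[MAX_VARS]; } bp_entry_t;

/* Monitored microcomputer 50 as seen through debug port 20. */
typedef struct {
    uint32_t pc;              /* program counter 34 */
    uint32_t breakpoint_reg;  /* breakpoint register 25 */
    bool     halted;          /* interruption signal line 26 driven High */
    int32_t  ram[RAM_WORDS];  /* RAM 33 */
} monitored_t;

typedef struct { size_t n; int32_t v[MAX_VARS]; } data_t;
typedef enum { CYCLE_NO_BREAK, CYCLE_RESUMED, CYCLE_FAULT_HALTED } cycle_result_t;

/* Constructed table: the actuator breakpoint and one unrelated function entry. */
static const bp_entry_t TABLE[] = {
    { 0x2000, 3, { 0x10, 0x11, 0x12 } },  /* address just before the actuator command */
    { 0x3000, 1, { 0x20 } },              /* start of some other function */
};

/* Monitor side: find the row whose breakpoint equals the PC value received. */
const bp_entry_t *table_lookup(uint32_t pc) {
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (TABLE[i].breakpoint == pc) return &TABLE[i];
    return NULL;
}

/* Control unit 22: advance the PC; on a match with the breakpoint register,
 * drive line 26 High and report the PC (S250, S260). */
bool debug_port_step(monitored_t *m, uint32_t next_pc, uint32_t *pc_out) {
    if (m->halted) return false;
    m->pc = next_pc;
    if (m->pc != m->breakpoint_reg) return false;
    m->halted = true;
    *pc_out = m->pc;
    return true;
}

/* Second transmission means: read back the requested RAM words; out-of-range
 * addresses are dropped, which the check below then rejects. */
data_t monitored_read_vars(const monitored_t *m, const bp_entry_t *e) {
    data_t d = { .n = 0 };
    for (size_t i = 0; i < e->n_addr && i < MAX_VARS; i++)
        if (e->addr[i] < RAM_WORDS) d.v[d.n++] = m->ram[e->addr[i]];
    return d;
}

/* The monitored program's calculation, replicated on the monitor (constructed). */
static int32_t compute(int32_t angle) { return 2 * angle; }

/* Variable check unit 56: both readings within [lo, hi] (threshold check), the
 * readings agree within tol, and the stored result matches the recomputation. */
bool variables_ok(const data_t *d, int32_t lo, int32_t hi, int32_t tol) {
    if (d->n != 3) return false;
    for (size_t i = 0; i < 2; i++)
        if (d->v[i] < lo || d->v[i] > hi) return false;
    if (abs(d->v[0] - d->v[1]) > tol) return false;
    return d->v[2] == compute(d->v[0]);
}

/* One pass of S240..S270 over a PC trace. The core is released (S80, line 26
 * Low) only when the check passes; on a fault it stays halted before the actuator. */
cycle_result_t monitor_cycle(monitored_t *m, const uint32_t *trace, size_t n,
                             int32_t lo, int32_t hi, int32_t tol) {
    uint32_t pc = 0;
    m->breakpoint_reg = TABLE[0].breakpoint;     /* first transmission means */
    for (size_t i = 0; i < n; i++) {
        if (!debug_port_step(m, trace[i], &pc)) continue;
        const bp_entry_t *e = table_lookup(pc);  /* claim 2: PC -> addresses */
        if (e == NULL) return CYCLE_FAULT_HALTED;
        data_t d = monitored_read_vars(m, e);
        if (!variables_ok(&d, lo, hi, tol)) return CYCLE_FAULT_HALTED;
        m->halted = false;                       /* S80: resume permitted */
        return CYCLE_RESUMED;
    }
    return CYCLE_NO_BREAK;
}

/* Constructed scenario: readings 150 and 152 plus the computed result at RAM
 * 0x10..0x12; result_word lets the caller inject a RAM fault into the result. */
cycle_result_t run_scenario(int32_t result_word, bool reach_breakpoint) {
    monitored_t m = { 0 };
    m.ram[0x10] = 150; m.ram[0x11] = 152; m.ram[0x12] = result_word;
    const uint32_t trace[] = { 0x1000, 0x1004, reach_breakpoint ? 0x2000u : 0x1008u, 0x200C };
    return monitor_cycle(&m, trace, 4, -540, 540, 5);
}

int main(void) {
    printf("normal run: %d (1 = resumed)\n", run_scenario(300, true));
    printf("RAM fault:  %d (2 = fault, core held)\n", run_scenario(999, true));
    return 0;
}
```

The point the model makes concrete is the ordering: the breakpoint sits at the address just before the actuator command, so a corrupted result (the `999` case) leaves the core halted at the breakpoint and the command is never reached, whereas a clean set releases it within the same cycle. A real monitor would also need a timeout for the case where the breakpoint is never reached at all, which the patent leaves to the program-counter transition check of claim 6.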

Claims (10)

  1.  An in-vehicle microcomputer system comprising a monitored microcomputer having a debug port and a monitoring microcomputer connected through the debug port, wherein
     the monitoring microcomputer comprises:
     a breakpoint registration table in which a plurality of breakpoints are registered in advance; and
     first transmission means for transmitting a breakpoint from the breakpoint registration table to the monitored microcomputer; and
     the monitored microcomputer comprises:
     a register storing the breakpoint received from the monitoring microcomputer; and
     second transmission means for transmitting the value of the program counter to the monitoring microcomputer when the program counter of the monitored microcomputer matches the breakpoint stored in the register.
  2.  The microcomputer system according to claim 1, wherein
     on receiving the value of the program counter from the monitored microcomputer, the first transmission means transmits to the monitored microcomputer one or more addresses that the breakpoint registration table associates with the breakpoint matching the received program counter value, and
     the second transmission means reads the data stored at those addresses in memory and transmits the data to the monitoring microcomputer.
  3.  The microcomputer system according to claim 2, wherein the monitoring microcomputer comprises
     data abnormality determination means for comparing the one or more data received from the monitored microcomputer with a threshold to determine whether they are normal.
  4.  The microcomputer system according to claim 3, wherein the data abnormality determination means
     determines whether the one or more data received from the monitored microcomputer are normal by comparing first data and second data received from the monitored microcomputer with each other, and by comparing a value obtained by applying a calculation to one of the first data and the second data with third data received from the monitored microcomputer.
  5.  The microcomputer system according to claim 4, wherein the monitored microcomputer
     comprises execution interruption means for suspending execution of the next instruction when the program counter of the monitored microcomputer matches the breakpoint stored in the register, and
     resumes execution of instructions when it receives resumption permission from the monitoring microcomputer.
  6.  The microcomputer system according to any one of claims 1 to 5, wherein
     the second transmission means transmits the value of the program counter of the monitored microcomputer to the monitoring microcomputer in response to periodic requests from the monitoring microcomputer or at every predetermined cycle time, and
     the monitoring microcomputer comprises program counter determination means for determining, from the transitions of the program counter, whether the instruction execution history is normal.
  7.  The microcomputer system according to claim 1, wherein the breakpoint is an instruction that operates an actuator or the address immediately before that instruction, an instruction at which execution of a function starts or the address immediately before that instruction, or an instruction at which execution of a function ends or the address immediately after that instruction.
  8.  The microcomputer system according to claim 1, wherein the monitoring microcomputer completes start-up before the monitored microcomputer.
  9.  The microcomputer system according to claim 1, wherein the monitoring microcomputer has lower computing performance than the monitored microcomputer.
  10.  A monitoring microcomputer connected through a debug port to a monitored microcomputer that comprises
     the debug port,
     a register storing a breakpoint received from the monitoring microcomputer, and
     second transmission means for transmitting the value of the program counter to the monitoring microcomputer when the program counter of the monitored microcomputer matches the breakpoint stored in the register,
     the monitoring microcomputer comprising:
     a breakpoint registration table in which a plurality of breakpoints are registered in advance; and
     first transmission means for transmitting a breakpoint from the breakpoint registration table to the monitored microcomputer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2011/076310 WO2013073009A1 (en) 2011-11-15 2011-11-15 Microcomputer system and monitoring microcomputer

Publications (1)

Publication Number Publication Date
WO2013073009A1 true WO2013073009A1 (en) 2013-05-23

Family

ID=48429121

Country Status (1)

Country Link
WO (1) WO2013073009A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6463445B1 (en) * 2017-11-09 2019-02-06 三菱電機株式会社 In-vehicle control device
CN113742159A (en) * 2020-07-06 2021-12-03 北京沃东天骏信息技术有限公司 Data acquisition method and device

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6441032A (en) * 1987-08-05 1989-02-13 Mitsubishi Electric Corp Debugging supporting device
JPH11306042A (en) * 1998-04-16 1999-11-05 Toshiba Corp Software development support device and debugging method
JP2000029734A (en) * 1998-07-13 2000-01-28 Nissan Motor Co Ltd Cpu abnormality monitoring system
JP2003015909A (en) * 2001-06-29 2003-01-17 Matsushita Electric Ind Co Ltd On-board debugging system and on-board debugging method
JP2003058522A (en) * 2001-08-21 2003-02-28 Nec Corp Method and device for monitoring internal ram
JP2006079180A (en) * 2004-09-07 2006-03-23 Nec Electronics Corp Microcomputer
JP2007272581A (en) * 2006-03-31 2007-10-18 Fujitsu Ltd Monitoring program, method and device
JP2008152544A (en) * 2006-12-18 2008-07-03 Hitachi Ltd Verification device of control microcomputer and onboard control device
JP2011155066A (en) * 2010-01-26 2011-08-11 Renesas Electronics Corp Semiconductor processing apparatus and semiconductor processing system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11876030; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11876030; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)