CN100585567C - Method and apparatus for delaying access to data and/or instructions of a multiprocessor system - Google Patents

Abstract

A method and a device for delaying access to data and/or instructions of a multiprocessor system having a first and a second processor, to which a memory unit is allocated, wherein the second processor operates with a clock offset, and the device is designed such that the first processor accesses the memory unit and the second processor obtains the data and/or instructions with a clock offset.

Description

Method and apparatus for delaying access to data and/or instructions of a multiprocessor system

technical field

The invention relates to a method for delaying access to data and/or instructions of a multicomputer system and to a corresponding delay unit.

Background technique

In technical applications, such as in particular in automobiles or in the field of industrial quality (ie, for example in the field of machinery) and in the field of automation, for safety-critical applications, more and more microprocessor-based Or a computerized control and regulation system. Here, dual computer systems or dual-processor systems (dual-core) are today common computer systems for safety-critical applications, especially in automobiles such as anti-lock braking systems, electronic stability programs (ESP), e.g. Commonly used computer systems such as X-by-wire systems such as Drive-by-Wire or Steer-by-Wire and Break-by-Wire, or in other networked systems It is also a commonly used computer system. In order to meet the high safety requirements in future applications, powerful error mechanisms and error handling mechanisms are necessary, especially in order to cope with transient errors which occur, for example, when the semiconductor structures of computer systems are downsized. Here, securing the core itself (ie, the processor) is relatively difficult. As mentioned, the solution to this is to apply a dual computer system or dual core system to detect errors.

Therefore, such a processor unit with at least two integrated execution units is called a dual-core architecture or a multi-core architecture. According to today's existing technology, this dual-core architecture or multi-core architecture is proposed mainly for the following two reasons:

Thus, on the one hand, an increase in power can be achieved by increasing the performance in that the two execution units or cores are considered and processed as two computing units on one semiconductor module. In this configuration, the two execution units or cores execute different programs or tasks. Thereby, a power boost can be achieved, so this configuration is called power mode or performance mode.

A second reason for implementing a dual-core or multi-core architecture is increased safety in that the two execution units execute the same program redundantly. The results of the two execution units or CPUs (ie cores) are compared and errors can be identified when comparing for consistency. This configuration is referred to below as a safety mode (Safety-Mode) or also as an error detection mode.

Therefore, today there are dual-processor or multi-processor systems (see dual-core or master-checker systems) that work redundantly in order to recognize hardware errors on the one hand, and on the other hand there are Dual-processor or multi-processor systems with different data.

Contents of the invention

If these two modes of operation are now combined in a dual-processor or multi-processor system according to the following embodiments of the present invention (only dual-processor systems are mentioned now for reasons of simplicity, but the following inventions can be used in exactly the same way) for multiprocessor systems), the two processors get different data in performance mode and the same data in error recognition mode.

Such a device or unit enables efficient operation of a dual-processor system such that it can switch between two modes (ie security mode and performance mode) during operation. Here, further reference is made to a processor, but this also conceptually includes cores or computing units.

When implementing, in particular, a dual-processor system (dual-core), a cache is usually provided for each processor. One cache is usually not enough, since the cache must be spatially arranged between the two processors. Due to the long runtime between the cache and the two processors, the two processors can only operate at a limited clock frequency. Here, in this system, the cache is used as a fast intermediate memory so that the processor does not always have to fetch data from the slow main memory. To be able to achieve this, the cache must be implemented with great attention to its access duration. The access duration consists of the actual access time when the data is fetched from the cache and the time when the data is handed over to the processor. If the cache is now placed spatially away from the processor, the transfer of data continues for a long time and the processor can no longer work on its full clock. Due to timing issues, it is common to have a dedicated cache for each processor in a dual processor system.

The object of the present invention is to specify a method and a device by means of which a cache memory can be saved in a dual-processor system or a redundant cache memory can be saved in a multiprocessor system. Savings are achieved by utilizing clock skew.

To solve this task, the present invention describes a method and a device for delaying access to data and/or instructions of a multiprocessor system having a first and a second processor A storage unit is allocated, wherein the second processor operates with a clock offset, and the device is configured such that the first processor accesses the storage unit, while the second processor obtains data and/or instructions with a clock offset. Advantageously, the storage unit is a cache memory, whereby the advantages of this storage technology can be combined with the advantages of the invention.

Suitably, the memory unit is addressed by at least one processor and is directly coupled to the processor addressing the memory unit.

It is advantageous if a delay element is included and the device is configured in such a way that a clock offset is used by the delay element in order to enable a jump of data and/or instructions from the memory unit to the runtime of the second processor.

It is also advantageous if a comparison device is provided, by means of which the data and/or instructions are compared and which is arranged spatially close to the subsequent processor.

Expediently, the device is designed such that the clock offset is used in order to route the comparison data from the first processor to the second processor.

Advantageously, according to the refinement, when accessing, write operations and read operations are delayed or only read operations or only write operations are delayed.

If the two processors are now operated with a clock offset, then with the proposed method and the corresponding device it is possible to dispense with a second cache for the slave processor.

In a dual computer system, there are two processors that can perform the same or different tasks. The two processors of a dual computer system can perform these tasks clock synchronously or with clock skew. If a dual-processor system is designed for error detection, it is advantageous for the two processors to operate with a clock offset in order to avoid common-mode errors. This method is most efficient if a non-integer clock offset > 1 is chosen. That is, in the first application form, the two processors or cores perform the same task.

If the two processors perform different tasks, it is advantageous that the two processors can run clock edge synchronously, since external components such as memory can be controlled using only the processor's clock. If, for example, a dual-processor system is used which can switch between these two modes, an operating mode is thus optimized.

According to the invention, this is compensated for by, in a dual processor system (or multiprocessor system), the dual processor system being able to switch between two modes such as a security mode and a performance mode, Both processors work with clock skew in safe mode and without clock skew in performance mode. No clock skew in performance mode is advantageous because external components such as memory mostly run at lower clock frequencies and are designed to match the clock edges only to the processor. In addition, the second clock-offset processor would have a wait cycle on each memory access because the second processor controls external components half a clock later.

By switching clocks for dual-processor systems, the best state in error identification is achieved in safe mode and the maximum in performance is achieved in performance mode.

Therefore, the present invention advantageously starts from a method and a device for delaying access to data and/or instructions of a multiprocessor system having first and second processors to which A storage unit in which the first and second processors operate with a clock offset, and the device is constructed such that both processors access the same storage unit with a clock offset.

Suitably, write operations and read operations are hereby delayed when accessed, wherein the device is capable of switching between delaying access and not delaying access. Among other things, a multiprocessor system having such a device is disclosed.

In at least one mode, the two processors operate with clock skew. The clock offsets can be both full clocks and partial clocks relative to each other. Another variant is to use different clock frequencies in the two modes. In safety-critical modes, for example, a lower clock rate is used for interference suppression than in performance mode. Here, too, the two variants can be combined with one another.

In this case, the first operating mode corresponds to a safety mode in which both computing units execute the same program and/or data, and comparison means are provided which compare the states formed during the execution of the same program. Compare consistency.

The unit according to the invention or the method according to the invention can optimally realize both modes in a dual processor system.

If the two processors work in error recognition mode (F mode), the two processors get the same data/instructions, and if the two processors work in performance mode (P mode), each processor can access the memory. This unit then manages access to memory or peripherals that are only briefly present.

In F-mode, the unit receives data/addresses from the processor (referred to herein as the host) and forwards these data/addresses to components such as memory, bus, etc. A second processor (referred to herein as a slave) wants to make the same access. The data distribution unit receives this access at the second port, but does not forward the query to other components. The data distribution unit hands over the same data as the master to the slave and compares the data of the two processors. If these data differ, the data allocation unit (here DVE) indicates this by an error signal. Therefore, only the master works on the bus/memory, and the slaves get the same data (as in the way a dual-core system operates).

In P mode, the two processors execute different program parts. Therefore, memory access is also different. Thus, the DVE receives the request from the processor and sends the result/requested data back to the processor that the DVE has requested. Now if both processors want to access a component at the same time, one processor is put in a wait state until the other processor has been used.

The switchover between these two modes and thus the different modes of operation of the data distribution unit is effected via control signals. This can be generated by one of the two processors or can be generated externally.

If a dual-processor system operates with clock skew in F-mode and without clock skew in P-mode, the DVE unit delays the slave's data accordingly or stores the master's output data so long until the master's The output data can be compared with the output data of the slave for identifying errors.

Description of drawings

Figure 1 shows a dual computer system,

Figure 2 shows an exemplary implementation for a Data Distribution Unit (DVE),

Figure 3 shows an example of clock conversion,

Figure 4 shows the caches provided in each processor,

Figure 5 shows an embodiment using one cache for two processors, and

Figure 6 shows an embodiment using two flip-flops in case of clock skew.

Detailed ways

Clock skewing is further explained for a dual computer system with reference to FIG. 1 .

FIG. 1 shows a dual computer system with a first computer 100 (in particular a master computer) and a second computer 101 (in particular a slave computer). Here, the entire system operates with a clock that can be scheduled or with a clock cycle (clock cycle) CLK that can be scheduled. The clock is supplied to the dual computer system via the clock input CLK1 of the computer 100 and via the clock input CLK2 of the computer 101 . In addition, specific features for detecting errors are included in the dual computer system as an example, wherein the first computer 100 and the second computer 101 are time-shifted (in particular by a predeterminable time-shift) Or can be operated with a predetermined clock offset. In this case, each arbitrary instant can be predetermined for a time offset, and also each arbitrary clock can be predetermined with respect to the offset of the clock cycle. This can be an integer offset of clock cycle (clock cycle), but also as shown in this example, for example an offset of 1.5 clock cycles, wherein here the first computer 100 is exactly at the second computer 101 The previous 1.5 clock cycles worked or ran. This offset can avoid that in-phase errors (so-called common mode failures) interfere in the same way with the computer or the processor (ie the cores of a dual-core system) and are therefore not detected. This means that, due to the offset, such an in-phase error hits the computer at different times in the program sequence and thus has different effects on the two computers, whereby the error can be detected. This avoids that an erroneous effect of the same type without a clock offset would not be detectable in the comparison. To implement a time or clock offset (here in particular 1.5 clock cycles) in a dual computer system, the offset modules 112 to 115 are implemented.

In order to detect the mentioned in-phase errors, the system is designed, for example, to work with a predetermined time offset or clock cycle offset, in particular here 1.5 clock cycles, that is, during these 1.5 clock cycles, the computer For example, the computer 100 responds directly to the components, in particular the external components 103 and 104 , for which the second computer 101 operates with a delay of exactly 1.5 clock cycles. In order to produce the desired delay of one half cycle (ie 1.5 clock cycles) in this case, the computer 101 is supplied with an inverted clock at the clock input CLK2. However, at the above-mentioned terminals of the computer, it is therefore also necessary to delay its data or instructions via the bus by the stated clock cycles, ie here in particular by 1.5 clock cycles, for which an offset is set exactly as stated Or delay modules 112 to 115. In addition to the two computers or processors 100 and 101, there are also provided components 103 and 104, which are connected to this via a bus 116 consisting of bus lines 116A and 116B and 116C and a bus 117 consisting of bus lines 117A and 117B. Two computers 100 and 101 form a connection. Here, 117 is an instruction bus, in which an instruction address bus is identified by 117A, and a partial instruction (data) bus is identified by 117B. The address bus 117A is connected to the computer 100 through an instruction address terminal IA1 (instruction address 1), and is connected to the computer 101 through an instruction address terminal IA2 (instruction address 2). The commands themselves are transmitted via the part of command bus 117B which is connected to computer 100 via command terminal II (command 1 ) and to computer 101 via command terminal I2 (command 2 ). Components 103 , such as instruction memories, especially reliable instruction memories, etc., are interconnected in an instruction bus 117 composed of 117A and 117B. These components (in particular as instruction memory) also operate with the clock CLK in this example. Furthermore, a data bus is denoted by 116 which includes a data address bus or data address line 116A and a data bus or data line 116B. Here, 116A (that is, the data address line) is connected to the computer 100 through the data address terminal DA1 (data address 1), and is connected to the computer 101 through the data address terminal DA2 (data address 2). Likewise, data bus or data line 116B is connected to computer 100 via data terminal DO1 (data output 1) and to computer 101 via data terminal DO2 (data output 2). Furthermore, data bus line 116C belongs to data bus 116 , which is connected to computer 100 or computer 101 via data terminal DI1 (data input 1 ) and data terminal D12 (data input 2 ), respectively. Components 104 (eg, data storage, especially reliable data storage, etc.) are interconnected in a data bus 116 consisting of lines 116A, 116B, and 116C. Component 104 is also provided with clock CLK in this example.

Here, the components 103 and 104 represent arbitrary components which are connected to the computers of the dual computer system via a data bus and/or an instruction bus and which are based on data and/or Instruction access can obtain or issue erroneous data and/or instructions. In order to avoid mistakes, although error identification generators 105, 106 and 107 are provided, these error identification generators 105, 106 and 107 generate error identifications such as parity bits or also produce errors such as error correction codes (ie ECC, Error-Correction -Code) and so on for another error code. Corresponding error detection devices or checking devices 108 and 109 are then also provided for this purpose for checking the corresponding error detection (ie for example a parity bit or another error code such as ECC).

As shown in FIG. 1 , in a dual computer system the data and/or instructions are compared in comparators or modules 110 and 111 for redundant execution. But now, if there is a time offset between the computers 100 and 101, in particular a clock offset or a clock period offset, which is caused by an asynchronous dual processor system or in a synchronized dual processor system by Errors in the synchronization are also caused, as in the specific example, by the desired time offset or clock cycle offset for error detection, especially here by 1.5 clock cycles, at which time offset or clock offset In this case, a computer (here especially computer 100) but also other users or actuators or sensors can write or read faulty data and/or instructions into components (in particular external components such as here in particular memory 103 or 104). In this way, the computer incorrectly executes write access by means of a clock offset instead of the provided read access. It goes without saying that these situations lead to errors of the entire system, and thus also recovery problems, especially if there is no apparent possibility of precisely changing the indication of data and/or commands by mistake.

In order to solve this problem, delay unit 102 will now be connected as shown in the lines of the data bus and/or in the command bus. For reasons of clarity, only the access data bus is shown. In terms of the command bus, this is of course also possible and conceivable exactly the same. The delay unit 102 (Delay Unit) delays the access (here in particular the memory access) in such a way that a possible time offset or clock offset is compensated for, for example, by comparators 110 and 111, for example, at least so long in the event of an error detection, until An error signal is generated in a dual computer system, ie error recognition is performed in a dual computer system. Various variants are possible here:

Writes and reads are delayed, writes only, or if that is not preferred also reads. In this case, a delayed write operation can be converted into a read operation by changing a signal (in particular an error signal) in order to inhibit erroneous writes.

Now, below with reference to Fig. 2, it is shown about the exemplary realization scheme of data distribution unit (DVE), and this data distribution unit (DVE) preferably is used for (through IllOPDetect) the device that detects conversion desire, mode conversion unit and Iram and Dram control module constitutes.

IllOpDetect: The transition between two modes is identified by the "Switch-Detect" unit. This unit sits between the cache on the instruction bus and the processor and looks to see if instruction 111Op is loaded into the processor. If an instruction is detected, the event is notified to the mode switching unit. There is a separate "transition detection" unit for each processor. The “switchover detection” unit does not have to be implemented in a fault-tolerant manner, since it is duplicated and therefore present redundantly. On the other hand, it is conceivable to implement the units fault-tolerantly and thus individually, but a redundant embodiment is preferred.

ModeSwitch: The transition between these two modes is triggered by the "Transition Detection" unit. If a transition from locked mode to split mode should be made, the transition is detected by the two "transition detection" units because the two processors execute the same program code in locked mode. Processor 1's "Transition Detect" unit recognizes this 1.5 clocks before Processor 2's "Transition Detect" unit. The "mode switch" unit stops processor 1 for two clocks by means of a wait signal. Processor 2 is also stalled 1.5 clocks later, but only half a clock, so that it is synchronized with the system clock. Then, for other components, the status signal is connected to split mode, and the two processors continue to work. Now in order for the two processors to perform different tasks, the two processors have to run sequentially in the program code. This is achieved by enabling read access to the processor ID directly after transitioning to split mode. The read processor ID is different for each of the two processors. Now if a comparison is made for a given processor ID, the corresponding processor is then directed to another program location using a conditional jump instruction. This is first discovered by the processor or one of the two processors when transitioning from split mode to locked mode. The processor executes program code that includes conversion instructions. This is now registered by the "switch detection" unit and notifies this to the mode switch unit. The mode switching unit halts the associated processor and informs the second processor of the desire for synchronization via an interrupt. The second processor gets the interrupt and can now execute a software routine for ending its task. The processor now also jumps to the program location where the instruction for conversion is located. Its "changeover detection" unit now likewise signals the desire for a mode changeover to the mode changeover unit. The first rising system clock edge now deactivates the wait signal for processor 1, and 1.5 clocks later deactivates the wait signal for processor 2. Now, the two processors again work synchronously with a clock offset of 1.5 clocks.

If the system is in locked mode, the mode switching unit must be informed by the two "transition detection" units that they want to enter the split mode. If only one unit implements the switchover request, the error is detected by the comparison unit, since one of the two processors continues to supply data to the comparison unit and the comparator unit does not agree with the aborted processor.

If the two processors are in split mode and one processor does not return to locked mode, this can be identified by an external watchdog timer. In each processor's trigger signal, the watchdog timer notices that waiting processors no longer report. If only one watchdog timer signal is present for the processor system, triggering of the watchdog timer is only allowed in locked mode. Therefore, the watchdog timer may recognize that a mode transition has not been achieved. Mode signals exist as dual-rail signals. Here, "10" represents a lock mode and "01" represents a split mode. In the case of "00" and "01", an error occurs.

IramControl: Access to the instruction memory of these two processors is controlled through IRAMControl. The IRAMControl must be designed reliably since it is a single point of failure. IRAMControl consists of two per-processor state automata: synchronous iram1clkreset and asynchronous readiram1 each as a clock. In the safety-critical mode, the state machines of the two processors monitor each other, while in the performance mode, the state machines of the two processors work separately.

The reloading of the processor's two caches is controlled by two state machines, namely the synchronous state machine iramclkreset and the asynchronous state machine readiram. With these two state machines, memory accesses are also assigned to split patterns. In this case, processor 1 has higher priority. After the access to the main memory by processor 1, processor 2 is now assigned a memory access permission (if both processors want to access the main memory again). These two state automata are implemented for each processor. In lock mode, the output signals of the automaton are compared in order to be able to identify errors that have occurred.

Data for updating cache 2 in locked mode is delayed by 1.5 clocks in the IRAM control unit.

Encoded in bit 5 in register 0 of SysControl, which cores are involved. Core 1 is bit 0 and is high at core 2. This register is mapped into the memory range at address 65528.

On core 2's memory access, it first checks which mode the computer is in. If the computer is in lock mode, its memory access is inhibited. This signal exists as a common rail signal because it is a safety-critical signal.

Processor 1's program counter is delayed by 1.5 clocks so that it can be compared with Processor 2's program counter in locked mode.

In split mode, the caches of the two processors can be reloaded differently. If you now switch to locked mode, the two caches are not associated with each other. As a result, the two processors can run one after the other, and thus the comparator signals an error. In order to avoid this, a mark table is established in IRAMControl. In this mark table it is noted that the cache column in locked mode or in detached mode has been written. In locked mode, the entry corresponding to the cache line is set to 0 on a cache line reload, and to 1 in split mode (even a cache update of only one cache line). Now if the processor only performs memory accesses in locked mode, it is checked, whether the cache line is updated in locked mode, ie whether the cache line is the same in both caches. In split mode, the processor always accesses the cache column regardless of the Flag_Vector. This table must exist only once, since in the event of an error the two processors are run one after the other and therefore the error is reliably detected at the comparator. Since the access time to the central table is relatively high, this table is also replicated to each cache.

DramControl: In this component, parity is formed for each processor's address signal, data signal, and memory control signal.

For both processors there is a process for blocking memory. This process does not have to be implemented reliably, since in locked mode erroneous memory accesses are detected by means of comparators, while in split mode no security-critical applications are implemented. Here, it is checked whether a processor wants to block the memory of another processor. Blocking of the data memory is achieved by accessing the memory address $FBFF$=64511. This signal should be present for exactly one clock long, even if a wait command was imposed on the processor at the time of the call. A state automaton for managing data memory access consists of two main states:

- Processor State Lock: The two processors work in locked mode. That is, the function of data memory locking is not required. Processor 1 coordinates memory accesses.

- Processor State Separation: Access conflict resolution to data memory is now required and must be able to implement memory blocking.

The state in split mode is further divided into 7 states that resolve access conflicts and can block the data memory for another processor respectively. The order listed also indicates priority when both processors are desired to access at the same time.

-Core1\_Lock: Processor 1 has blocked data memory. If processor 2 wants to access the memory in this state, processor 2 is blocked by waiting for a signal until processor 1 releases the data memory again.

-Core2\_Lock: If the same state as before except that now processor 2 has blocked the data memory and processor 1 is stalled while working on the data memory.

-lock1\_wait: When processor 1 also wants to reserve data memory for itself, the data memory is blocked by processor 2. Therefore, processor 1 is pre-registered for the next memory stall.

-nex: This is the same for processor 2. The data store is blocked by processor 1 during the blocking attempt. Processor 2 is pre-booked for memory. In a normal non-blocking memory access, processor 2 can access here before processor 1 if processor 1 was on it before.

- Memory access by processor 1: the memory is not blocked in this case. Processor 1 allows access to data memory. If the processor 1 wants to block memory, the processor 1 can do so in this state.

- Memory access by processor 2: At the same clock, processor 1 does not want to access memory, so the memory is free for processor 2.

- No processor wants to access data memory.

As mentioned, the DVE consists of the switchover request (IllOPDetect) and the Iram and DramControl of the detection mode switchover unit.

In FIG. 3 , clock transitions are now shown as an example, so that clock transitions are implemented in one mode compared to other modes. Here, two modes are shown, namely a clock clk and two processor clocks or core clocks.

In one mode, the two processors operate with clock skew. The clock offsets are both full clocks and partial clocks relative to each other. Another variant is to use different clock frequencies in the two modes. In safety-critical modes, for example, a lower clock rate is used for interference suppression than in performance mode. Here, the two variants can also be combined with one another.

In addition, however, the specific implementation shown also solves the task stated at the outset.

When implementing, in particular, a dual-processor system (dual-core), a cache is provided for each processor, as is also shown schematically in FIG. 4 . One cache is usually not enough, since the cache must be spatially arranged between the two processors. Due to the long runtime between the cache and the two processors, the two processors can only operate at a limited clock frequency.

The cache is used as a fast scratchpad so that the processor does not always have to fetch data from the slow main memory. To be able to achieve this, the cache must be implemented with great attention to its access duration. The access duration consists of the actual access time to fetch the data from the cache and the time the data is delivered to the processor. Now if the cache is placed spatially away from the processor, the transfer of data takes a very long time and the processor can no longer work on its full clock. Due to timing issues, it is common to have a dedicated cache for each processor in a dual processor system.

If the two processors are now operated with a clock offset, the method suggested in FIG. 5 can now dispense with the second cache memory of the slave processor.

A cache requires multiple die surfaces and also requires multiple currents. As a result, the cache also generates a lot of waste heat, which has to be extracted. Now dual processor systems can be implemented significantly cheaper if the cache can be dispensed with.

In the dual computer system described here, one processor is the master and one processor is the slave. The host first executes the data and thus also controls peripheral components like memory, cache, DMA controller, and so on. The slave executes the same data with a clock offset of, for example, 1.5 clocks. This also means that the slave acquires the data from the common memory and likewise acquires the data of the external components after this duration. Output data (such as memory addresses, data, etc.) of the two processors are compared with each other. In order to be able to compare the data with each other, the result of the master must also be temporarily stored for 1.5 clocks. An example system of this kind is described below.

According to FIG. 5 , in order to now be able to use one cache for both processors, as in a single processor, the instruction and data caches are arranged directly on the host. Therefore, the host does not have to tolerate a performance penalty in terms of runtime between the cache and the processor. Since the slave is only 1.5 clocks late executing the data, this time is now used to direct the data to the second processor, which is now further in space from the cache.

For this, two flip-flops are used with an exemplary clock offset of 1.5 clocks, as shown in FIG. 6 . The first flip-flop is controlled by the clock of the master, and the second flip-flop is controlled by the clock of the slave. The first flip-flop is positioned directly at the output of the source. The second flip-flop is now positioned correspondingly closer to the slave according to the length the signal can travel within the difference between these two clocks. With a time offset of 1.5 clocks, this corresponds to a runtime of half a clock, and with a clock offset of 2 clocks, to a runtime of one clock. Next, the second flip-flop receives the signal. Now also consider once the distance that the signal can travel during the whole clock. In the figure, 1.) this is shown by being placed close to the receiver, 2.) this corresponds to the length that can be passed in the clock difference, and 3.) this is in one clock after the second flip-flop The length that can pass.

Claims (20)

1. A method for operating a multiprocessor system having first and second processors, assigning storage units to said first and second processors, wherein said first and second processors are capable of mode in which the two processors execute different programs, wherein the first and second processors are capable of operating in a safe mode in which the two processors execute redundantly The same program, characterized in that, in secure mode, said second processor operates with a clock offset from said first processor; and said first processor accesses said storage unit while said first processor The two processors obtain the data with clock skew; and in performance mode, the two processors work without clock skew. 2. The method of claim 1, wherein in performance mode, each of the two processors accesses the storage unit. 3. The method according to claim 1, wherein the clock skew is generated by a delay element, and the clock skew is used to implement data and/or instructions from the storage unit to the first The spanning of the runtime of the two processors. 4. The method of claim 1, wherein write operations and read operations are delayed by a clock offset of the second processor. 5. The method of claim 1, wherein only write operations are delayed by a clock offset of the second processor. 6. The method of claim 1, wherein only read operations are delayed by a clock offset of the second processor. 7. The method of claim 1, wherein the clock offset is predetermined to be one or more half clocks. 8. The method of claim 1, wherein the clock offset is predetermined as an integer. 9. The method of claim 1, wherein the clock offset is predetermined to be 1.5 clocks. 10. The method of claim 1, wherein for a transition from performance mode to safe mode or for a transition from safe mode to performance mode, one of the two processors is halted. 11. A multiprocessor system having a first and a second processor to which storage units are allocated, wherein the first and second processor are capable of running in performance mode, in In the performance mode, the two processors execute different programs, wherein the first and second processors are capable of operating in a safe mode, in which the two processors redundantly execute the same program, which characterized in that, in secure mode, the second processor operates with a clock offset from the first processor; and the first processor accesses the storage unit while the second processor is clocked Data is obtained with an offset; and in performance mode, the two processors operate without clock offset. 12. The multiprocessor system as claimed in claim 11, characterized in that the memory unit is designed as a cache memory, which is arranged directly on the first processor and generates the clock skew, and said clock skew is used to effectuate a run-time crossover of data and/or instructions from said storage unit to said second processor. 13. The multiprocessor system of claim 11, wherein write operations and read operations are delayed by a clock offset of the second processor. 14. The multiprocessor system of claim 11, wherein only write operations are delayed by a clock offset of the second processor. 15. The multiprocessor system of claim 11, wherein only read operations are delayed by a clock offset of the second processor. 16. The multiprocessor system of claim 11, wherein the clock offset is predetermined to be one or more half clocks. 17. The multiprocessor system of claim 11, wherein the clock offset is predetermined by an integer. 18. The multiprocessor system of claim 11, wherein the clock offset is predetermined to be 1.5 clocks. 19. The multiprocessor system of claim 11, wherein for a transition from performance mode to safe mode or for a transition from safe mode to performance mode, one of the two processors is halted. 20. The multiprocessor system of claim 11, wherein the storage unit is a cache.

Images