JP2010282551A - Information processing device - Google Patents

Abstract

An object of the present invention is to provide an information processing apparatus that can determine whether the bug is an operating environment bug or a compiler bug.
An information processing apparatus includes a first operating environment and a second operating environment, and a first application and a second application that are converted by different compilers, respectively. The applications 31 and 32 are executed in 41, the applications 31 and 32 are executed in the second operating environment 42, and the processing result comparison means 61 is connected to the applications 31 and 32 on the first operating environment 41 and the second operating environment 42. When the same data is input to each of the applications 31 and 32, the processing result in the first operating environment 41 in which the first application 31 is executed and the first operating environment 41 in which the second application 32 is executed And the processing result in the second operating environment 42 in which the first application 31 is executed and the processing result in the second operating environment 42 in which the second application 32 is executed are compared. .
[Selection] Figure 1

Description

  The present invention relates to an information processing apparatus.

  Some control systems that require high reliability include two CPUs in order to prevent malfunctions caused by erroneous calculation values when a hardware CPU [Central Processing Unit] fails. Some control systems are equipped with an OS (Operating System). In a dual CPU system, each CPU is equipped with an OS. When an application (hereinafter referred to as “application”) is executed on the OS, a machine language execution program is generated by converting the source code of the application by a compiler, and the machine language program is executed on the OS.

  The control system as described above includes an OS, an application source code, and a compiler (machine language program) as software. However, even if a bug is included in these software, the application machine language program is executed on the OS. If it is executed with, an incorrect operation value is output. In control system development, among software OS, application source code, and compiler, bugs are removed by thorough testing by the developer for application source code, but the OS and compiler are black boxes. Therefore, various methods for detecting bugs in the OS and compiler have been proposed. For example, in Patent Document 1, a plurality of machine language programs are generated by converting the source code of one application by a plurality of compilers, the same data is input to the plurality of machine language programs, and each is executed. It is described that bugs of a plurality of compilers are indirectly detected by comparing a plurality of operation values. Since it is very unlikely that the same bug exists in the same part of different compilers, it can be presumed that there is a bug in one of the compilers when the operation values of a plurality of machine language programs (plural compilers) are different.

  Further, as a method for detecting a bug between the compiler and the OS, the following method can be considered. FIG. 16 shows a control system 100 that includes two CPUs 151 and 152, and different OSs 141 and 141 are mounted on the CPUs 151 and 152. In this control system 100, the source code 110 of the application is converted by the first compiler 121 to generate the first application 131 of the machine language program, and the source code 110 is converted by the second compiler 122 to convert the source code 110 of the machine language program. Two applications 132 are generated. Then, by executing the two applications 131 and 132 on different OSs 141 and 142, a bug between the OS and the compiler is detected.

  The fail safe process in the control system 100 will be described along the flowchart of FIG. First, when the same data is input to the first application 131 and the second application 132, the first CPU 151 executes the first application 131 on the first OS 141 and outputs the control calculation value a (S210), and the second CPU 152 The two applications 132 are executed on the second OS 142 and the control calculation value b is output (S220). The first CPU 151 transmits the control calculation value a to the second CPU 152 (S211) and receives the control calculation value b from the second CPU 152 (S212). The second CPU 152 transmits the control calculation value b to the first CPU 151 (S221) and receives the control calculation value a from the first CPU 151 (S222).

  Then, the first CPU 151 (comparison unit 160) compares the two control calculation values a and b (S213), and determines whether a and b are the same value (S214). The second CPU 152 (comparison unit 160) also compares the two control calculation values a and b (S223), and determines whether a and b are the same value (S224). If the comparison unit 160 (first CPU 151, second CPU 152) determines that a and b are the same value in S214 and a and b are the same value in S224 (S230), there is no bug in the OS and the compiler. And the control calculation value a (b) is output (S231). When the comparison unit 160 determines that a and b are different values in S214 and determines that a and b are different values in S224 (S232), it determines that at least one of the OS and the compiler has a bug and shuts down the system. (S233).

JP-A-2005-141406 JP 2004-355233 A

  In the detection method as described above, it is possible to detect that there is a bug in at least one of the two OSs 141 and 142 and the two machine language program applications 131 and 132 (compilers 121 and 122). Cannot determine whether this is a compiler bug. In other words, since different machine language programs converted by different compilers are executed on different OSs that can process the same contents, bugs were incorporated into one of the machine language programs due to a bug in one of the compilers. It is impossible to determine whether or not a different calculation value is output due to a bug in one of the OSs. For this reason, if it is determined that there is a bug, it can only be dealt with by a process on the safe side (such as shutdown).

  Therefore, an object of the present invention is to provide an information processing apparatus that can determine whether the bug is an operating environment bug or a compiler bug.

  The information processing apparatus according to the present invention is the same when executed in the operating environment and the first operating environment and the second operating environment that output the same processing result through different processing steps when the same data is input. When the first data is input, the information processing apparatus includes a first application and a second application that output the same processing result data to the operating environment through different processing processes. In the first operating environment, the first application and the second application Two applications are executed, and in the second operating environment, at least the first application is executed, and the first application executed on the first operating environment and the second application and the first application executed on the second operating environment Processing results in the first operating environment in which the first application is executed when the same data is input Characterized by comprising a processing result in the first operating environment in which the second application is executed, the processing result comparison means for comparing the processing results in the second operating environment in which the first application is executed.

  This information processing apparatus has a plurality of operating environments (for example, OS) and a plurality of applications. If there is no bug in the first operating environment and the second operating environment, when the same data is input, the first operating environment and the second operating environment are processed in different processing steps but output the same processing result. The first application and the second application are, for example, applications obtained by converting the source code of the same application by different compilers, and are executed in the operating environment. When there is no bug and the same data is input, the first application and the second application are processed in different processing steps, but output the same processing result data to the operating environment. In particular, in the information processing apparatus, the first application and the second application are executed on the first operating environment, and at least the first application is executed on the second operating environment. Here, in the information processing device, the same data is stored in the first application executed on the first operating environment, the second application executed on the first operating environment, and the first application executed on the second operating environment. Enter each. Then, in the first operating environment, when the first application is executed and the processing result data is output, the processing result is output according to the predetermined result data, and when the second application is executed and the processing result data is output, the processing is performed. The processing result is output according to the result data. In the second operating environment, when the first application is executed and processing result data is output, the processing result is output according to the processing result data. In the information processing apparatus, the three processing results are compared by the processing result comparison means. In this comparison, if the three processing results are the same, it can be determined that there is no bug in the operating environment and the application, and if the three processing results are not the same, which processing result (the processing result by which application in which operating environment) ) Are different, it can be determined whether it is a bug in the operating environment or a bug in the application (and hence a bug in the compiler). As described above, in the information processing apparatus, the first and second applications are arranged in the first operating environment, and at least the first application is arranged in the second operating environment, and the processing results are compared, thereby causing a bug in the operating environment. Or a bug in the compiler.

  In the information processing apparatus according to the present invention, the first application and the second application are executed in the second operating environment, and the processing result comparison unit includes the first application and the second application executed in the first operating environment, and the first application. When the same data is input to each of the first application and the second application executed in the two operating environments, the processing result in the first operating environment in which the first application is executed and the second application are executed. The processing result in the first operating environment, the processing result in the second operating environment in which the first application is executed, and the processing result in the second operating environment in which the second application is executed are compared.

  In this information processing apparatus, the first application and the second application are executed on the first operating environment, and the first application and the second application are also executed on the second operating environment. Here, in the information processing apparatus, the first application executed on the first operating environment, the second application executed on the first operating environment, the first application executed on the second operating environment, and the second operation The same data is input to the second application executed on the environment. Then, in the first operating environment, similarly to the above, the processing result by the first application is output and the processing result by the second application is output. In the second operating environment, when the first application is executed and the processing result data is output, the processing result is output according to the processing result data. When the second application is executed and the processing result data is output, the processing result data is output. The processing result is output according to. In the information processing apparatus, the four processing results are compared by the processing result comparison means. In this comparison, when the four processing results are the same, it can be determined that there is no bug in the operating environment and the application, and when the four processing results are not the same, the combination of the processing results that are different from the processing results that are the same value. It is possible to determine whether the bug is an operating environment bug or an application bug (and hence a compiler bug), and depending on the combination pattern, it is possible to determine which operating environment bug. As described above, in the information processing apparatus, the first and second applications are arranged in the first operating environment and the second operating environment, respectively, and the processing results are compared to determine whether the operating environment bug or the compiler bug exists. There is also a pattern that can be determined with higher accuracy, and when it is determined as a bug in the operating environment, which operating environment bug is determined.

  According to the present invention, it is possible to determine whether the bug is an operating environment bug or a compiler bug by arranging the first and second applications in different operating environments and comparing the processing results.

It is a block diagram of ECU of the ABS system which concerns on 1st Embodiment. 2 is a list of discrimination patterns for comparison of control calculation values by a combination of two compilers and two OSs in the ECU of FIG. 1. It is a flowchart which shows the flow of a process in 1st CPU in ECU of FIG. It is a flowchart which shows the flow of a process in 2nd CPU in ECU of FIG. It is a block diagram of ECU of the ABS system + ACC system which concerns on 2nd Embodiment. 6 is a list of discrimination patterns for comparison of control operation values on the ABS side by a combination of two compilers and two OSs in the ECU of FIG. 5. 6 is a list of discrimination patterns for comparison of control calculation values on the ACC side by a combination of two compilers and two OSs in the ECU of FIG. 5. It is a flowchart which shows the flow of the process (first half part) in 1st CPU in ECU of FIG. It is a flowchart which shows the flow of the process (latter half part) in 1st CPU in ECU of FIG. It is a flowchart which shows the flow of the process (first half part) in 2nd CPU in ECU of FIG. It is a flowchart which shows the flow of the process (second half part) in 2nd CPU in ECU of FIG. It is a block diagram of ECU of the ABS system which concerns on 3rd Embodiment. 13 is a list of discrimination patterns for comparison of control calculation values by a combination of two compilers and two OSs in the ECU of FIG. 12. It is a flowchart which shows the flow of a process in 1st CPU in ECU of FIG. It is a flowchart which shows the flow of a process in 2nd CPU in ECU of FIG. It is a block diagram of the conventional control system. It is a flowchart which shows the flow of the fail safe process in the control system of FIG.

  Embodiments of an information processing apparatus according to the present invention will be described below with reference to the drawings. In addition, the same code | symbol is attached | subjected about the element which is the same or it corresponds in each figure, and the overlapping description is abbreviate | omitted.

  In the present embodiment, the information processing apparatus according to the present invention is applied to a system (particularly an ECU [Electronic Control Unit]) mounted on a vehicle. The ECU of the system according to the present embodiment includes two CPUs and is an ECU in which a different OS is mounted on each CPU. In addition, the ECU of the system according to the present embodiment has two different compilers, and has two machine language programs in which the source code of the control application is converted by two different compilers, respectively. Yes. In this embodiment, there are three forms, and the first embodiment is an ECU that performs overall control of an ABS [Anti-lock Brake System] system (two machine language programs are arranged in two OSs, respectively) The second embodiment is an ECU that controls the ABS system and ACC [Adaptive Cruise Control] (two OSs (two ABCs + two ACCs) are arranged in machine language programs). The third embodiment is an ECU that performs overall control of the ABS system (two machine language programs are arranged on one CPU and one machine language program is arranged on the other CPU).

  In the following description, the internal configuration of the ECU and the failsafe process will be described in detail. Since the conventional control is applied to the ABS control and the ACC control, the description of the specific processing of each control is omitted.

  With reference to FIG.1 and FIG.2, ECU1 of the ABS system which concerns on 1st Embodiment is demonstrated. FIG. 1 is a configuration diagram of the ECU of the ABS system according to the first embodiment. FIG. 2 is a list of discrimination patterns for comparison of control calculation values by a combination of two compilers and two OSs in the ECU of FIG.

  The ECU 1 is an electronic control unit and performs overall control of the ABS system. The ECU 1 includes an ABS application 10, a first compiler 21 and a second compiler 22, a first ABS application 31, a second ABS application 32, a first OS 41, and a second OS 42 as software. Further, the ECU 1 includes a first CPU 51 and a second CPU 52 as hardware, a ROM [Read Only Memory], a RAM [Random Access Memory], and the like. Further, the ECU 1 includes a comparison unit 61 and an output processing unit 71 as each application is executed by the CPUs 51 and 52. The comparison unit 61 and the output processing unit 71 are configured on both the first CPU 51 side and the second CPU 52 side, and the same processing is performed on both sides.

  In the first embodiment, the first ABS application 31 and the second ABS application 32 correspond to the first application and the second application described in the claims, and the first OS 41 and the second OS 42 are described in the claims. The comparison unit 61 corresponds to the processing result comparison means described in the claims.

  The ABS application 10 is software created by a developer in a predetermined programming language (for example, C language), and is source code for performing ABS control. In the present embodiment, the fail safe process will be described assuming that there is no bug in the ABS application 10. Note that the ABS application 10 of the source code is also mounted in the ECU 1 and may be converted into the first ABS application 31 and the second ABS application 32 by the first compiler 21 and the second compiler 22 in the ECU 1, or the ABS application 10 may be converted into the ECU 1. The first ABS application 31 and the second ABS application 32 converted in advance by the first compiler 21 and the second compiler 22 may be mounted on the ECU 1 without being mounted on the ECU 1.

  The compilers 21 and 22 are software for converting source code created in a predetermined programming language into machine language programs (object codes) that can be executed by the CPU 51 and CPU 52. The first compiler 21 and the second compiler 22 are different compilers, and convert the same source code into different machine language programs.

  The first ABS application 31 is a machine language program obtained by converting the ABS application 10 of the source code by the first compiler 21. The second ABS application 32 is a machine language program obtained by converting the ABS application 10 of the source code by the second compiler 22. The first ABS application 31 and the second ABS application 32 are mounted on the first OS 41 (first CPU 51) and the second OS 42 (first CPU 52), respectively. The first ABS application 31 and the second ABS application 32 perform processing in different processing steps when the same data is input and executed on the OSs 41 and 42 when there is no bug in the compilers 21 and 22. The same processing result data is output to the OS 41, 42.

  The OSs 41 and 42 are basic software that manages the entire ECU 1. The first OS 41 and the second OS 42 are different OSs. The first OS 41 is mounted on the first CPU 51. The second OS 42 is mounted on the second CPU 52. When there is no bug and the same data is input to the first OS 41 and the second OS 42, the first OS 41 and the second OS 42 perform processing in different processing steps, but output the same processing result.

  In the first CPU 51, each time the same predetermined data (for example, detection data detected by various sensors) is input to the first ABS application 31 and the second ABS application 32, the first ABS application 31 and the second ABS application 32 on the first OS 41. Execute. When the first ABS application 31 is executed on the first OS 41, the processing result data for the input data is output to the first OS 41, and when the processing result data is input, the first OS 41 outputs the control operation value a corresponding to the processing result data. To do. When the second ABS application 32 is executed on the first OS 41, the processing result data for the input data is output to the first OS 41. When the processing result data is input, the first OS 41 outputs the control calculation value b corresponding to the processing result data. To do. The first CPU 51 transmits the control calculation values a and b to the second CPU 52 and receives the control calculation values c and d from the second CPU 52.

  In the second CPU 52, every time the same predetermined data (the same data as the predetermined data input on the first CPU 51 side) is input to the first ABS application 31 and the second ABS application 32, the first ABS application 31 and the second ABS application 31 2ABS application 32 is executed. When the first ABS application 31 is executed on the second OS 42, the processing result data for the input data is output to the second OS 42. When the processing result data is input, the second OS 42 outputs the control calculation value c corresponding to the processing result data. To do. When the second ABS application 32 is executed on the second OS 42, the processing result data for the input data is output to the second OS 42. When the processing result data is input, the second OS 42 outputs the control calculation value d corresponding to the processing result data. To do. Then, the second CPU 52 transmits the control calculation values c and d to the first CPU 51 and receives the control calculation values a and b from the first CPU 51.

  The comparison unit 61 compares the control calculation values a, b, c, and d, and performs each determination process according to the determination pattern shown in FIG. 2 depending on whether the control calculation values a, b, c, and d are the same value or different values. .

  If all of a, b, c, and d have the same value, the comparison unit 61 has no bugs in the first compiler 21 (first ABS application 31), the second compiler 22 (second ABS application 32), the first OS 41, and the second OS 42. It is determined that the normal ABS control is performed.

  When a and c are the same value and b and d are the same value, but a, c and b and d are different values, the comparison unit 61 has no bug in the first OS 41 and the second OS 42. It is determined that either one of the first compiler 21 and the second compiler 22 has a bug. In this case, both the OS 41 and 42 can be executed normally, but since one of the ABS applications 31 and 32 cannot be executed normally, the comparison unit 61 determines to stop the ABS control as a safe process. As a result, since the system itself is not stopped, when an application other than the ABS control is executed on the OS 41 or 42 (for example, an alarm lamp lighting process when the ABS control is abnormal), the application can be executed. it can.

  When a and b are the same value and c and d are the same value, but a, b and c, d are different values, the comparison unit 61 has a bug in the first compiler 21 and the second compiler 22. However, it is determined that either one of the first OS 41 and the second OS 42 has a bug. In this case, since it cannot be determined which of the OSs 41 and 42 cannot be executed normally, the comparison unit 61 determines to stop the system as a safe process.

  When a, b, and c are the same value and only d is a different value, the comparison unit 61 has no bug in the first compiler 21, the second compiler 22, and the first OS 41, but the second OS 42 has a bug. to decide. In this case, since it can be determined that only the second OS 42 cannot be executed normally, the comparison unit 61 determines to continue the ABS control only on the normal first OS 41 side. Although there is a bug in a part of the second OS 42, it can be estimated that a, b, and c have the same value because the first ABS application 31 is executed in the part of the second OS 42 that is operating normally.

  When a, b, and d are the same value and only c is a different value, the comparison unit 61 has no bug in the first compiler 21, the second compiler 22, and the first OS 41, but the second OS 42 has a bug. to decide. In this case, since it can be determined that only the second OS 42 cannot be executed normally, the comparison unit 61 determines to continue the ABS control only on the normal first OS 41 side. Although there is a bug in a part of the second OS 42, it can be estimated that a, b, and d have the same value because the second ABS application 32 is executed in a part in which the second OS 42 operates normally.

  When b, c, and d are the same value and only a is a different value, the comparison unit 61 has no bug in the first compiler 21, the second compiler 22, and the second OS 42, but the first OS 41 has a bug. to decide. In this case, since it can be determined that only the first OS 41 cannot be normally executed, the comparison unit 61 determines that the ABS control is continued only on the normal second OS 42 side. Although there is a bug in a part of the first OS 41, it can be estimated that c, d, and b have the same value because the second ABS application 32 is executed in the normally operating part of the first OS 41.

  When a, c, and d are the same value and only b is a different value, the comparison unit 61 has no bug in the first compiler 21, the second compiler 22, and the second OS 42, but the first OS 41 has a bug. to decide. In this case, since it can be determined that only the first OS 41 cannot be normally executed, the comparison unit 61 determines that the ABS control is continued only on the normal second OS 42 side. Although there is a bug in a part of the first OS 41, it can be estimated that c, d, and a have the same value because the first ABS application 31 is executed in the part of the first OS 41 that is operating normally.

  In the case of patterns other than those described above, both the compilers 21 and 22 have bugs, the OS 41 and 42 both have bugs, or at least one of the compilers 21 and 22 and at least one of the OS 41 and 42 have bugs. There are certain patterns, but such patterns are extremely rare and can be ignored. However, if this pattern becomes a problem, the system may be stopped as a safe process.

  In the output processing unit 71, when the comparison unit 61 determines that normal ABS control is to be performed, the control processing value a (b, c, d) output from one of the OSs 41 and 42 (for example, the first OS 41) is used. A corresponding control signal is output. Further, when the output processing unit 71 determines that the ABS control is to be stopped by the comparison unit 61, the ABS relay is turned off, and the ABS applications 31 and 32 are both terminated. Further, when the output processing unit 71 determines that the comparison unit 61 stops the system, the output processing unit 71 shuts down or turns off the power. Further, in the output processing unit 71, when the comparison unit 61 determines that only the ABS control is continued on the first OS 41 side, the output processing unit 71 outputs a control signal corresponding to the control calculation value a (b) output from the first OS 41. Further, when the output processing unit 71 determines that the ABS control is continued only on the second OS 42 side in the comparison unit 61, the output processing unit 71 outputs a control signal corresponding to the control calculation value c (d) output from the second OS 42.

  With reference to FIG.1 and FIG.2, the flow of the fail safe process in ECU1 is demonstrated. In particular, the processing on the first CPU 51 side will be described with reference to the flowchart of FIG. 3, and the processing on the second CPU 52 side will be described with reference to the flowchart of FIG. FIG. 3 is a flowchart showing a flow of processing in the first CPU in the ECU of FIG. FIG. 4 is a flowchart showing a flow of processing in the second CPU in the ECU of FIG.

  Each time the ABS system is activated and data is input, the first CPU 51 executes the first ABS application 31 and the second ABS application 32 on the first OS 41, and the second CPU 52 executes the first ABS application 31 and the second ABS application 32 on the second OS 42. Is executed.

  The first CPU 51 outputs the control calculation value a by the first ABS application 31 (S10) and also outputs the control calculation value b by the second ABS application 32 (S11). Then, the first CPU 51 transmits the control calculation values a and b to the second CPU 52 (S12). Further, the first CPU 51 receives the control calculation values c and d from the second CPU 52 (S13).

  The second CPU 52 outputs the control calculation value c by the first ABS application 31 (S30) and outputs the control calculation value d by the second ABS application 32 (S31). Then, the second CPU 52 transmits the control calculation values c and d to the first CPU 51 (S32). Further, the second CPU 52 receives the control calculation values a and b from the first CPU 51 (S33).

  The first CPU 51 compares the control calculation values a, b, c, and d (S14). In the first CPU 51, 0 is assigned to Status1 when a = b = c = d, 1 is assigned to Status1 when a = c ≠ b = d, and a = b = c ≠ d. 2 is assigned to Status1, 2 is assigned to Status1 if a = b = d ≠ c, 3 is assigned to Status1 if a ≠ b = c = d, and b ≠ a = If c = d, 3 is assigned to Status1, and if it is any other pattern, 4 is assigned to Status1 (S15). Then, the first CPU 51 transmits Status1 to the second CPU 52 (S16). Further, the first CPU 51 receives Status 2 from the second CPU 52 (S17).

  The second CPU 52 compares the control calculation values a, b, c and d (S34). In the second CPU 52, 0 is assigned to Status2 when a = b = c = d, 1 is assigned to Status2 when a = c ≠ b = d, and a = b = c ≠ d. 2 is assigned to Status2, 2 is assigned to Status2 if a = b = d ≠ c, 3 is assigned to Status2 if a ≠ b = c = d, and b ≠ a = If c = d, 3 is assigned to Status2, and if it is any other pattern, 4 is assigned to Status2 (S35). Then, the second CPU 52 transmits Status2 to the first CPU 51 (S36). Further, the second CPU 52 receives Status1 from the first CPU 51 (S37).

  The first CPU 51 determines whether Status1 and Status2 are the same (S18). When it is determined that Status1 and Status2 are the same, the first CPU 51 determines Status1 (S19). When Status 1 is 0, the first CPU 51 performs normal ABS control using the control calculation value a (b) (S20). When Status 1 is 1, the first CPU 51 turns off the ABS relay, ends the ABS applications 31 and 32, and stops the ABS control (S21). When Status 1 is 2, the first CPU 51 continues the ABS control using the control calculation value a (b) (S22). If Status 1 is 3, the first CPU 51 does nothing (S23). If Status 1 is 4 or if it is determined in S18 that Status 1 and Status 2 are different, the first CPU 51 shuts down the system or turns off the power and stops the system (S24).

  The second CPU 52 determines whether Status2 and Status1 are the same (S38). When it is determined that Status2 and Status1 are the same, the second CPU 52 determines Status2 (S39). If Status 2 is 0, the second CPU 52 performs normal ABS control on the first CPU 51 side, so nothing is performed (S40). When Status 2 is 1, the second CPU 52 turns off the ABS relay, ends the ABS applications 31 and 32, and stops the ABS control (S41). If Status 2 is 2, the second CPU 52 does nothing (S42). When Status 2 is 3, the second CPU 52 continues the ABS control using the control calculation value c (d) (S43). If Status 2 is 4 or if it is determined in S38 that Status 2 and Status 1 are different, the second CPU 52 shuts down the system or turns off the power and stops the system (S44).

  According to this ECU 1, the first ABS application 31 and the second ABS application 32 respectively converted by the different compilers 21 and 22 are arranged in the first OS 41 and the second OS 42, respectively, and four control calculation values a and b in four combinations are provided. , C, d can be discriminated as a bug of OS 41, 42 or a bug of compilers 21, 22. As a result, when there is a bug in the compilers 21 and 22, file safe processing (for example, only ABS control is stopped) when the compiler is abnormal (ABS application abnormality) is executed, and when there is a bug in the OS 41 and 42, the OS File safe processing at the time of abnormality can be implemented. In particular, when there is a bug in the OSs 41 and 42, when it is possible to determine which OS has the bug, the ABS control can be continued with the normal OS.

  The ECU 2 of the ABS system + ACC system according to the second embodiment will be described with reference to FIGS. FIG. 5 is a configuration diagram of the ECU of the ABS system + ACC system according to the second embodiment. FIG. 6 is a list of discrimination patterns for comparison of control calculation values on the ABS side by a combination of two compilers and two OSs in the ECU of FIG. FIG. 7 is a list of discrimination patterns for comparison of control calculation values on the ACC side by a combination of two compilers and two OSs in the ECU of FIG.

  The ECU 2 is an electronic control unit, and performs overall control of the ABS system and the ACC system. The ECU 2 includes, as software, an ABS application 10A and an ACC application 10B, a first compiler 21 and a second compiler 22, a first ABS application 31A and a second ABS application 32A, a first ACC application 31B and a second ACC application 32B, a first OS 41 and a second OS 42. Have. The ECU 2 includes a first CPU 51 and a second CPU 52, ROM, RAM, and the like as hardware. Further, in the ECU 2, a comparison unit 62 and an output processing unit 72 are configured by each application being executed by each of the CPUs 51 and 52. The comparison unit 62 and the output processing unit 72 are configured on both the first CPU 51 side and the second CPU 52 side, and the same processing is performed on both sides.

  In the second embodiment, the first ABS application 31A, the second ABS application 32A, the first ACC application 31B, and the second ACC application 32B correspond to the first application and the second application described in the claims, and the first OS 41 The second OS 42 corresponds to the first operating environment and the second operating environment described in the claims, and the comparison unit 62 corresponds to the processing result comparison means described in the claims.

  The ABS application 10A is the same software as the ABS application 10 described in the first embodiment. The first ABS application 31A and the second ABS application 32A are the same software as the first ABS application 31 and the second ABS application 32 described in the first embodiment.

  The ACC application 10B is software created by a developer in a predetermined programming language, and is source code for performing ACC control. In the present embodiment, the fail safe process will be described assuming that there is no bug in the ABS application 10A and the ACC application 10B. Note that the ABS application 10A and the ACC application 10B of the source code are also installed in the ECU 2. In the ECU 2, the first compiler 21 and the second compiler 22 use the first ABS application 31A, the second ABS application 32A, the first ACC application 31B, and the second ACC application 32B. Alternatively, the ABS application 10A and the ACC application 10B may not be installed in the ECU 2, and the first ABS application 31A, the second ABS application 32A, and the first ACC previously converted by the first compiler 21 and the second compiler 22 may be used. Only the application 31B and the second ACC application 32B may be mounted on the ECU 2.

  The first ACC application 31B is a machine language program obtained by converting the ACC application 10B of the source code by the first compiler 21. The second ACC application 32B is a machine language program in which the ACC application 10B of the source code is converted by the second compiler 22. The first ACC application 31B and the second ACC application 32B are mounted on the first OS 41 (first CPU 51) and the second OS 42 (first CPU 52), respectively. The first ACC application 31B and the second ACC application 32B perform processing in different processing steps when the same data is input and executed on the OSs 41 and 42 when there is no bug in the compilers 21 and 22. The same processing result data is output to the OS 41, 42.

  The first CPU 51 executes the first ABS application 31A and the second ABS application 32A on the first OS 41 each time the same predetermined data is input to the first ABS application 31A and the second ABS application 32A. When the first ABS application 31A is executed on the first OS 41, the control calculation value a is output as in the first embodiment. When the second ABS application 32A is executed on the first OS 41, the control calculation value b is output as in the first embodiment. Then, the first CPU 51 transmits the control calculation values a and b to the second CPU 52 and receives the control calculation values e and f from the second CPU 52.

  The first CPU 51 executes the first ACC application 31B and the second ACC application 32B on the first OS 41 each time the same predetermined data is input to the first ACC application 31B and the second ACC application 32B. When the first ACC application 31B is executed on the first OS 41, the processing result data for the input data is output to the first OS 41. When the processing result data is input, the first OS 41 outputs the control calculation value c corresponding to the processing result data. To do. When the second ACC application 32B is executed on the first OS 41, the processing result data for the input data is output to the first OS 41. When the processing result data is input, the first OS 41 sets the control calculation value d corresponding to the processing result data. Output. Then, the first CPU 51 transmits the control calculation values c and d to the second CPU 52 and receives the control calculation values g and h from the second CPU 52.

  The second CPU 52 executes the first ABS application 31A and the second ABS application 32A on the second OS 42 every time the same predetermined data is input to the first ABS application 31A and the second ABS application 32A. When the first ABS application 31A is executed on the second OS 42, the control calculation value e (however, the control calculation value c is set in the first embodiment) is output as in the first embodiment. When the second ABS application 32A is executed on the second OS 42, the control calculation value f (however, the control calculation value d is used in the first embodiment) is output as in the first embodiment. Then, the second CPU 52 transmits the control calculation values e and f to the first CPU 51 and receives the control calculation values a and b from the first CPU 51.

  The second CPU 52 executes the first ACC application 31B and the second ACC application 32B on the second OS 42 every time the same predetermined data is input to the first ACC application 31B and the second ACC application 32B. When the first ACC application 31B is executed on the second OS 42, the processing result data for the input data is output to the second OS 42. When the processing result data is input, the second OS 42 outputs the control calculation value g corresponding to the processing result data. To do. When the second ACC application 32B is executed on the second OS 42, the processing result data for the input data is output to the second OS 42. When the processing result data is input, the second OS 42 outputs the control calculation value h corresponding to the processing result data. To do. Then, the second CPU 52 transmits the control calculation values g and h to the first CPU 51 and receives the control calculation values c and d from the first CPU 51.

  The comparison unit 62 compares the control calculation values a, b, e, and f on the ABS control side, and according to the discrimination pattern shown in FIG. 6 depending on whether the control calculation values a, b, e, and f are the same value or different values. Judgment processing is performed. The determination processing with each determination pattern corresponds to the case where the control calculation value c is set to e and d is set to f in the description of the comparison unit 61 in the first embodiment.

  Further, the comparison unit 62 compares the control calculation values c, d, g, and h on the ACC control side, and determines whether the control calculation values c, d, g, and h are the same value or different values as shown in FIG. Each process is performed according to.

  When all of c, d, g, and h have the same value, the comparison unit 62 has no bugs in the first compiler 21 (first ACC application 31B), the second compiler 22 (second ACC application 32B), the first OS 41, and the second OS 42. It is determined that the normal ACC control is performed.

  When c and g are the same value and d and h are the same value, but c, g and d and h are different values, the comparison unit 62 has no bug in the first OS 41 and the second OS 42. It is determined that either one of the first compiler 21 and the second compiler 22 has a bug. In this case, one of the ACC applications 31B and 32B has a portion that cannot be normally executed. However, in order to continue the ACC control as much as possible, the comparison unit 62 determines to restart the ACC application. In the case of such a pattern, the ABS control is stopped on the ABS system side because the ABS system is a safety system that requires high safety.

  When c and d are the same value and g and h are the same value, but c, d and g, h are different values, the comparison unit 62 has a bug in the first compiler 21 and the second compiler 22. However, it is determined that either one of the first OS 41 and the second OS 42 has a bug. In this case, since it cannot be determined which of the OSs 41 and 42 cannot be executed normally, the comparison unit 62 determines to stop the system as a safe process.

  When c, d, and g are the same value and only h is a different value, the comparison unit 62 has no bug in the first compiler 21, the second compiler 22, and the first OS 41, but the second OS 42 has a bug. to decide. In this case, since it can be determined that only the second OS 42 cannot be normally executed, the comparison unit 62 determines to continue the ACC control only on the normal first OS 41 side.

  When c, d, and h are the same value and only g is different, the comparison unit 62 has no bug in the first compiler 21, the second compiler 22, and the first OS 41, but the second OS 42 has a bug. to decide. In this case, since it can be determined that only the second OS 42 cannot be normally executed, the comparison unit 62 determines to continue the ACC control only on the normal first OS 41 side.

  When d, g, and h are the same value and only c is different, the comparison unit 62 has no bug in the first compiler 21, the second compiler 22, and the second OS 42, but the first OS 41 has a bug. to decide. In this case, since it can be determined that only the first OS 41 cannot be normally executed, the comparison unit 62 determines to continue the ACC control only on the normal second OS 42 side.

  When c, g, and h are the same value and only d is a different value, in the comparison unit 62, there is no bug in the first compiler 21, the second compiler 22, and the second OS 42, but there is a bug in the first OS 41. to decide. In this case, since it can be determined that only the first OS 41 cannot be normally executed, the comparison unit 62 determines to continue the ACC control only on the normal second OS 42 side.

  In the case of patterns other than those described above, as described in the first embodiment, it is extremely rare and can be ignored. However, in the event that this pattern occurs, the system may be stopped.

  When the output processing unit 72 determines that the normal ABS control is to be performed in the determination on the ABS control side of the comparison unit 62, the control calculation value a (b, e, ABS) output from either one of the OS 41, 42 is used. A control signal corresponding to f) is output. When the output processing unit 72 determines that the ABS control is to be stopped by the determination on the ABS control side of the comparison unit 62, the ABS relay is turned off and the ABS applications 31A and 32A are both terminated. Further, when the output processing unit 72 determines that the system is to be stopped by the determination on the ABS control side of the comparison unit 62, the output processing unit 72 shuts down or turns off the power. Further, when the output processing unit 72 determines that the ABS control is continued only on the first OS 41 side in the determination on the ABS control side of the comparison unit 62, the output processing unit 72 responds to the ABS control operation value a (b) output from the first OS 41. Output control signals. Further, when the output processing unit 72 determines that the ABS control is to be continued only on the second OS 42 side in the determination on the ABS control side of the comparison unit 62, the output processing unit 72 responds to the ABS control operation value e (f) output from the second OS 42. Output control signals.

  In the output processing unit 72, when it is determined that the normal ACC control is performed in the determination on the ACC control side of the comparison unit 62, the control calculation value c (d, g, ACC) output from one of the OSs 41 and 42 is determined. The control signal according to h) is output. Further, when the output processing unit 72 determines that the ACC application is to be restarted in the determination on the ACC control side of the comparison unit 62, the output processing unit 72 restarts the ACC applications 31B and 32B. Further, when the output processing unit 72 determines that the system is to be stopped by the determination on the ACC control side of the comparison unit 62, the output processing unit 72 shuts down or turns off the power. Further, in the output processing unit 72, when it is determined in the determination on the ACC control side of the comparison unit 62 that the ACC control is continued only on the first OS 41 side, the control calculation value c (d) on the ACC control side output from the first OS 41 is set. A corresponding control signal is output. Further, in the output processing unit 72, when it is determined in the determination on the ACC control side of the comparison unit 62 that the ACC control is continued only on the second OS 42 side, the control calculation value g (h) on the ACC control side output from the second OS 42 is set. A corresponding control signal is output.

  With reference to FIGS. 5-7, the flow of the fail safe process in ECU2 is demonstrated. In particular, the processing on the first CPU 51 side will be described with reference to the flowcharts of FIGS. 8 and 9, and the processing on the second CPU 52 side will be described with reference to the flowcharts of FIGS. 10 and 11. FIG. 8 is a flowchart showing the flow of processing (first half) in the first CPU in the ECU of FIG. FIG. 9 is a flowchart showing a flow of processing (second half) in the first CPU in the ECU of FIG. FIG. 10 is a flowchart showing the flow of processing (first half) in the second CPU in the ECU of FIG. FIG. 11 is a flowchart showing a flow of processing (second half) in the second CPU in the ECU of FIG.

  Each time the ABS system is activated and ABS data is input, the first CPU 51 executes the first ABS application 31A and the second ABS application 32A on the first OS 41, and the second CPU 52 executes the first ABS application 31A and the second ABS on the second OS 42. The 2ABS application 32A is executed. Each time the ACC system is activated and data on the ACC side is input, the first CPU 51 executes the first ACC application 31B and the second ACC application 32B on the first OS 41, and the second CPU 52 executes the first ACC application 31B on the second OS 42. And the 2nd ACC application 32B is performed.

  The first CPU 51 outputs the control calculation value a by the first ABS application 31A (S50) and also outputs the control calculation value b by the second ABS application 32A (S51). Further, the first CPU 51 outputs the control calculation value c by the first ACC application 31B (S52) and also outputs the control calculation value d by the second ACC application 32B (S53). Then, the first CPU 51 transmits the control calculation values a, b, c, d to the second CPU 52 (S54). Further, the first CPU 51 receives the control calculation values e, f, g, h from the second CPU 52 (S55).

  The second CPU 52 outputs the control calculation value e by the first ABS application 31A (S80) and outputs the control calculation value f by the second ABS application 32A (S81). Further, the second CPU 52 outputs the control calculation value g by the first ACC application 31B (S82) and outputs the control calculation value h by the second ACC application 32B (S83). Then, the second CPU 52 transmits the control calculation values e, f, g, and h to the first CPU 51 (S84). The second CPU 52 receives the control calculation values a, b, c, d from the first CPU 51 (S85).

  The first CPU 51 compares the control calculation values a, b, e, and f (S56). In the first CPU 51, 0 is assigned to Status 11 when a = b = e = f, 1 is assigned to Status 11 when a = e ≠ b = f, and a = b = e ≠ f. 2 is assigned to Status 11, 2 is assigned to Status 11 if a = b = f ≠ e, 3 is assigned to Status 11 if a ≠ b = e = f, and b ≠ a = In the case of e = f, 3 is substituted into Status 11, and in the case of other patterns, 4 is substituted into Status 11 (S57).

  Further, the first CPU 51 compares the control calculation values c, d, g, and h (S58). In the first CPU 51, 0 is assigned to Status 12 when c = d = g = h, 1 is assigned to Status 12 when c = g ≠ d = h, and c = d = g ≠ h. 2 is assigned to Status 12, 2 is assigned to Status 12 if c = d = h ≠ g, 3 is assigned to Status 12 if c ≠ d = g = h, and d ≠ c = If g = h, 3 is assigned to Status 12, and if it is a pattern other than these, 4 is assigned to Status 12 (S59).

  Then, the first CPU 51 transmits Status 11 and Status 12 to the second CPU 52 (S60). In addition, the first CPU 51 receives Status 21 and Status 22 from the second CPU 52 (S61).

  The second CPU 52 compares the control calculation values a, b, e, and f (S86). Then, in the second CPU 52, 0 is assigned to Status 21 when a = b = e = f, 1 is assigned to Status 21 when a = e ≠ b = f, and a = b = e ≠ f. 2 is assigned to Status 21, 2 is assigned to Status 21 if a = b = f ≠ e, 3 is assigned to Status 21 if a ≠ b = e = f, and b ≠ a = In the case of e = f, 3 is substituted into Status 21, and in the case of other patterns, 4 is substituted into Status 21 (S87).

  Further, the second CPU 52 compares the control calculation values c, d, g, and h (S88). Then, in the second CPU 52, 0 is substituted into Status 22 when c = d = g = h, 1 is substituted into Status 22 when c = g ≠ d = h, and c = d = g ≠ h. 2 is assigned to Status 22, 2 is assigned to Status 22 if c = d = h ≠ g, 3 is assigned to Status 22 if c ≠ d = g = h, and d ≠ c = If g = h, 3 is assigned to Status 22, and if it is a pattern other than these, 4 is assigned to Status 22 (S89).

  Then, the second CPU 52 transmits Status 21 and Status 22 to the first CPU 51 (S90). In addition, the second CPU 52 receives Status 11 and Status 12 from the first CPU 51 (S91).

  The first CPU 51 determines whether Status 11 and Status 21 are the same (S62). When it is determined that the status 11 and the status 21 are the same, the first CPU 51 determines whether the status 12 and the status 22 are the same (S63). When it is determined that the Status 12 and the Status 22 are the same, the first CPU 51 determines the Status 11 (S64). When Status 11 is 0, the first CPU 51 performs normal ABS control using the control calculation value a (b) (S65). When Status 11 is 1, the first CPU 51 turns off the ABS relay, ends the ABS applications 31A and 32A, and stops the ABS control (S66). When Status 11 is 2, the first CPU 51 continues the ABS control using the control calculation value a (b) (S67). If Status 11 is 3, the first CPU 51 does nothing (S68). Further, the first CPU 51 determines Status 12 (S70). When Status 12 is 0, the first CPU 51 performs normal ACC control using the control calculation value c (d) (S71). When Status 12 is 1, the first CPU 51 restarts the ACC applications 31B and 32B (S72). When Status 12 is 2, the first CPU 51 continues the ACC control using the control calculation value c (d) (S73). When Status 12 is 3, the first CPU 51 does nothing (S74). If the status 11 is 4, the status 12 is 4, the determination in S62 determines that the status 11 and the status 21 are different, or the determination in S63 determines that the status 12 and the status 22 are different, the first CPU 51 shuts down the system or The power is turned off and the system is stopped (S69, S75).

  The second CPU 52 determines whether Status 21 and Status 11 are the same (S92). When it is determined that the status 21 and the status 11 are the same, the second CPU 52 determines whether the status 22 and the status 12 are the same (S93). When it is determined that the status 22 and the status 12 are the same, the second CPU 52 determines the status 21 (S94). When Status 21 is 0, the second CPU 52 performs normal ABS control on the first CPU 51 side, so nothing is performed (S95). When the status 21 is 1, the second CPU 52 turns off the ABS relay, ends the ABS applications 31A and 32A, and stops the ABS control (S96). If Status 21 is 2, the second CPU 52 does nothing (S97). When Status 21 is 3, the second CPU 52 continues the ABS control using the control calculation value e (f) (S98). Further, the second CPU 52 determines Status 22 (S100). When the status 22 is 0, the second CPU 52 performs normal ACC control on the first CPU 51 side, so nothing is performed (S101). When Status 22 is 1, the second CPU 52 restarts the ACC applications 31B and 32B (S102). If Status 22 is 2, the second CPU 52 does nothing (S103). When Status 22 is 3, the second CPU 52 continues the ACC control using the control calculation value g (h) (S104). When the status 21 is 4, when the status 22 is 4, when it is determined that the status 21 and the status 11 are different in the determination of S92, or when it is determined that the status 22 and the status 12 are different in the determination of S93, the second CPU 52 shuts down the system or The power is turned off and the system is stopped (S99, S105).

  According to this ECU 2, four control calculation values in four combinations are arranged by arranging the first ABS application 31A and the second ABS application 32A respectively converted by the different compilers 21 and 22 into the first OS 41 and the second OS 42 on the ABS side. a, b, e, f are compared, and on the ACC side, the first ACC application 31B and the second ACC application 32B converted by the different compilers 21 and 22 are respectively arranged in the first OS 41 and the second OS 42, and four combinations are provided. By comparing these four control calculation values c, d, g, and h, it is possible to determine whether the bug is the OS 41 or 42 or the compiler 21 or 22. As a result, when there is a bug in the compilers 21 and 22, file safe processing (for example, ABS control is stopped on the ABS side which is a safety system, and the ACC application is restarted on the ACC side which is a driving support system) is executed. If there is a bug in the OS 41, 42, file safe processing can be performed when the OS is abnormal. In particular, when there is a bug in the OSs 41 and 42 and it can be determined which OS has the bug, the ABS control and the ACC control can be continued with the normal OS.

  With reference to FIG.12 and FIG.13, ECU3 of the ABS system which concerns on 3rd Embodiment is demonstrated. FIG. 12 is a configuration diagram of the ECU of the ABS system according to the third embodiment. FIG. 13 is a list of discrimination patterns for comparison of control calculation values by a combination of two compilers and two OSs in the ECU of FIG.

  The ECU 3 is an electronic control unit and performs overall control of the ABS system. The ECU 3 includes an ABS application 10, a first compiler 21 and a second compiler 22, a first ABS application 31, a second ABS application 32, a first OS 41, and a second OS 42 as software. The ECU 3 includes a first CPU 51 and a second CPU 52, ROM, RAM, and the like as hardware. Further, in the ECU 3, a comparison unit 63 and an output processing unit 73 are configured by each application being executed by each of the CPUs 51 and 52. The comparison unit 63 and the output processing unit 73 are configured on both the first CPU 51 side and the second CPU 52 side, and the same processing is performed on both sides.

  In the third embodiment, the first ABS application 31 and the second ABS application 32 correspond to the first application and the second application described in the claims, and the first OS 41 and the second OS 42 are described in the claims. The comparison unit 63 corresponds to the processing result comparison unit described in the claims.

  The ECU 3 has the same configuration on the first CPU 51 side and a different configuration on the second CPU 52 side as compared with the ECU 1 according to the first embodiment, so only the configuration will be described. The first ABS application 31 is installed on each of the first OS 41 (first CPU 51) and the second OS 42 (first CPU 52), while the second ABS application 32 is installed only on the first OS 41 (first CPU 51). Therefore, the second CPU 52 executes only the first ABS application 31 on the second OS 42 every time predetermined data (the same data as the predetermined data input on the first CPU 51 side) is input to the first ABS application 31. Only the calculated value c is output.

  The comparison unit 63 compares the control calculation values a, b, and c, and performs each determination process according to the determination pattern shown in FIG. 13 depending on whether the control calculation values a, b, and c are the same value or different values.

  When all of a, b, and c have the same value, the comparison unit 63 determines that the first compiler 21 (first ABS application 31), the second compiler 22 (second ABS application 32), the first OS 41, and the second OS 42 are free of bugs. It is determined that normal ABS control is performed.

  When a and c are the same value and only b is a different value, the comparison unit 63 has no bug in the first OS 41 and the second OS 42, but one of the first compiler 21 and the second compiler 22 has a bug. It can also be determined that there is no bug in the first compiler 21, the second compiler 22, and the second OS 42, but there is a bug in the first OS 41. In this case, the comparison unit 63 determines to stop the ABS control as a safe process.

  When a and b are the same value and only c is a different value, the comparison unit 63 has no bug in the first compiler 21 and the second compiler 22, but there is a bug in either the first OS 41 or the second OS 42. Judge that there is. In this case, since it cannot be determined which of the OSs 41 and 42 cannot be executed normally, the comparison unit 63 determines to stop the system as a safe process.

  When b and c are the same value and only a is a different value, the comparison unit 63 determines that the first compiler 21, the second compiler 22, and the second OS 42 have no bug, but the first OS 41 has a bug. . In this case, since it can be determined that only the first OS 41 cannot be normally executed, the comparison unit 63 determines that the ABS control is continued only on the normal second OS 42 side. Although there is a bug in a part of the first OS 41, it can be estimated that b and c have the same value because the second ABS application 32 is executed in the part where the first OS 41 is operating normally.

  In the case of a pattern other than the above, as described in the first embodiment, it is extremely rare and can be ignored. However, in the event that this pattern occurs, the system may be stopped as a safe process.

  The output processing unit 73 performs the same processing as the output processing unit 71 described in the first embodiment, and thus description thereof is omitted. However, the output processing unit 73 does not perform output processing when the ABS control is continued only on the first OS 41 side.

  With reference to FIG.12 and FIG.13, the flow of the fail safe process in ECU3 is demonstrated. In particular, the processing on the first CPU 51 side will be described with reference to the flowchart of FIG. 14, and the processing on the second CPU 52 side will be described with reference to the flowchart of FIG. FIG. 14 is a flowchart showing the flow of processing in the first CPU in the ECU of FIG. FIG. 15 is a flowchart showing a flow of processing in the second CPU in the ECU of FIG.

  Each time the ABS system is activated and data is input, the first CPU 51 executes the first ABS application 31 and the second ABS application 32 on the first OS 41, and the second CPU 52 executes the first ABS application 31 on the second OS 42.

  The first CPU 51 outputs the control calculation value a by the first ABS application 31 (S110) and outputs the control calculation value b by the second ABS application 32 (S111). Then, the first CPU 51 transmits the control calculation values a and b to the second CPU 52 (S112). Further, the first CPU 51 receives the control calculation value c from the second CPU 52 (S113).

  The second CPU 52 outputs the control calculation value c by the first ABS application 31 (S130). Then, the second CPU 52 transmits the control calculation value c to the first CPU 51 (S131). Further, the second CPU 52 receives the control calculation values a and b from the first CPU 51 (S132).

  The first CPU 51 compares the control calculation values a, b, and c (S114). In the first CPU 51, 0 is assigned to Status1 when a = b = c, 1 is assigned to Status1 when a = c ≠ b, and 2 is assigned to Status1 when a ≠ b = c. When a = b ≠ c, 3 is assigned to Status1, and in the case of other patterns, 4 is assigned to Status1 (S115). Then, the first CPU 51 transmits Status1 to the second CPU 52 (S116). Further, the first CPU 51 receives Status 2 from the second CPU 52 (S117).

  The second CPU 52 compares the control calculation values a, b, and c (S133). In the second CPU 52, 0 is assigned to Status2 when a = b = c, 1 is assigned to Status2 when a = c ≠ b, and 2 is assigned to Status2 when a ≠ b = c. If a = b ≠ c, 3 is assigned to Status2, and if the pattern is other than these, 4 is assigned to Status2 (S134). Then, the second CPU 52 transmits Status2 to the first CPU 51 (S135). Further, the second CPU 52 receives Status1 from the first CPU 51 (S136).

  The first CPU 51 determines whether Status1 and Status2 are the same (S118). When it is determined that Status1 and Status2 are the same, the first CPU 51 determines Status1 (S119). When Status 1 is 0, the first CPU 51 performs normal ABS control using the control calculation value a (b) (S120). When Status 1 is 1, the first CPU 51 turns off the ABS relay, ends the ABS applications 31 and 32, and stops the ABS control (S121). If Status 1 is 2, the first CPU 51 does nothing (S122). If Status 1 is 3 or 4, or if it is determined in S118 that Status 1 and Status 2 are different, the first CPU 51 shuts down the system or turns off the power and stops the system (S123).

  The second CPU 52 determines whether Status2 and Status1 are the same (S137). When it is determined that Status2 and Status1 are the same, the second CPU 52 determines Status2 (S138). When Status 2 is 0, the second CPU 52 performs normal ABS control on the first CPU 51 side, so nothing is performed (S139). When Status 2 is 1, the second CPU 52 turns off the ABS relay, ends the ABS application 31, and stops the ABS control (S140). When Status 2 is 2, the second CPU 52 continues the ABS control using the control calculation value c (S141). When Status 2 is 3 or 4, or when it is determined that Status 2 and Status 1 are different in S137, the second CPU 52 shuts down the system or turns off the power and stops the system (S142).

  According to the ECU 3, the first ABS application 31 and the second ABS application 32 converted by the different compilers 21 and 22 are arranged in the first OS 41, and the first ABS application 31 converted by the compiler 21 is arranged in the second OS 42. By comparing the three control calculation values a, b, and c in the three combinations, it is possible to determine whether the bug is the OS 41, 42 or the compiler 21, 22. As a result, when the compilers 21 and 22 have bugs, the file safe process when the compiler is abnormal can be performed, and when the OSs 41 and 42 have bugs, the file safe process when the OS is abnormal can be performed. In particular, when there is a bug in the OSs 41 and 42, when it is possible to determine which OS has the bug, the ABS control can be continued with the normal OS.

  As mentioned above, although embodiment which concerns on this invention was described, this invention is implemented in various forms, without being limited to the said embodiment.

  For example, in this embodiment, the present invention is applied to a system mounted on a vehicle. However, any information processing apparatus having a plurality of operating environments and a plurality of applications converted by a plurality of compilers can be applied to other apparatuses. It is. Further, the present invention can also be applied to a compiler and a device that only detects bugs in the operating environment without performing various controls.

  In this embodiment, the present invention is applied to a system having two CPUs, two OSs, and two compilers (and thus two machine language programs respectively generated by the two compilers). The present invention is also applicable to a system having the above CPU, three or more OSs, and three or more compilers. Further, the arithmetic device may be a CPU core or the like instead of the CPU.

  In the present embodiment, the ECU system is configured to control the ABS system or the ABS system and the ACC system. However, the present invention can also be applied to a case where three ECUs or more are controlled by one ECU.

  In this embodiment, the bug detection of the compiler and OS is always performed, but it may be performed only once or several times. In this embodiment, the ECU and the OS bug are detected by the ECU mounted on the vehicle. However, the compiler and the OS bug are detected in advance by the same process during development, and the compiler or the compiler bug is detected. In such a case, the compiler or OS may be replaced or bugs may be removed in advance.

  In this embodiment, the application is applied to an application (machine language program) in which the source code of the same application is converted by a different compiler.

  1, 2, 3 ... ECU, 10, 10A ... ABS app, 10B ... ACC app, 21 ... 1st compiler, 22 ... 2nd compiler, 31, 31A ... 1st ABS app, 32, 32A ... 2nd ABS app, 31B ... 1st ACC application, 32B ... 2nd ACC application, 41 ... 1st OS, 42 ... 2nd OS, 51 ... 1st CPU, 52 ... 2nd CPU, 61, 62, 63 ... comparison part, 71, 72, 73 ... output processing part

Claims (2)

When the same data is input, the first operating environment and the second operating environment that output the same processing result through different processing steps, and when the same data is input when executed in the operating environment, are different. An information processing apparatus having a first application and a second application for outputting the same processing result data to an operating environment through a processing process,
In the first operating environment, the first application and the second application are executed,
In the second operating environment, at least the first application is executed,
When the same data is input to each of the first application and the second application executed on the first operating environment and the first application executed on the second operating environment, the first application Processing results in the first operating environment to be executed, processing results in the first operating environment in which the second application is executed, and processing results in the second operating environment in which the first application is executed An information processing apparatus comprising processing result comparison means for comparing In the second operating environment, the first application and the second application are executed,
The processing result comparison unit includes the same data for the first application and the second application executed on the first operating environment and the first application and the second application executed on the second operating environment. Are input, the processing result in the first operating environment in which the first application is executed, the processing result in the first operating environment in which the second application is executed, and the first application The information processing apparatus according to claim 1, wherein the processing result in the second operating environment to be executed is compared with the processing result in the second operating environment in which the second application is executed.

Images