JP5845902B2 - Information processing apparatus and memory access management method - Google Patents

Description

  The present invention relates to an information processing device and a memory access management method, and in particular, stores a predetermined number of authority information indicating access authority to any of a plurality of areas included in a memory by any of a plurality of tasks, The present invention relates to an information processing apparatus and a memory access management method for managing memory access from a computer.

  Service robots must ensure functional safety by constantly monitoring the safety state with external sensors and self-diagnosis devices and executing appropriate safety control logic when any danger is detected.

  In addition to the service robots described above, IEC 61508 has been established as an international standard for functional safety for systems that operate on electrical principles such as transportation equipment. In IEC 61508, a system provided for ensuring functional safety is called a safety-related system. IEC 61508 defines various techniques for constructing a safety-related system using hardware such as a microprocessor and a PLC (Programmable Logic Controller) and a computer program (software). By using the technique defined in IEC 61508, it is possible to construct a safety-related system using a computer system.

  On the other hand, in recent years, the processing capability of programmable electronic devices such as microprocessors has improved. For this reason, a multi-task OS (Operating System) is used, and various application programs are executed in parallel on one computer system, thereby integrating multiple-use computer systems installed in service robots and automobiles. can do.

  For example, Patent Literature 1 discloses a technique for causing an application program (hereinafter referred to as a safety-related application) related to ensuring functional safety to operate on one computer system together with other application programs (hereinafter referred to as a non-safety-related application). Has been.

  When the technique defined in IEC 61508 is applied to the entire software including safety-related applications and non-safety-related applications, it is necessary to apply even to non-safety-related applications. For this reason, there is a problem that the software development cost increases.

  Therefore, in the technique disclosed in Patent Document 1, safety-related applications (safety monitoring program and safety control program) are made independent from non-safety-related applications (normal control program) by time partitioning of the system program. For this reason, the normal control program can be excluded from the safety-related system, which can contribute to the cost reduction of the safety-related system configured using the computer system.

JP 2010-271759 A

  Here, the technique disclosed in Patent Document 1 employs a technique called resource partitioning. In this technique, fixed resources such as execution memory are partitioned into partitions called resource partitions. The application is prohibited from accessing other resources beyond the pre-assigned resource partition.

  The applicant of the present application has found the problems described below when examining the above-described resource partitioning using an MMU (Memory Management Unit) or an MPU (Memory Protection Unit). The problem will be described below. In addition, the content demonstrated below is the content which the present applicant newly examined, and is not what demonstrated the prior art.

  In an operating system that employs time partitioning, as illustrated in FIG. 14, the operating application can be switched by switching the time partition. In FIG. 14, “TP1”, “TP2”, and “TP3” indicate time partitions, and “T1”, “T2”, and “T3” indicate tasks belonging to TP1 to TP3, respectively. It is assumed that the task is generated by executing a non-safety related application or a safety related application.

  In FIG. 14, it is assumed that T1 belonging to TP1 is generated by a non-safety related application, and T2 belonging to TP2 is generated by a safety related application. In this case, for functional safety, T1 belonging to TP1, which is a non-safety related system, needs to prevent access to the resource partition of TP2, which is a safety related system.

  On the other hand, if the memory protection function of the MMU or MPU is used, resource partitioning can be performed by granting access authority to the resource partition corresponding to the time partition to each time partition. . Specifically, as shown in FIG. 15, T1 belonging to TP1 is given access authority to access only the memory area allocated to the resource partition of TP1, and T2 belonging to TP2 is assigned to TP2 Grant access authority to access only the memory area allocated to the resource partition. In this way, for example, when T1 accesses an area of memory allocated to the resource partition of T2, the access can be detected as a memory protection violation by the MMU or MPU. . This makes it possible to prevent a task belonging to a certain time partition from accessing a resource partition assigned to another time partition.

  Here, when the MMU and MPU access a certain area in the memory by referring to the table in which the access authority is defined, whether or not the task has the access authority to the area. To protect the memory. This table generally has a plurality of entries, and one entry includes information indicating access authority to any one page (area) in the memory by any one task. ing. This table is called TLB (Translation Look-aside Buffer) in the MMU.

  Hereinafter, the case of MMU will be described. When a certain task accesses a certain page in the memory, the MMU refers to the TLB and determines whether or not the task has the access authority to the page. If the MMU determines that the user does not have access authority, the MMU detects the access as a TLB protection violation (memory protection violation).

  However, when there is an access to a certain page in the memory from a certain task, the MMU detects this as a TLB miss if there is no entry in the TLB indicating the access authority for that page by that task. When a TLB miss is detected, information indicating the access authority is created and stored in any entry in the TLB. Then, the same memory access is issued again, and the access authority is determined based on the newly stored information. Thus, when a TLB miss occurs, the memory access is delayed until at least information indicating the access authority is created and stored in the TLB. Also, the processing time for creating this information is indeterminate. Therefore, there is a problem that processing that needs to be executed immediately is delayed. For example, it is not preferable for the safety-related application task to be delayed due to the execution of the process related to ensuring functional safety.

  Here, the MMU and the MPU are common in that they have a memory protection function for detecting a memory access without access authority. On the other hand, generally, the MMU and the MPU are different in that only the MMU of the MMU and the MPU has a virtual storage management function for converting a virtual address into a physical address.

  The present invention has been made based on the above-described knowledge, and an object thereof is to provide an information processing apparatus and a memory access management method that can reduce the probability that memory access by a specific task is delayed.

  An information processing apparatus according to a first aspect of the present invention includes a memory including a plurality of areas, a task execution unit that executes a plurality of tasks, and access to any of the plurality of areas by any of the plurality of tasks. A storage unit capable of storing a predetermined number of authority information indicating authority, and when the task execution unit accesses the area by the task, authority information indicating an access authority to the area by the task is stored in the storage unit. If the authority information is stored, the access authority is determined based on the authority information. If the authority information is not stored, the access authority is determined. An access management unit that stores authority information indicating access authority to the area by the task in the storage unit The plurality of tasks includes a first task and a second task that is allowed to be delayed in execution as compared to the first task, and the access management unit relates to the first task. When it is necessary to overwrite any of the authority information stored in the storage unit when the authority information is stored in the storage unit, the authority information related to the first task and the authority information related to the second task Among them, the authority information related to the second task is preferentially overwritten.

  The memory access management method according to the second aspect of the present invention is based on a task when any one of a plurality of tasks accesses any one of a plurality of regions included in the memory. Whether authority information indicating access authority for the area is stored in a storage unit capable of storing a predetermined number of authority information indicating access authority for any of the plurality of areas by any of the plurality of tasks. If it is determined that the authority information is stored and the authority information is stored, the authority determining step is to determine the access authority based on the authority information, and if it is determined that the authority information is not stored. In order to make it possible to determine the access authority, an access to the access destination area by the accessed task is performed. An information storage step of storing authority information indicating a task authority in the storage unit, wherein the plurality of tasks includes a first task and a second task that is allowed to be delayed in execution as compared to the first task. In the information storing step, when storing the authority information related to the first task in the storage unit, if any of the authority information stored in the storage unit needs to be overwritten, Of the authority information related to the first task and the authority information related to the second task, the authority information related to the second task is preferentially overwritten.

  According to each aspect of the present invention described above, it is possible to provide an information processing apparatus and a memory access management method capable of reducing the probability that memory access by a specific task is delayed.

It is a block diagram which shows the structural example of the safety control apparatus concerning embodiment of invention. It is a figure for demonstrating the concept of the time partitioning in embodiment of invention. It is a conceptual diagram for demonstrating the concept of the resource partitioning in embodiment of invention. It is a block diagram which shows the structural example of MMU concerning embodiment of invention. It is a figure which shows an example of TLB concerning embodiment of invention. It is a figure which shows the example of conversion to the Wild of ASID concerning embodiment of invention. It is a figure which shows the relationship between the partition scheduler and task in embodiment of invention. It is a figure which shows the specific example of a scheduling pattern. It is a figure which shows the specific example of a scheduling pattern. It is a flowchart which shows the specific example of the process sequence of the partition scheduler concerning embodiment of invention. It is a flowchart which shows the specific example of the process sequence of the entry information registration process concerning embodiment of this invention. It is a flowchart which shows the specific example of the process sequence of the memory access process concerning embodiment of this invention. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure which shows the relationship between the partition scheduler concerning other embodiment, and a task. It is a figure for demonstrating a subject. It is a figure for demonstrating a subject.

  Hereinafter, specific embodiments to which the present invention is applied will be described in detail with reference to the drawings. In the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted as necessary for the sake of clarity.

<Embodiment of the Invention>
The safety control device 1 according to the present embodiment is mounted on a service robot, a transportation device, or the like, and executes safety control for ensuring functional safety. The safety control device 1 is configured to execute a safety-related application and a non-safety-related application on the same computer system. FIG. 1 is a block diagram illustrating a configuration example of the safety control device 1 according to the present embodiment.

  The processor 10 performs calculation processing according to acquisition of a program (instruction stream), instruction decoding, and instruction decoding result. Although only one processor 10 is shown in FIG. 1, the safety control device 1 may have a multiprocessor configuration having a plurality of processors 10. The processor 10 may be a multi-core processor. The processor 10 provides a multiprogramming environment by executing an operating system (OS) 100 as a system program. A multi-programming environment is an environment in which multiple programs are executed in parallel by periodically switching and executing multiple programs, or by switching the programs to be executed in response to the occurrence of a certain event. means.

  Multiprogramming is sometimes called multiprocess, multithread, multitask, and the like. A process, a thread, and a task mean a program unit that is executed in parallel in a multiprogramming environment. The multi-programming environment included in the processor 10 of the present embodiment may be a multi-process environment or a multi-thread environment.

  The execution memory 11 is a memory used for program execution by the processor 10. The execution memory 11 stores programs (such as the OS 100 and applications 101 to 103) loaded from the nonvolatile memory 13, input / output data of the processor 10, and the like. The processor 10 may directly execute these programs from the nonvolatile memory 13 without loading the programs from the nonvolatile memory 13 to the execution memory 11.

  Specifically, the execution memory 11 may be a random accessible volatile memory such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory). The execution memory 11 in FIG. 1 represents a logical unit. That is, the execution memory 11 may be, for example, a combination of a plurality of SRAM devices, a combination of a plurality of DRAM devices, or a combination of an SRAM device and a DRAM device.

  The I / O port 12 is used for data transmission / reception with an external device. For example, when the safety control device 1 is mounted on a service robot, the external device is various sensors and actuators that operate the service robot. In this case, the various sensors include, for example, a visual sensor capable of measuring obstacles around the service robot, a posture sensor for detecting the posture of the service robot, and a rotation center for detecting the state of the actuator of the service robot. It includes a sensor that detects the internal and external status of the service robot.

  The non-volatile memory 13 is a memory device capable of maintaining stored contents more stably than the execution memory 11 without receiving power supply. For example, the nonvolatile memory 13 is a ROM (Read Only Memory), a flash memory, a hard disk drive or an optical disk drive, or a combination thereof. The nonvolatile memory 13 stores the OS 100 and the applications 101 to 103. Note that at least a part of the nonvolatile memory 13 may be configured to be removable from the safety control device 1. For example, the memory storing the applications 101 to 103 may be removable. Further, at least a part of the nonvolatile memory 13 may be disposed outside the safety control device 1.

  The OS 100 is executed by the processor 10 to use task resources including task scheduling, interrupt management, time management, resource management using hardware resources such as the processor 10, the execution memory 11, and the nonvolatile memory 13. Provides inter-task synchronization and inter-task communication mechanism.

  Further, in order to increase the independence of the safety monitoring application 101 and the safety control application 103 related to ensuring functional safety from the normal control application 102, the OS 100 has a function of protecting hardware resources temporally and spatially. . Here, the hardware resources include the processor 10, the execution memory 11, and the I / O port 12.

  Of these, temporal protection is performed by partitioning a temporal resource called the execution time of the processor 10. Specifically, temporal protection is performed by partitioning the execution time of the processor 10 and assigning a task (process or thread) to each partition (referred to as a time partition). The scheduling function (partition scheduler 21) of the OS 100 guarantees the use of resources including the execution time of the processor 10 for tasks assigned to each time partition (hereinafter sometimes referred to as TP).

  FIG. 2 is a conceptual diagram related to time partitioning. In the example of FIG. 2, an example in which a predetermined cycle time is divided into three TP1, TP2, and TP3 is shown. For example, when one cycle time is 100 Tick, the first 20 Tick is defined as TP1, the middle 30 Tick is defined as TP2, and the second 50 Tick is defined as TP3.

  In the example of FIG. 2, the first application (APL1) to the fourth application (APL4) are assigned to any one of TP1 to TP3. The scheduling function (partition scheduler 21) of the OS 100 selects / determines which of TP1 to TP3 is activated as time elapses. Then, the application assigned to the active TP is executed by the processor 10.

  On the other hand, spatial protection is performed by partitioning fixed resources including the execution memory 11 and the I / O port 12 and assigning tasks to each partition (referred to as a resource partition). The scheduling function (partition scheduler 21) of the OS 100 prohibits a task from accessing other resources beyond a pre-assigned resource partition (hereinafter sometimes referred to as RP).

  FIG. 3 is a conceptual diagram related to resource partitioning. In the example of FIG. 3, two RPs (RP1 and RP2) are shown. A part of the execution memory 11 and the nonvolatile memory 13 (A area) and a part of the I / O port 12 (port A) are allocated to RP1. Further, another part (B area) of the execution memory 11 and the nonvolatile memory 13 and another part (port B) of the I / O port 12 are allocated to RP2. Access from RP1 to the resource assigned to RP2 is prohibited, and access from RP2 to the resource assigned to RP1 is prohibited. Resource partitioning in the execution memory 11 is realized by using the memory protection function of the MMU described later.

  Note that not all resources need to be exclusively assigned to any RP. That is, there may be a resource shared by a plurality of RPs. For example, when performing safety control of a service robot, the actuator needs to be accessible from both the normal control application 102 and the safety control application 103. Therefore, the I / O port for controlling the actuator may be shared by the RP to which the normal control application 102 belongs and the RP to which the safety control application 103 belongs.

  Returning to FIG. The applications 101 to 103 are executed in a multiprogramming environment provided by the OS 100 and the processor 10. Among these, the safety monitoring application 101 executes the processor 10 to monitor the execution status of the normal control application 102, monitor the execution status of the safety control application 103, and monitor input / output data to the I / O port 12. Instruction code to make it Further, the safety monitoring application 101 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety monitoring application 101 is a safety related application.

  Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a control procedure for causing a control target such as a service robot to perform a normal function / operation. Further, the normal control application 102 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the normal control application 102 is a non-safety related application.

  Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a control procedure determined to ensure functional safety in response to a case where some abnormality is detected. Further, the safety control application 103 includes an instruction code for causing the processor 10 to execute a result notification to the partition scheduler 21. That is, the safety control application 103 is a safety-related application.

  The MMU 14 has a memory protection function and a virtual memory management function. The memory protection function is a function that monitors accesses from the processor 10 to the execution memory 11 and detects an access that causes a memory protection violation. When an access is made to an address in the execution memory 11 from the processor 10, it is determined whether or not the access has an access right to the address. When the access does not have the access authority for the address, the access is detected as a TLB protection violation (memory protection violation), and the processor 10 is notified of the TLB protection violation. In this case, the MMU 14 may inhibit access to the execution memory 11.

  The MMU 14 realizes resource partitioning in the execution memory 11 by this memory protection function. Specifically, in the case illustrated in FIG. 3, the task belonging to RP1 is given an access authority to access only the area of the execution memory 11 assigned to RP1, and the task belonging to RP2 is assigned to Access authority is granted to access only the area of the execution memory 11 assigned to RP2. Thereby, for example, when a task belonging to RP1 accesses the area of the execution memory 11 assigned to RP2, the MMU 14 detects the access as a TLB protection violation. The access authority is given to each page of the execution memory 11. Further, an arbitrary size can be determined in advance as the size of one page.

  The virtual memory management function is a function for converting a virtual address designated when the processor 10 accesses the execution memory 11 into a physical address corresponding to the virtual address. That is, the MMU 14 accesses the execution memory 11 designated by the virtual address from the processor 10 by the virtual memory management function, and gives a physical address indicating the same address as the address on the execution memory 11 indicated by the virtual address. The access is converted to access to the designated execution memory 11 and issued to the execution memory 11.

  FIG. 4 is a block diagram illustrating a configuration example of the MMU 14. The MMU 14 includes a control unit 141 and a TLB 142. Here, the physical address corresponding to the access authority and the virtual address is set by the processor 10 in the TLB 142 included in the MMU 14. The TLB 142 is a storage device such as a register and a memory included in the MMU 14, for example. The TLB 142 includes a plurality of entries. 4 illustrates the case where the number of entries in the TLB 142 is 64, the number of entries in the TLB 142 is not limited to this. The contents for one page are set in one entry. In one entry, an ASID (Address Space Identification), a virtual address, a physical address corresponding to the virtual address, an access authority to a page of the physical address by a task of the ASID, and the like are set.

  The ASID takes a value uniquely determined for each RP. In the present embodiment, since one RP corresponds to one TP, the ASID is also a value uniquely determined for each TP. As a virtual address in the TLB 142, a virtual page number indicating a certain range in which a page can be specified is generally set in the virtual address. The same applies to the physical address. In this case, the virtual address is converted into a physical address by replacing the range corresponding to the virtual page number with the physical page number and using the other offset address range as it is. Can do. As the access authority, data read authority, data write authority, and data (command) execution authority can be set. That is, the access authority can be set for each access type (read, write, or execution).

  For example, when reading and writing of data from a task belonging to a certain TP is permitted for a certain page on the execution memory 11, the entry includes an ASID corresponding to the TP, a virtual address of the page, and a physical of the page. Address, access authority with read authority and write authority, etc. are set.

  When the processor 10 accesses a certain address in a page on the execution memory 11 by reading or writing data, the processor 10 performs access specifying the ASID, virtual address, and access type (reading or writing). To issue. That is, a signal indicating each of the ASID, virtual address, and access type is output to the MMU 14. A value corresponding to the task that issued the access is specified for the ASID. That is, by referring to the designated ASID, it is possible to specify which TP belongs to the task with the authority of the task. In the present embodiment, the same ASID is designated for access from tasks belonging to the same TP. If the access type is write, data to be written to the execution memory 11 is also specified.

  The control unit 141 of the MMU 14 refers to the TLB 142, the designated ASID is set, the designated virtual address is set (or the virtual page number matches), and the designated access type If an entry that is set to have the right is detected, access is permitted. In this case, the control unit 141 converts the virtual address specified in the access into a physical address based on the detected entry, and issues an access specifying the converted physical address and the access type to the execution memory 11. . That is, signals indicating the physical address and the access type are output to the execution memory 11. If the access type is write, data to be written to the execution memory 11 is also specified.

  Further, the processor 10 issues an access specifying an ASID and a virtual address to the MMU 14 when accessing a certain address in a certain page on the execution memory 11 by executing data (instruction). The control unit 141 performs address conversion and access authority check in the same manner as described above. That is, in this check, it is determined whether or not there is an authority to execute data (command). When the access is permitted, the control unit 141 issues an access designating the converted physical address to the execution memory 11.

  In response to an access from the MMU 14, the execution memory 11 processes data according to the access. Specifically, the execution memory 11 outputs data of a specified physical address to the processor 10 when the access is performed by reading or writing and the access type is reading. The execution memory 11 writes the specified data to the specified physical address when the access is performed by reading or writing and the access type is writing. The execution memory 11 outputs the data of the designated physical address to the processor 10 when the access is performed by executing the data (instruction).

  On the other hand, the control unit 141 refers to the TLB 142 and detects an entry in which the virtual address designated by access is set (or the virtual page number matches) and the designated ASID is set. However, if the authority of the designated access type is not set to “Yes” in the entry, a TLB protection violation is detected. If an entry in which a virtual address designated by access and a designated ASID are set cannot be detected, a TLB miss is detected.

  When detecting the TLB miss, the control unit 141 notifies the processor 10 of the TLB miss. Also, the control unit 141 selects an entry to be updated from the TLB entries. In response to the notification of the TLB miss from the control unit 141, the processor 10 receives the TLB 142 entry information (hereinafter referred to as “entry information”) based on the ASID and virtual address specified in the access that caused the TLB miss. Also called). This information is information indicating the ASID and virtual address specified by the access that caused the TLB miss, the physical address corresponding to the virtual address, and the access authority to the page indicated by the physical address by the ASID. The processor 10 outputs the created information to the MMU 14. The control unit 141 updates the entry selected as the update target with the information output from the processor 10. Then, the processor 10 issues the same access to the MMU 14 again as the access that becomes the TLB miss hit. As a result, the access authority is determined without causing a TLB miss.

  In this embodiment, as shown in FIG. 5, a value indicating such a task is set as an ASID in an entry relating to a task that is preferably executed without delay. Hereinafter, this value is referred to as “Wild”. Note that a task that is generated by executing a safety-related application corresponds to a task that is preferably executed without delay. That is, the ASID of the safety-related task generated from the safety-related application is converted to Wild and stored in the TLB entry. When selecting an entry to be updated, the control unit 141 preferentially selects an entry in which Wild is not set as the ASID. According to this, it is possible to increase the probability that an entry related to a safety-related task that is preferably executed without delay exists in the TLB 142. That is, it is possible to reduce the probability that the memory access by the safety-related task is delayed due to the entry update. In addition, it is possible to reduce the probability that processing in the safety-related task is delayed due to waiting for memory access by the safety-related task.

  Here, FIG. 5 illustrates the case where the same address is set as the virtual address and the physical address in the entry of the TLB 142, but different addresses may be set. As described above, when the conversion from the virtual address to the physical address is unnecessary, the virtual memory management function of the MMU 14 may be disabled and the MMU 14 may be used. In this case, the processor 10 issues a memory access by designating a physical address. In this case, the control unit 141 issues an access in which the physical address designated by the access from the processor 10 is designated as it is to the execution memory 11. In this case, in the TLB 142, for example, as shown in FIG. 5, the same address as the physical address may be set as the virtual address. Alternatively, the MMU 14 may detect the entry described above with reference to the physical address of the TLB 142.

  Here, with reference to FIG. 6, a method for generating a Wild from an ASID will be described. Wild is generated as a value obtained by changing the bit value of a predetermined position to ON “1” among the values of ASID. For example, when changing the 17th bit from the lower order of the ASID, as shown in FIG. 6, when the ASID is “0x0001”, “0x0101” is generated as the Wild, and when the ASID is “0x0002”, “0x0102” is generated as the Wild. This may be generated, for example, by inverting the value of the 17th bit from the lower order, or generated as a logical sum with the value “0x0100” in which the 17th bit from the lower order is on. Also good. When the processor 10 generates the entry information related to the safety-related task, the processor 10 converts the ASID into the wild as described above to generate the entry information.

  When detecting the ASID designated by the memory access from the processor 10, the control unit 141 masks the bit “1” indicating “Wild” to “0” and then compares it with the designated ASID. . For example, in the example shown in FIG. 6, masking may be performed by inverting the value of the lower 17th bit, and masking as a logical sum with the value “0x0100” in which the lower 17th bit is on. You may make it do.

  Note that the Wild generation method is not limited to the above-described generation method as long as the difference from the normal ASID value can be identified. For example, in the example of FIG. 6, the case where the value of only one bit is changed is illustrated, but a plurality of bit values may be changed to ON “1”. Further, the present invention is not limited to these, as long as it is possible to distinguish the Wild value from other values by referring to the bit value at a specific bit position of the ASID. For example, when it is Wild, the specific bit value may be off “0”, and when it is not Wild, the bit value may be on “1”.

  Although FIG. 1 illustrates the case where the MMU 14 is provided outside the processor 10, the processor 10 may include the MMU 14. That is, the processor 10 may include the control unit 141 and the TLB 142.

  The reset circuit 15 resets the microcontroller 20 based on a signal from the OS 100. A transmission signal is periodically transmitted from the partition scheduler 21 to the reset circuit 15, and the reset circuit 15 resets the microcontroller 20 when the transmission signal from the partition scheduler 21 is interrupted. For example, as will be described later, the partition scheduler 21 transmits a transmission signal at a timing that operates every 1 tick. Further, when an abnormality is detected by the OS 100 or when a result notification indicating an abnormality is received from any of the applications 101 to 103, the partition scheduler 21 transmits a reset signal to the reset circuit 15 and responds accordingly. Thus, the reset circuit 15 may reset the microcontroller 20. By doing in this way, when a malfunction occurs in the microcontroller 20, the microcontroller 20 can be reset and recovered.

  Subsequently, the relationship between the partition scheduler 21 and the tasks generated by starting up the applications 101 to 103 will be described with reference to FIG. FIG. 7 is a diagram showing the relationship between the partition scheduler 21 and the tasks 24, 26, and 28 that are activated in the multiprogramming environment provided by the OS 100.

  The microcontroller 20 includes a processor 10, an execution memory 11, an I / O port 12, a nonvolatile memory 13, an MMU 14, and the like. 7 illustrates a configuration in which the reset circuit 15 is provided outside the microcontroller 20, but a configuration in which the reset circuit 15 is included in the microcontroller 20 may be employed.

  The microcontroller 20 is supplied with a clock signal from an external clock source, and the processor 10 and the like operate at a predetermined timer cycle based on this clock signal. In the present embodiment, the predetermined timer cycle is described as 1 Tick. For this reason, when the processor 10 executes the OS 100, the partition scheduler 21 operates every 1 Tick, and at each TP, the task schedulers 23, 25, 27 and tasks (safety monitoring task 24, normal control task 26, safety The control task 28) operates every 1 Tick.

  The partition scheduler 21 operates every 1 tick and performs TP switching (partition scheduling). The partition scheduler 21 selects and determines which of TP1 to TP3 is activated during the next 1 Tick. Furthermore, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP.

  Specifically, partition scheduling by the partition scheduler 21 is described. The partition scheduler 21 refers to the scheduling table 22 and performs partition scheduling in accordance with a scheduling pattern that defines TP settings.

  The scheduling table 22 holds a scheduling pattern that defines the TP switching order and timing. For example, the scheduling table 22 is stored in advance in the execution memory 11. The scheduling table 22 holds at least two different scheduling patterns. One is a scheduling pattern that is applied when abnormality detection by the safety monitoring task 24 is not performed (that is, during normal time). The other is a scheduling pattern applied when an abnormality is detected by the safety monitoring task 24. Hereinafter, the scheduling pattern applied in the normal time is referred to as “normal control scheduling pattern”. A scheduling pattern applied at the time of detecting an abnormality is called a “safe control scheduling pattern”.

  FIG. 8A shows a specific example of the normal control scheduling pattern. In FIG. 8A, TP2 to which the normal control task 26 belongs is assigned to the first half (T1) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T2) of one cycle time. According to the scheduling pattern of FIG. 8A, the normal control task 26 and the safety monitoring task 24 are repeatedly scheduled.

  FIG. 8B shows a specific example of the safety control scheduling pattern. In FIG. 8B, TP3 to which the safety control task 28 belongs is assigned to the first half (T3) of one cycle time. In addition, TP1 to which the safety monitoring task 24 belongs is assigned to the second half (T4) of one cycle time. According to the scheduling pattern of FIG. 8B, the safety control task 28 and the safety monitoring task 24 are repeatedly scheduled.

  Returning to FIG. The task schedulers 23, 25, and 27 perform task scheduling in the TP to which each belongs. For scheduling tasks in each TP, general priority-based scheduling may be applied. In FIG. 7, each TP is illustrated as including only one task, but may include one or more tasks. For example, the normal control task A and the normal control task B may be included in the normal control TP2.

  The safety monitoring task 24 is a task generated when the safety monitoring application 101 is activated. In the example of FIG. 7, the safety monitoring task 24 is assigned to TP1 and RP1. The safety monitoring task 24 monitors the execution status of the normal control task 26 that is a non-safety related application, monitors the execution status of the safety control task 28 that is a safety related application, and monitors input / output data of the I / O port 12. To do. The safety monitoring task 24 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP1 to which the safety monitoring task 24 belongs. Furthermore, the safety monitoring task 24 notifies the partition scheduler 21 of the task execution status.

  The normal control task 26 is a task generated when the normal control application 102 is activated. In the example of FIG. 7, the normal control task 26 is assigned to TP2 and RP2. The normal control task 26 performs control for causing a control target such as a service robot to perform a normal function / operation. The normal control task 26 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP 2 to which the normal control task 26 belongs. Further, the normal control task 26 notifies the partition scheduler 21 of the task execution status.

  The safety control task 28 is a task generated when the safety control application 103 is activated. In the example of FIG. 7, the safety control task 28 is assigned to TP3 and RP3. The safety control task 28 performs control determined to ensure functional safety in response to any abnormality being detected. The safety control task 28 performs calculations necessary for executing its own processing while using the resources of the execution memory 11 assigned to the RP 3 to which the safety control task 28 belongs. Further, the safety control task 28 notifies the partition scheduler 21 of the task execution status.

  Various methods can be adopted as a specific configuration for notifying the result from each task to the partition scheduler 21. For example, a task can call a system call (service call) of the OS 100 and notify the partition scheduler 21 of the result via the OS 100. Specifically, for example, a system call for performing communication between tasks is called. Also, for example, assuming that a flag related to the task execution status is stored in the execution memory 11, the task sets a flag value according to the execution status, and the partition scheduler 21 executes the task according to the flag set value. The situation can also be judged.

  From the above, the safety monitoring task 24 and the safety control task 28 are related to ensuring the functional safety of the controlled object, such as monitoring the execution status of the task and the controlled object, and the control defined for ensuring functional safety. It becomes a task to execute processing. On the other hand, the normal control task 26 is a task for executing processing related to control of other control targets. Therefore, the safety monitoring task 24 and the safety control task 28 are safety-related tasks that are preferably executed without delay, and the normal control task 26 has an execution delay compared to the safety monitoring task 24 and the safety control task 28. This is an acceptable non-safety related task.

  The OS 100 includes a TLB management routine 29. The TLB management routine 29 is a routine for creating entry information of the TLB 142 when the OS 100 is started or when a TLB miss hit is notified from the MMU 14. Specifically, when the TLB miss is notified from the MMU 14, the TLB management routine 29, as described above, based on the ASID and virtual address specified in the access that caused the TLB miss, the TLB 142 Create entry information for. Then, the TLB management routine 29 outputs the created entry information to the MMU 14. As a result, as described above, one of the entries in the TLB 142 is updated by the control unit 141 with the entry information output from the TLB management routine 29.

  As described above, the partition scheduler 21 operates every 1 Tick, and selects and determines which of TP1 to TP3 is activated. Further, the partition scheduler 21 starts the operation of the task scheduler related to the selected TP. Then, task scheduling is performed by the task schedulers 23, 25, and 27 starting operations, and the processor 10 executes the tasks in the TP according to the order scheduled by the task schedulers 23, 25, and 27. Go. As a result, the application assigned to the active TP is executed by the processor 10.

  Subsequently, partition scheduling by the partition scheduler 21 will be described with reference to FIG. FIG. 9 is a flowchart showing a specific example of the processing procedure of the partition scheduler 21 according to the first embodiment of the invention.

  In FIG. 9, a case where scheduling is executed according to a normal control scheduling pattern (for example, FIG. 8A) or a safety control scheduling pattern (for example, FIG. 8B) will be described as an example. That is, when the next TP following TP2 or TP3 is TP1, and when an abnormality in TP2 is detected in TP1, the next TP selected and determined based on the result from TP1 is TP3 Will be described as an example.

  The OS 100 starts the partition scheduler 21 every time one tick elapses (S11) (S12). The partition scheduler 21 refers to the scheduling pattern and determines whether or not it is TP switching timing (S13).

  If it is determined that it is not the TP switching timing (No in S13), the partition scheduler 21 continues the operation for the same TPX. For this reason, the processes of S11 to S13, S15, and S16 are repeated until the TP switching timing is reached. Here, the variable X indicates the number of TP, and X is any one of 1 to 3. That is, when partition scheduling is performed according to the normal control scheduling pattern, either TP2 or TP1 except for TP3 for safety control is operated.

  On the other hand, when it is determined that it is TP switching timing (Yes in S13), the partition scheduler 21 executes TP switching (S14). As described above, when the partition scheduler 21 changes the TP to be activated next (Yes in S13), the partition TP before switching is normal according to the notification result from the task belonging to the TP before switching. It is determined whether or not. If the TP before switching is abnormal as a result of the determination, the partition scheduler 21 selects and determines the TPX to be activated during the next 1 Tick from either TP1 or TP3 according to the safety control scheduling pattern. As a result of the determination, if it is normal, the partition scheduler 21 selects and determines one of TP1 and TP2 in accordance with the normal control scheduling pattern for TPX to be activated during the next 1 Tick.

  The partition scheduler 21 operates the task scheduler of the currently active TPX (S15). The task scheduler of TPX that started the operation in S15 executes the task in TPX according to the priority (S16).

  When 1 Tick elapses (S11), the partition scheduler 21 starts TP scheduling again (S12). That is, the partition scheduler 21 selects and determines which TP is to be activated during the next 1 Tick according to the scheduling pattern.

  A specific example of partition scheduling will be described with respect to the processing shown in FIG. First, according to the normal control scheduling pattern illustrated in FIG. 8A, a case where scheduling is started from the active state of TP2 in S15 will be described. In this case, TPX = TP2 is started in S15, and TPX = TP2 remains even in subsequent S16 and S11 to S13. And as long as No continues in S13, the state of TPX = TP2 is maintained. If S13 is Yes and TP2 is changed to TP1 in S14, TP1 remains in S15 to S16 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When it is determined in S16 that the execution status (data input / output, etc.) related to TP2 is normal when TP1 is active, TPX = TP2 in the next S14 (that is, start from TP2). Normal control scheduling pattern continues.) On the other hand, if it is determined in S16 that the execution status (data input / output, etc.) relating to TP2 is abnormal, TPX = TP3 (that is, a safety control scheduling pattern starting from TP3) in the next S14. Switch to.)

  Further, a case will be described in which scheduling is started from the active state of TP3 in S15 according to the safety control scheduling pattern illustrated in FIG. 8B. In this case, TPX = TP3 is started in S15, and TPX = TP3 remains even in subsequent S16 and S11 to S13. And as long as No continues in S13, the state of TPX = TP3 is maintained. If the answer is Yes in S13 and the TP3 is changed to TP1 in S14, TP1 remains as it is in subsequent S15 to S16 and S11 to S13. As long as No continues in S13, the state of TPX = TP1 is maintained. When it is determined in S16 that the execution status (data input / output, etc.) relating to TP3 is normal when TP1 is active, TPX = TP2 is set in the next S14 (that is, starting from TP2). Switch to normal control scheduling pattern.) On the other hand, if it is determined in S16 that there is an abnormality in the execution status (data input / output, etc.) related to TP3, TPX = TP3 (that is, a safety control scheduling pattern starting from TP3) in the next S14. Will continue.)

  In the above-described example, a case where only three TPs (safety monitoring TP1, normal control TP2 and safety control TP3) are combined as a scheduling pattern has been described as an example. There may be a plurality of control partitions and a plurality of safety control partitions such as TP3. For example, there are two TP2 and TP4 for normal control, TP1 for safety monitoring, and two TP3 and TP5 for safety control, and these five TPs (TP1 to TP5) are combined to form a scheduling pattern. It may be configured. In this case, in S14, the partition scheduler 21 determines the type of the abnormal state of the execution status (data input / output, etc.) related to TPX, and selects either TP3 or TP5 for safety control according to the abnormal type. That's fine. In S14, either TP2 or TP4 for normal control may be selected.

  As described above, in this embodiment, the OS 100 includes the partition scheduler 21 that selects and determines the partition to be activated next in response to a notification from the TP1 for safety monitoring or a notification from each TP. ing. The partition scheduler 21 operates at a predetermined timer period independently of the tasks executed in each TP.

  With the configuration in which the partition scheduler 21 that operates independently receives the result notification from all TPs, the partition scheduler 21 can centrally grasp the situation regarding all TPs. Therefore, for example, when the partition scheduler 21 decides and selects the next partition in response to the result notification from the safety monitoring TP1, the partition scheduler 21 considers the situation of each TP. The next partition can be determined and selected only from the TP in the normal state. According to this, there is an effect that more accurate partition scheduling can be realized.

  Next, with reference to FIG. 10, a processing procedure of entry information registration processing according to the embodiment of the present invention will be described. FIG. 10 is a flowchart showing a specific example of the processing procedure of the entry information registration processing according to the embodiment of the present invention.

  The OS 100 starts a process for creating and registering entry information of the TLB 142 by executing the TLB management routine 29 at the time of startup (S21). The subsequent processing is executed not only when the OS 100 is started but also when a TLB miss occurs. First, the OS 100 creates entry information of the TLB 142 (S22). At this time, when the OS 100 creates entry information related to a task belonging to the safety-related TP (TP1, TP3) (hereinafter also referred to as “safety-related TP entry information”), the ASID is set as described above. Create entry information converted to Wild. The OS 100 outputs the created entry information to the MMU 14.

  The control unit 141 of the MMU 14 determines whether the entry information output from the processor 10 by the OS 100 is entry information related to the safety-related TP (S23). Whether the entry information is related to the safety-related TP is determined by, for example, whether the ASID of the entry information is Wild.

  When the entry information is not entry information related to the safety-related TP (No in S23), the control unit 141 determines whether or not there is an empty entry in the TLB 142 (S24). When there is an empty entry in the TLB 142 (Yes in S24), the control unit 141 stores the entry information output from the processor 10 in any of the empty entries (S25). As a result, entry information relating to a task belonging to a normal (non-safety related) TP (TP2) whose ASID is not Wild (hereinafter referred to as “entry information related to a normal TP”) is registered in the TLB 142. When there is no empty entry in the TLB 142 (No in S24), the control unit 141 eliminates any entry information related to normal TP and stores the entry information output from the processor 10 in the entry (S26). . That is, the control unit 141 selects any entry in which entry information related to normal TP is stored as an update target entry, and overwrites the selected entry with the entry information output from the processor 10. As a result, normal TP entry information whose ASID is not Wild is registered in the TLB 142.

  When the entry information is entry information related to the safety-related TP (Yes in S23), the control unit 141 determines whether there are two or more entries in the TLB 142 in which the entry information of the safety-related TP is not registered. (S27). That is, it is determined whether there are a total of two or more entries storing normal TPs and vacant entries.

  If there are no two or more entries in which the safety-related TP entry information is not registered (No in S27), the control unit 141 excludes the entry information related to access with a small number of executions from the entry information related to the safety-related TP. Then, the entry information output from the processor 10 is stored in the entry (S28). That is, the control unit 141 selects, as entry to be updated, an entry in which entry information related to access with a small number of executions is stored among entry information related to safety-related TPs, and the selected entry is output from the processor 10 Overwrite with entry information. As a result, the entry information of the safety-related TP whose ASID is Wild is registered in the TLB 142.

  Here, the actual number of times of access execution may be used, or an estimated value may be used. For example, in the case of using an actual measurement value, when the processor 10 accesses the execution memory 11, the access execution count related to the entry information of the entry detected from the ASID and virtual address designated by the access is counted up. To measure. The measured number of executions may be stored in a storage device included in the MMU 14 in association with the entry information so that the control unit 141 can be referred to at the time of determination in S28. As a storage device included in the MMU 14, any storage device such as a register or a memory may be used.

  Further, for example, when using an estimated value, it is estimated that a task belonging to a TP having a large number of times that the TP becomes active in one cycle of the scheduling pattern is based on the scheduling table 22 and has a large number of accesses. . In this case, the execution count further estimated by the OS 100 may be set in the entry information including the ASID of the task corresponding to the execution count, and the control unit 141 may determine it with reference to the entry information. Note that these actually measured values and estimated values are examples, and actual measured values or estimated estimated values measured by other methods may be used.

  If there are two or more entries in which the safety-related TP entry information is not registered (Yes in S27), the control unit 141 determines whether or not there is an empty entry in the TLB 142 (S29). When there is an empty entry in the TLB 142 (Yes in S29), the control unit 141 stores the entry information output from the processor 10 in any of the empty entries (S30). As a result, the entry information of the safety-related TP whose ASID is Wild is registered in the TLB 142. When there is no empty entry in the TLB 142 (No in S29), the control unit 141 eliminates any entry information related to the normal TP and stores the entry information output from the processor 10 in the entry (S31). . That is, the control unit 141 selects any entry in which entry information related to normal TP is stored as an update target entry, and overwrites the selected entry with the entry information output from the processor 10. As a result, the entry information of the safety-related TP whose ASID is Wild is registered in the TLB 142.

  On the other hand, the OS 100 determines whether or not all entry information has been registered (created) (S32). If all the entries have not been registered (No in S32), the OS 100 creates entry information to be registered next (S22). Thereafter, the same processing as described above is repeated. When all the entries have been registered (Yes in S32), the OS 100 ends the creation of the entry information of the TLB 142 (S33). Here, when the processing described above is executed in response to a TLB miss, the processing ends when one entry information is registered (Yes in S32, S33).

  According to the processing procedure described above, entry information related to a normal TP is preferentially excluded and entry information related to a safety-related TP is preferentially registered as in S31. According to this, it is possible to increase the probability that an entry related to a safety-related task that is preferably executed without delay exists in the TLB 142. That is, it is possible to reduce the probability that the memory access by the safety-related task is delayed due to the entry update. In addition, it is possible to reduce the probability that processing in the safety-related task is delayed due to waiting for memory access by the safety-related task.

  Here, in the processing procedure described above, when there are two or more entries in which entry information related to safety-related TPs is not registered in S27, entry information related to safety-related TPs is registered in one of those entries. Otherwise, the entry information is registered in one of the entries in which entry information related to safety-related TPs is registered. As a result, entry information related to safety-related TPs is preferentially registered for all entries, and entry information related to normal TPs is not registered.

  For example, as illustrated in FIG. 4, when the number of entries in the TLB 142 is 64, entry information related to safety-related TPs is registered by preferentially excluding entry information related to normal TPs up to 63 entries. When there is one remaining entry in which no entry information related to safety-related TPs is registered, the entry is left for registering entry information related to normal TPs. That is, in this example, the upper limit number of entries in which entry information related to safety-related TPs can be registered is 63.

  Here, the number of entries determined in S27 is not limited to two or more. For example, in the above-described example, when up to the upper limit number of entry information related to safety-related TPs, only one entry information related to normal TPs is stored in the TLB 142. For example, in this case, when the entry information related to the normal TP is frequently updated and adversely affected, the upper limit number of entry information related to the safety-related TP may be lowered. For example, the number of entries determined in S27 may be four or more. That is, an arbitrary number can be predetermined as the upper limit number of entry information related to safety-related TPs.

  In addition, as described above, registration exceeding the upper limit number of entry information related to safety-related TPs is suppressed, but the method is not limited to the method described above. For example, until the registration of entry information related to safety-related TPs reaches the upper limit, entry information related to safety-related TPs is preferentially excluded and entry information related to safety-related TPs is registered. When the registration of entry information has reached the upper limit, simply select an entry to be updated at random, select an entry with a small number of executions, or select by FIFO (First In First Out), etc. The entry to be updated may be selected.

  Next, with reference to FIG. 11, a processing procedure of the memory access processing according to the embodiment of the present invention will be described. FIG. 11 is a flowchart showing a specific example of the processing procedure of the memory access processing according to the embodiment of the present invention.

  When a task being executed in the active TP accesses a page in the execution memory 11, the OS 100 issues an access specifying the ASID corresponding to the TP and the address of the page to the MMU 14. . The control unit 141 of the MMU 14 searches for an entry in which entry information indicating the same ASID and address as the ASID and address specified in the access issued from the processor 10 by the OS 100 is stored (S41).

  When the corresponding entry is detected (No in S42), the control unit 141 checks the access authority of the issued access based on the detected entry information (S43). When it is determined that the issued access has access authority (No in S45), the control unit 141 executes memory access (S46). That is, the control unit 141 converts the designated address from a virtual address to a physical address, and then issues an access to the execution memory 11.

  If it is determined that the issued access does not have access authority (Yes in S45), the control unit 141 outputs a notification of a TLB protection violation exception to the processor 11 (S47). The OS 100 performs an abnormality treatment in response to the notification of the TLB protection violation exception from the MMU 14. Arbitrary processing may be implemented as the abnormality treatment. For example, the partition scheduler 21 may switch the scheduling pattern to the safety control scheduling pattern and perform control so that the control target is urgently stopped by the safety control task 28.

  On the other hand, if the corresponding entry cannot be detected (Yes in S42), the control unit 141 outputs a TLB miss hit exception notification to the processor 11 (S44). The OS 100 executes the TLB management routine 29 in response to the notification of the TLB miss from the MMU 14. Thereby, the process described below is executed.

  The OS 100 checks the access authority of the access in which the TLB miss hit exception has occurred (S48). Here, generally, since the OS 100 creates entry information of the TLB 142, the OS 100 determines the ASID of each task, the page (virtual address and physical address) accessed by each task, and each page of each task. Has access authority information or can refer to it. Therefore, the access authority may be determined based on the information.

  If it is determined that the user does not have access authority (Yes in S49), the OS 100 jumps to the TLB protection violation exception handler (S51). For example, as a TLB protection violation exception handler, an abnormality treatment is performed as described above.

  If it is determined that the user has access authority (No in S49), the OS 100 indicates the ASID and address specified in the access that caused the TLB miss-hit exception, and the access authority for the address by the ASID. Entry information is created (S50). The OS 100 outputs the created entry information to the MMU 14 (S51). As a result, the control unit 141 of the MMU 14 selects the entry information storage destination entry from the TLB 142, and replaces the entry information of the selected entry with the entry information output from the processor 10 by the OS 100. That is, the entry information is overwritten. At this time, the entry information registration process described with reference to FIG. 10 is executed.

  Note that the MMU 14 may select an entry to be updated in accordance with the output of entry information from the processor 10, or may select in advance when a TLB miss is detected.

  The processor 10 returns to the instruction (address) that caused the TLB miss hit exception (S52). That is, the processor 10 issues the memory access that caused the TLB miss hit exception to the MMU 14 again. As a result, the determination of access authority (S45) is performed without causing a TLB miss (No in S42).

<Other embodiments of the invention>
In the present embodiment, the case where the tasks belonging to each of the TPs are the safety monitoring task 24, the normal control task 26, and the safety control task 28, respectively, is illustrated, but the types of tasks are not limited thereto. The present invention is not limited to the safety monitoring task 24, the normal control task 26, and the safety control task 28, and may have a task for executing an arbitrary process related to the control of another control target.

  For example, you may make it have the tasks 30-32 as shown in FIG. In this case, the safety control device needs to have an application corresponding to the tasks 30 to 32 instead of the applications 101 to 103. However, since this point is obvious, illustration and description thereof are omitted.

  The supervisory control task 30 controls the control target. Specifically, the supervisory control task 30 controls the actuator to be controlled based on command values from the normal control task 31 and the safety control task 32. The normal control task 31 performs control calculation for causing the control target to perform a normal function / operation. Specifically, the normal control task 31 calculates an actuator command value by performing control calculation of the actuator in normal control. The normal control task 31 outputs the calculated command value to the monitoring control task 30. The safety control task 32 performs a control calculation determined to ensure functional safety. Specifically, the safety control task 32 calculates a command value for the actuator by performing a control calculation of the actuator in the safety control. The safety control task 32 outputs the calculated command value to the monitoring control task 30. The supervisory control task 30 controls the actuator based on the command value output from the normal control task 31 or the safety control task 32.

  Furthermore, the monitoring control task 30 acquires a sensor value from the sensor to be controlled. The monitoring control task 30 outputs the acquired sensor value to the normal control task 31 and the safety control task 32. Each of the normal control task 31 and the safety control task 32 may perform actuator control calculation based on the sensor value output from the monitoring control task 30.

  In the example of FIG. 12, the monitoring control task 30 and the safety control task 32 perform processing related to ensuring the functional safety of the controlled object, such as monitoring of the controlled object and control calculation determined to ensure functional safety. A task to be executed. On the other hand, the normal control task 31 is a task that executes processing related to control of other control targets. Therefore, the monitoring control task 30 and the safety control task 32 are safety-related tasks that are preferably executed without delay, and the normal control task 31 has an execution delay compared to the monitoring control task 30 and the safety control task 32. This is an acceptable non-safety related task. That is, in the case shown in FIG. 12, in the entry information registration process shown in FIG. 10, the monitoring control task 30 and the safety control task 32 are processed as tasks belonging to the safety-related TP, and the normal control task 31 is normal (non- It is processed as a task belonging to the TP of safety-related).

  In addition, for example, you may make it have the tasks 33-35 as shown in FIG. In this case, the safety control device needs to have an application corresponding to the tasks 33 to 35 instead of the applications 101 to 103. However, since this point is obvious, illustration and description are omitted.

  The monitoring task 33 acquires a sensor value from the sensor to be controlled. This sensor includes a posture sensor for detecting the posture of the control target as described above. The example demonstrated here demonstrates the case where it applies to the traveling apparatus which a person can board as a control object. In this case, the monitoring task 33 can detect the movement of the center of gravity by the passenger using the posture sensor. The monitoring task 33 outputs the acquired sensor value to an HMI (Human Machine Interface) task 35.

  Based on the sensor value output from the monitoring task 33, the HMI task 35 performs control calculation of the actuator to be controlled, and calculates a command value for the actuator. The HMI task 35 outputs the calculated command value to the control task 34. The control task 34 controls the actuator based on the command value output from the HMI task 35.

  In the example of FIG. 13, the monitoring task 33, the HMI task 35, and the control task 34 monitor the control target, perform control calculation according to the control target, and control the control target based on the control calculation result. Execute processing related to ensuring functional safety. Therefore, the monitoring task 33, the HMI task 35, and the control task 34 are safety-related tasks that are preferably executed without delay. In this case, a task that executes processing related to control of another control target belonging to a TP (not shown) other than TP1 to TP3 is executed in comparison with the monitoring task 33, the HMI task 35, and the control task 34. This is a non-safety-related task in which delay is allowed. That is, in the case shown in FIG. 13, in the entry information registration process shown in FIG. 10, the monitoring task 33, the HMI task 35, and the control task 34 are processed as tasks belonging to the safety-related TP.

  Here, according to the configuration described with reference to FIG. 13, it is possible to realize an HMI in which a control target is controlled in accordance with a passenger's operation. For example, it is possible to perform control such that the control object moves back and forth when the passenger moves the center of gravity back and forth, and the control object turns left and right when the passenger moves the center of gravity left and right. The same can be said for the example described with reference to the embodiment and FIG. Specifically, the normal control task 26 and the safety control task 28, or the normal control task 31 and the safety control task 32 perform the same control according to the sensor value acquired by the safety monitoring task 24 or the monitoring control task 34. Thus, HMI can be realized. Further, according to the present embodiment, it is possible to reduce the execution delay probability of the safety-related task and to perform control of the controlled object with improved reliability. Therefore, as described above, it is possible to perform control of a controlled object with improved safety by applying a traveling device on which a person can board as a controlled object.

  In addition, as a traveling apparatus, it can also be set as the coaxial two-wheeled vehicle of standing up riding. In this case, the wheel rotates by controlling the actuator. Further, the safety control device itself may be mounted on the control target.

  Note that the present invention is not limited to the above-described embodiment, and can be changed as appropriate without departing from the spirit of the present invention.

  In the present embodiment, the case where the OS has TP1 to TP3 is illustrated, but the type and number of TPs are not limited to this. The scheduling pattern is not limited to that exemplified in the present embodiment.

  In the present embodiment, the case where the number of tasks is three is exemplified, but the number of tasks is not limited to this. For example, in the present embodiment, the case where there are three TPs TP1 to TP3 is illustrated, but the number of TPs is set to a number other than three, and each TP has one or more arbitrary numbers of tasks. You may do it.

  In the present embodiment, the case where different access authorities are assigned for each TP (RP) has been illustrated. That is, in the present embodiment, the case where the same access authority is given to tasks belonging to the same TP is exemplified, but the present invention is not limited to this. For example, a different access authority may be given for each task. In this case, the ASID is uniquely defined for each task.

  In the present embodiment, the multitask OS adopting time partitioning is exemplified, but the present invention is not limited to this. The present invention can also be applied to a multitasking OS that does not employ time partitioning. In this case, the ASID is uniquely defined for each task.

  In the present embodiment, the case where the management target of the MMU 14 is the execution memory 11 that is a RAM is illustrated, but the present invention is not limited to this. For example, the storage device managed by the MMU may be a ROM. Further, the storage device to be managed by the MMU may be a combination of RAM and ROM.

  In this embodiment, the case where the memory protection function is implemented by the MMU is illustrated, but the present invention is not limited to this. For example, a memory protection function may be implemented by an MPU. When implemented by the MPU, since it does not have a virtual memory management function, the ASID, the address, the access authority for the page of the address by the task of the ASID, etc. are set in the entry of the MPU. .

  In the present embodiment, the ASID of the safety-related task is converted to Wild, but the conversion to Wild may not be performed. In this case, by making the MMU 14 recognize the ASID of the safety-related task, it is possible to determine entry information that may be preferentially excluded. For example, the MMU 14 may have a storage device that stores a list of ASIDs of safety-related tasks, and an entry in which the ASIDs of safety-related tasks are set may be determined by checking those ASIDs. . In this case, the list of ASIDs of safety-related tasks may be acquired by the MMU 14 from the OS 100 and stored in the storage device. Further, the MMU 14 may include a storage device that stores a list of ASIDs of tasks other than safety-related tasks, and an entry in which a safety-related ASID is set may be determined by collating with those ASIDs. However, preferably, as in the present embodiment, the ASID of the safety-related task is set to a value obtained by changing the bit value at a predetermined position, so that only the bit value is confirmed and priority is given. The entry information that can be excluded automatically can be determined. According to this, it is possible to simplify the process of determining entry information related to a safety-related task.

  In this embodiment, the MMU 14 selects an entry to be updated, but the present invention is not limited to this. For example, the OS 100 (TLB management routine 29) may select the update target entry and instruct the MMU 14 to store the entry information in the selected entry.

  In this embodiment, entry information is given priority to the TLB 142 in a safety-related task that executes a process related to ensuring functional safety of a control target and a non-safety-related task that executes a process related to control of another control target. However, this task is not limited to this. Other than this, if the system includes a task that is preferably executed without delay and a task in which execution delay is allowed more than that task, the system can be similarly applied.

DESCRIPTION OF SYMBOLS 1 Safety control apparatus 10 Processor 11 Execution memory 12 I / O port 13 Non-volatile memory 14 MMU
15 reset circuit 20 microcontroller 21 partition scheduler 22 scheduling tables 23, 25, 27 task scheduler 24 safety monitoring tasks 26, 31 normal control tasks 28, 32 safety control tasks 29 TLB management routine 30 monitoring control task 33 monitoring task 34 control task 35 HMI task 100 Operating system 101 Safety monitoring application 102 Normal control application 103 Safety control application 141 Control unit 142 TLB

Claims (10)

Memory containing multiple areas;
A task execution unit for executing a plurality of tasks;
A storage unit capable of storing a predetermined number of authority information indicating access authority to any of the plurality of areas by any of the plurality of tasks;
When the task execution unit accesses the area by the task, it is determined whether authority information indicating access authority to the area by the task is stored in the storage unit, and the authority information is stored. If the access authority is determined, the access authority is determined based on the authority information. If the authority information is not stored, the access authority to the area by the task is determined in order to determine the access authority. An access management unit for storing authority information indicating the storage in the storage unit,
The plurality of tasks include a first task and a second task that is allowed to be delayed in execution as compared to the first task,
When the access management unit needs to overwrite any of the authority information stored in the storage unit when storing the authority information related to the first task in the storage unit, the first task Preferentially overwriting authority information relating to the second task among authority information relating to the second task and authority information relating to the second task,
Information processing device. When the access management unit needs to overwrite any of the authority information stored in the storage unit when storing the authority information regarding the second task in the storage unit, the first task Preferentially overwriting authority information relating to the second task among authority information relating to the second task and authority information relating to the second task,
The information processing apparatus according to claim 1. When the access management unit stores the authority information related to the first task in the storage unit, the predetermined upper limit number, if the authority information related to the first task is already stored in the storage unit, Allowing overwriting of authority information relating to the first task;
The information processing apparatus according to claim 1 or 2. When the access management unit has already stored a predetermined upper limit number and authority information related to the first task in the storage unit, among the authority information related to the first task stored in the storage unit, Overwrites the authority information related to fewer accesses more preferentially,
The information processing apparatus according to claim 3. The authority information is information indicating an identification value for identifying the task and an access authority for the area by the task,
In the authority information related to the first task and the authority information related to the second task, the bit values at predetermined bit positions of the identification value are different values,
The access management unit determines whether the authority information is authority information related to the first task based on a bit value of the predetermined bit position;
The information processing apparatus according to any one of claims 1 to 4. Each of the plurality of tasks is executed in any of a plurality of time partitions,
The task execution unit schedules and executes the plurality of tasks according to scheduling information indicating scheduling contents of the plurality of time partitions.
The information processing apparatus according to any one of claims 1 to 5. The information processing apparatus is a control apparatus that controls a control target,
Each of the plurality of tasks is a task that executes processing related to control of the control target.
The information processing apparatus according to claim 1. The first task is a task for executing processing related to ensuring functional safety of the control target;
The second task is a task for executing processing related to control of the other control target.
The information processing apparatus according to claim 7. The task execution unit is the processor;
The access management unit is an MMU (Memory Management Unit) or MPU (Memory Protection Unit).
The information processing apparatus according to any one of claims 1 to 8. When any one of the plurality of tasks accesses any one of the plurality of areas included in the memory, the authority information indicating the access authority to the area by the task is the plurality of tasks. An information determination step for determining whether authority information indicating access authority to any of the plurality of areas is stored in a storage unit capable of storing a predetermined number of
If it is determined that the authority information is stored, an authority determining step for determining the access authority based on the authority information;
If it is determined that the authority information is not stored, authority information indicating access authority to the access destination area by the accessed task is stored in the storage unit so that the access authority can be determined. And an information storage step for
The plurality of tasks include a first task and a second task that is allowed to be delayed in execution as compared to the first task,
In the information storing step, when the authority information related to the first task is stored in the storage unit, if any of the authority information stored in the storage unit needs to be overwritten, the first task Preferentially overwriting authority information relating to the second task among authority information relating to the second task and authority information relating to the second task,
Memory access management method.

Images