
WO2010049339A1 - Device and method for generating redundant but different machine codes from a source code for verification for a safety-critical system - Google Patents


Info

Publication number
WO2010049339A1
Authority
WO
WIPO (PCT)
Prior art keywords
realization
paths
implementation
machine
different
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2009/063870
Other languages
German (de)
English (en)
Inventor
Volker Roelke
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Robert Bosch GmbH
Publication of WO2010049339A1
Anticipated expiration
Current legal status: Ceased


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/40 Transformation of program code
    • G06F 8/41 Compilation
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/14 Error detection or correction of the data by redundancy in operation
    • G06F 11/1479 Generic software techniques for error detection or fault masking
    • G06F 11/1487 Generic software techniques for error detection or fault masking using N-version programming
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/14 Error detection or correction of the data by redundancy in operation
    • G06F 11/1497 Details of time redundant execution on a single processing unit
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/16 Error detection or correction of the data by redundancy in hardware
    • G06F 11/1629 Error detection by comparing the output of redundant processing systems

Definitions

  • the invention is based on a device or method according to the category of the independent claims. As is known, technical systems have one
  • in EP 1 723 513 B1 a method is described that allows a clear and flexible configuration of a computer program.
  • the possibility is created, by means of global and special configuration files, to generate a machine code from a single program code (source text) by means of a compiler.
  • is implemented such that it becomes a physical realization variant
  • this generator generates at least two implementation paths which produce the same effect or a similar result, but achieve this by a different approach, and are therefore redundant but different from one another. Errors
  • occur simultaneously (synchronously) in the at least two realization paths.
  • an error that is present in a certain component can be uncovered, since one of the implementation paths implements the realization without using this component.
  • the errors are usually discovered in a comparison of the results or intermediate results or
  • microprocessor platform understands (machine language).
  • the compiler corresponds to the automated generator, but may also be an interpreter (e.g. for the programming languages Basic or Java) or another form of language translator.
  • the invention also includes a reaction in
  • this compiler generates from a source text of the high-level language two machine codes which describe redundant but different realization paths. Since the system requirement for this is usually the same and the source code is the same, the results of both must also be the same
  • the at least second realization path can also calculate an approximate result which is suitable for a plausibility check of the real result of the first realization path.
  • the mere calculation of an approximate result can have resource advantages, in particular runtime advantages.
  • this decision is carried out by an entity known as a voter.
  • the at least two machine codes may also run on a single hardware, thereby avoiding a parallel architecture and duplicate hardware costs.
  • errors that occur during compilation can be intercepted if they only have an effect on one of the implementation paths. The same applies to temporary errors in
  • realization paths can also determine the correct result.
  • the compiler advantageously converts the instructions from the high-level language into respectively different machine code instructions or machine code instruction sequences.
  • machine codes would be created in the other machine code are not called and would come into play, which allows error detection. Unless every instruction of the machine code can be substituted by another instruction, one is
  • the invention specifically uses the properties and freedoms when compiling
  • fast code is usually preferred when the calculation results of the realization paths must be available at the same time, for example if the result may not be used without a plausibility check. Alternatively, for example, a very
  • realization path can also run distributed over several clock cycles. A comparison of the results of the implementation paths in the voter, or a call of the voter, can then be done regularly but not necessarily in every clock cycle. Variation of the program size of the various machine codes may also be useful; this is always in a first machine code, the shorter each
  • modern microcontrollers often have different computing units, for example floating point units, different computer cores, PCP, etc.
  • arithmetic operations of the floating point units can be simulated by means of integer operations in the normal computer core, for a later plausibility check. In this case, errors that occur in only one of the two arithmetic units can be detected.
  • different computer cores of a microcontroller the different computing units
  • machine codes are processed.
  • machine code or realization path to use, in order to generate by means of an automatic generator at least a second realization path or machine code, a suitable program, for example, which contains the machine code instructions
  • machine code for safety-critical systems can be designed fault-tolerant by this idea. Even if a corresponding source text in the high-level language no longer exists or has been lost, such a second machine code can be generated in order to meet the corresponding requirements
  • the programmer usually creates software in the form of a source code or source text in a specific high-level language.
  • a compiler converts this into so-called object code, which in turn is linked together by a linker with other program components to form a machine code. If necessary, an intermediate step via a machine language
  • machine language in the form of source text, also called assembler, is a 1-to-1 mapping to the so-called machine code, which is binary.
  • optionally a linker or other software tools or components to
  • generation of the machine code. It is equally unimportant whether the different machine codes are created by one or more compilers; the decisive factor is the use of a single source text for the generation of different but redundant machine codes.
  • single point of failure refers to points in the system where different paths are merged, so that a failure at that point would result in a total error.
  • the so-called voter
  • Figure 1 shows various arrangements for fault-tolerant systems
  • Figure 2 shows an exemplary implementation of a multiplication command.
  • FIG. 1a shows, by way of example, the basic structure of a fault-tolerant system, in which there are at least two paths, wherein the occurrence of an error on one of these paths is detected in that the voter, shown here as a comparator, determines a difference.
  • FIG. 1b shows how a single software SW is converted by means of a compiler C into a machine code M which is executed on different hardware HW1, HW2 and thus makes it possible to detect a defect in one of the hardware units.
  • in FIG. 2c two different software SW1, SW2 are shown, which are translated into machine codes M1, M2 by a (possibly similar or the same) compiler C and are executed on one hardware.
  • analogously to figure part b, here too
  • such a system ensures that an error that occurs in only one of the software variants is detected.
  • in FIG. 1d the method according to the invention is presented, wherein a single software, here a source code SW, is input into a compiler C, which generates two different machine codes M1, M2, which are executed on the hardware.
  • the final error assessment is performed as usual by a comparator (voter).
  • with an interpreter, for example, which is used in particular by high-level languages such as Java or Basic, the block designated here as compiler C can come to lie in the hardware itself, the interpreter independently converting the instructions into machine code in two different ways and thus following the method according to the invention.
  • an interpreter typically functions by sequentially reading the high-level language instructions and directly processing them into machine code instructions that are executed immediately by the microprocessor, rather than, like a compiler C, first translating the entire program into the complete machine code.
  • FIG. 2 shows the exemplary implementation of a multiplication command in a high-level language (FIG. 2a), which is represented in two different variants of machine code, here as assembler command sequences (FIG. 2 parts b, c).
  • the command line in FIG. 1a is generated during the generation of a first machine code by means of the command sequence as shown in FIG.
  • the compiler has a translation table which allows it to translate any high-level language command into at least two different types of machine code.
  • the multiplication command in the high-level language in the variant in FIG. 2b was translated by means of the assembler multiplication command.
  • this command was realized by means of a loop and additions.
  • another embodiment, which is not illustrated in a figure here, would be, for example, the implementation of so-called branch operators, which are each performed with negated test conditions. Usually, jumps in the machine code are made by testing individual
  • assembler commands are bz (branch zero) and bnz (branch not zero), which lead directly to a double, different realization of a branching operator. Only the condition must previously be negated with at least one additional command, but with all
  • commands in the machine code, a translation of the same branch can also be realized by checking various conditions.
  • a branch on zero can be simulated by setting the register to the value to be tested + 1 and instead of
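The two realization paths of the multiplication command (native multiply versus a loop of additions, as the description of FIG. 2 parts b and c sketches), the voter that compares them, and the cheaper plausibility-check variant of the second path, as an added example in C written for this page and not taken from the patent; the fault_mask argument is a constructed hook used only to show that a single-path fault is detected.

```c
/* Added example, not code from the patent: two diverse realizations of one
 * high-level multiplication, a voter comparing them, and a plausibility path.
 * fault_mask is a constructed hook for demonstration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t result; bool ok; } vote_t;

/* Realization path 1: relies on the target's multiplier unit. */
static uint32_t mul_path1(uint32_t a, uint32_t b) { return a * b; }

/* Realization path 2: the same function via additions only, so a defect in
 * the multiplier (or a transient upset hitting one path) cannot affect both. */
static uint32_t mul_path2(uint32_t a, uint32_t b) {
    uint32_t acc = 0;
    for (uint32_t i = 0; i < b; i++) acc += a; /* wraps mod 2^32 like path 1 */
    return acc;
}

/* Voter (the comparator of FIG. 1): accept only if both paths agree.
 * fault_mask bit 0 / bit 1 flips a bit in path 1 / path 2 to emulate a
 * single-path fault; a real system has no such hook. */
static vote_t vote_mul(uint32_t a, uint32_t b, unsigned fault_mask) {
    uint32_t r1 = mul_path1(a, b) ^ ((fault_mask & 1u) ? 0x4u : 0u);
    uint32_t r2 = mul_path2(a, b) ^ ((fault_mask & 2u) ? 0x4u : 0u);
    vote_t v = { r1, r1 == r2 };
    return v;
}

/* Plausibility variant of the second path: instead of the full product it
 * only bounds it. With 2^k <= b < 2^(k+1), a*b must lie in [a<<k, a<<(k+1)).
 * Assumes the true product fits in 32 bits; the bound is computed in 64 bits. */
static bool plausible_mul(uint32_t a, uint32_t b, uint32_t claimed) {
    if (a == 0 || b == 0) return claimed == 0;
    unsigned k = 0;
    while ((b >> (k + 1)) != 0) k++;
    uint64_t lo = (uint64_t)a << k, hi = (uint64_t)a << (k + 1);
    return lo <= claimed && claimed < hi;
}

int main(void) {
    vote_t good = vote_mul(7, 6, 0), bad = vote_mul(7, 6, 1);
    printf("7*6: result=%u agree=%d\n", good.result, good.ok);
    printf("7*6 with path-1 fault: result=%u agree=%d\n", bad.result, bad.ok);
    printf("plausibility of 42 for 7*6: %d\n", plausible_mul(7, 6, 42));
    return 0;
}
```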

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Devices For Executing Special Programs (AREA)

Abstract

The invention relates to a method and a device for the automated generation of at least two redundant but different realizations of a safety-critical system, characterized in that said two realizations are generated from a single description of the system, in particular for a software-based solution. According to the invention, a source code is converted by means of a compiler into at least two different machine codes which are formed from asynchronous instruction sequences and which allow error checking by comparison of the results.
PCT/EP2009/063870 2008-10-31 2009-10-22 Device and method for generating redundant but different machine codes from a source code for verification for a safety-critical system Ceased WO2010049339A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE200810043374 DE102008043374A1 (de) 2008-10-31 2008-10-31 Device and method for generating redundant but different machine codes from a source code for verification for a safety-critical system
DE102008043374.8 2008-10-31

Publications (1)

Publication Number Publication Date
WO2010049339A1 true WO2010049339A1 (fr) 2010-05-06

Family

ID=41396116

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2009/063870 Ceased WO2010049339A1 (fr) 2008-10-31 2009-10-22 Device and method for generating redundant but different machine codes from a source code for verification for a safety-critical system

Country Status (2)

Country Link
DE (1) DE102008043374A1 (fr)
WO (1) WO2010049339A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014001543A1 (fr) 2012-06-29 2014-01-03 Société Technique pour l'Energie Atomique TECHNICATOME Method for secure data processing, and associated computer
US20200353884A1 (en) * 2019-05-08 2020-11-12 Mobileye Vision Technologies Ltd. System on chip

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014121817A1 (fr) * 2013-02-05 2014-08-14 Abb Technology Ltd Software diversity in industrial control systems
DE102015204337A1 (de) * 2015-03-11 2016-09-15 Siemens Aktiengesellschaft Safety-relevant computer system
EP3367242B1 (fr) * 2017-02-24 2021-04-07 Bombardier Transportation GmbH Method for detecting errors in a microcontroller
DE102024200446A1 (de) * 2024-01-18 2025-07-24 Robert Bosch Gesellschaft mit beschränkter Haftung Method for automatic graph-based error detection in an instruction stream of processor instructions

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6473897B1 (en) * 1998-04-13 2002-10-29 Intel Corporation Method and apparatus for generating multiple processor-specific code segments in a single executable
US6658656B1 (en) * 2000-10-31 2003-12-02 Hewlett-Packard Development Company, L.P. Method and apparatus for creating alternative versions of code segments and dynamically substituting execution of the alternative code versions
DE102004005730A1 (de) 2004-02-05 2005-08-25 Robert Bosch Gmbh Method for configuring a computer program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LOVRIC T: "Detecting hardware-faults with systematic and design diversity: experimental results", COMPUTER SYSTEMS SCIENCE AND ENGINEERING,, vol. 11, no. 2, 1 March 1996 (1996-03-01), pages 83 - 92, XP009127286 *


Also Published As

Publication number Publication date
DE102008043374A1 (de) 2010-05-06


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 09747809; Country of ref document: EP; Kind code of ref document: A1
122 Ep: pct application non-entry in european phase
    Ref document number: 09747809; Country of ref document: EP; Kind code of ref document: A1