Method And Device For Monitoring A Memory Unit In A Mutliprocessor System

- ROBERT BOSCH GMBH

A method and device for monitoring a memory unit in a system including at least two processing units, a switchover arrangement being included that allows switching between at least two operating modes of the system, the device being arranged to log the memory content and/or the operating mode in which the memory content was generated.

Skip to: Description  ·  Claims  · Patent History  ·  Patent History
Description
FIELD OF THE INVENTION

The present invention relates to a method and device for monitoring a memory unit in a multiprocessor system.

BACKGROUND INFORMATION

In technical applications, such as, in particular, in motor vehicles or in the industrial goods sector, that is, for example, in the machinery and automation sectors, an increasing number of microprocessor or computer-based, closed-loop and open-loop control systems are being used for safety-critical applications. Today, dual-processor systems (dual cores) are computer systems commonly used for safety-critical applications, especially in motor vehicles, for example for antilock systems, the electronic stability program (ESP), X-by-wire systems, such as drive-by-wire or break-by-wire, etc., or for other networked systems. In order to meet these high safety requirements in future applications, powerful fault mechanisms and fault handling mechanisms are required, especially to cope with transient faults, which may occur, for example, when reducing the size of the semiconductor structures of the computer systems. In this context, it is relatively difficult to protect the core itself, i.e., the processor. As mentioned above, one solution for this is to use a dual-processor system, or dual-core system, for fault detection.

Such processor units having at least two integrated execution units are therefore known as dual-core or multi-core architectures. In the current prior art, such dual-core or multi-core architectures are proposed mainly for two reasons:

First of all, they allow performance to be enhanced, i.e., increased, by regarding and treating the two execution units or cores as two processing units on one semiconductor device. In this configuration, the two execution units or cores execute different programs or tasks, respectively. This makes it possible to increase performance, and therefore this configuration is termed performance mode.

The second reason for implementing a dual-core or multi-core architecture is to increase safety by the two execution units redundantly executing the same program. The results of the two executions units or CPUs, i.e., cores, are compared, and a fault can be detected in the conformity-check comparison. In the following, this configuration will be referred to as “safety mode” or also as “fault detection mode”.

Thus today, on the one hand; there are dual-processor or multiprocessor systems which work redundantly in order to detect hardware faults (see dual-core or master-checker systems) and, on the other hand, there are dual-processor or multiprocessor systems which process different data in their processors. If these two operating modes are now combined in a dual-processor or multiprocessor system, the two processors must receive different data when in the performance mode and identical data when in the fault detection mode (for the sake of simplicity, only the term “dual-processor system” will be used hereinafter, but the following invention is also applicable to multiprocessor systems).

The clock frequency of today's processors is typically significantly higher than the frequency with which a memory, especially an external memory, can be accessed. Cache memories are used to compensate for this time lag. The interaction of such a fast buffer memory with a corresponding main memory then allows access times to be significantly reduced.

In particular, when implementing dual-processor (dual-core) systems, one cache is provided for each processor. In the system, caches are used as fast intermediate memories to eliminate the need for the processor to always have to retrieve the data from the slow main memory. To make this possible, the access time of a cache must be paid particular attention to during the implementation thereof. The access time is made up of the actual access time for retrieving the data from the cache and the time for transferring the data to the processor.

In a multiprocessor system, in particular in a dual-processor system having 2 processors, a plurality of processors executes the same or different tasks. If they execute different tasks, usually, a cache is coupled between the processor and the main memory for each processor, respectively. The cache is needed to decouple the different operating speeds of the main memory and the processor. When the dual-processor system operates in the mode in which the two processors execute different tasks, then the caches of the processors are loaded with different data. When switching over to safety mode, in which the processors execute the same tasks and the output data are compared, the cache content must be deleted or marked invalid prior to switching over.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a method and device, and an implementation, for avoiding this performance-reducing drawback so as to eliminate the need to completely delete the cache or invalidate it each time a switchover is made from performance mode to safety mode.

Such an implementation has not been previously described. The implementation enables efficient operation of dual-processor system, so that switching can be done in both the safety and performance modes during operation without reducing performance. The term “processors”, as used hereinafter, is understood to also include cores or processing units.

To achieve this object, the present invention discloses a method and device for monitoring a memory unit in a system including at least two processing units, a switchover arrangement being included that allows switching between at least two operating modes of the system, the device being arranged to log the memory content and/or the operating mode in which the memory content was generated. The present invention also discloses a corresponding system and a corresponding memory unit, in particular, a cache memory.

Logging of what was written into the cache at what time eliminates the need to mark the complete data as invalid when a mode switch is made. Therefore, the cache does not need to be reloaded so often, and the performance of the overall system increases accordingly.

Furthermore, a unit for distributing data from at least one data source is provided in a system including at least two processing units, a switchover arrangement (ModeSwitch) being included that allow switching between at least two operating modes of the system, the unit being designed such that the data distribution and/or the data source (in particular, instr. memory, data memory, cache) is/are dependent on the operating mode. Also disclosed is a system including such a unit.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a dual-processor system including a first processor 100, in particular a master processor, and a second processor 101, in particular a slave processor.

FIG. 2 shows another view of the dual processor or dual core system.

FIG. 3 is a schematic view showing a switchable dual-processor system with the caches.

FIG. 4 shows an exemplary cache memory.

 DETAILED DESCRIPTION

In the context of the exemplary embodiments and/or exemplary methods of the present invention, the first operating mode corresponds to a safety mode, in which the two processing units execute or process the same programs and/or data and in which a comparison arrangement is provided by which the states occurring during the execution of the same programs are checked for conformity.

The unit and method according to the present invention allows the two modes to be implemented in a dual-processor system without reducing the cache utilization performance.

When the two processors operate in the fault detection mode (F mode), then the two processors receive the same data/instructions, and when operating in the performance mode (P mode), each processor can access the memory. Then, this unit manages the accesses to the only one existing memory or peripheral equipment.

In the F mode, the unit reads the data/addresses of one processor (herein referred to as “master”) and forwards the same to components such as the memory, bus, etc. The second processor (hereinafter “slave”) wishes to make the same access. The data distribution unit receives this request at a second port, but does not forward it to the other components. The data distribution unit transfers to the slave the same data as those transferred to the master and compares the data of the two processors. If these data are different, then the data distribution unit (hereinafter “DDU”) will indicate this by an error signal. Thus, only the master operates on the bus/memory, and the slave receives the same data (the operation is similar to that of a dual-core system).

In the P mode, the two processors execute different program parts. The memory accesses are therefore also different. Thus, the DDU receives the requests of the processors and returns the results/requested data to the requesting processor. If now both processors wish to access a component simultaneously, then one processor is put to a waiting state until the other is served.

Switching between the two modes, and thus between the different methods of operation of the data distribution unit, is accomplished by a control signal. The control signal can be generated either by one of the two processors, or externally.

Thus, in accordance with the present invention, a distinction is made between a performance mode and a safety mode, as far as operating modes are concerned, and the logging includes recording which memory content was generated in the performance mode. Also or instead, the logging advantageously includes recording which memory content was generated in the safety mode. For logging purposes, it is possible to create a table, and to evaluate the table as a function of a mode signal indicative of the operating mode of at least one processing unit.

With respect to the memory content, data are advantageously distinguished from other memory contents, in particular instructions, and the table additionally logs whether the data were changed in the memory unit in the performance mode and/or in the safety mode.

It is a particular advantage that the logging additionally includes recording whether the respective memory content is valid. This allows all memory contents, especially all data, to be invalidated when starting the processing units.

Advantageously, one memory unit is provided for each processing unit, and the logging is performed for each memory unit, and, in addition, a comparison of the log is made for each memory unit. In particular, only one table is created for the two processing units during logging, or one table is created for each processing unit during logging, in which case the table entries are interchangeable between the tables.

It is advantageous that the table entries are checked for conformity. It is also advantageous that the validity information is evaluated in the safety mode.

If, in the F mode, the dual-processor system is operated with a clock offset and, when in the P mode, it is not, then the DDU unit delays the data for the slave accordingly, or stores the output data of the master until they can be compared to the output data of the slave for fault detection purposes.

The clock offset will be explained in more detail with reference to FIG. 1.

FIG. 1 shows a dual-processor system including a first processor 100, in particular a master processor, and a second processor 101, in particular a slave processor. The entire system is operated with a predeterminable clock pulse, i.e., in predeterminable clock cycles (CLK). The clock pulse is supplied to the system via clock input CLK1 of processor 100 and via clock input CLK2 of processor 101. Moreover, this dual-processor system includes, by way of example, a special feature for fault detection, namely that first processor 100 and second processor 101 operate with a time offset, in particular a predeterminable time offset or a predeterminable clock offset. In this context, any time may be specified for a time offset and any clock pulse may be specified with respect to an offset of the clock cycles. This may be an integral clock cycle offset, but also, for example, an offset of 1.5 clock cycles, as illustrated in this example, in which first processor 100 operates or is operated 1.5 clock cycles ahead of second processor 101. This offset prevents so-called common mode failures from affecting the processors, i.e., the cores or the dual-core system, in the same manner, as a result of which the common mode failures would remain undetected. That is, due to the offset, such common mode failures affect the processors at different points in the program execution and, therefore, have different effects on the two processors, as a result of which faults become detectable. Without a clock offset, identical fault effects would possibly not be detectable in a comparison. This is prevented in this manner. In order to implement this offset with respect to time or clock pulse, here in particular 1.5 clock cycles, in the dual-processor system, there are implemented offset blocks 112 through 115.

In order to detect the common mode failures, this system is designed, for example, to operate with a predetermined time offset or clock cycle offset, here in particular 1.5 clock cycles; i.e., while one processor, for example processor 100, accesses the components, in particular external components 103 and 104, directly, second processor 101 operates with a delay of exactly 1.5 clock cycles with respect thereto. In this case, in order to generate the desired one-and-a-half cycle delay, i.e., the delay of 1.5 clock cycles, processor 101 is supplied with the inverted clock, i.e., the inverted clock pulse at clock input CLK2. Because of this, however, the aforementioned ports of the processor, i.e., its data and instructions through the buses, must also be delayed by the above-mentioned clock cycles, i.e., here in particular 1.5 clock cycles, for which purpose offset or delay blocks 112 through 115 are provided, as mentioned earlier. In addition to the two processors 100 and 101, there are provided components 103 and 104, which are in communication with the two processors 100 and 101 via buses 116, including bus lines 116A and 116B and 116C, as well as 117, including bus lines 117A and 117B. 117 is an instruction bus, where an instruction address bus is denoted by 117A and the sub-instruction (data) bus is denoted by 117B. Address bus 117A is connected via an instruction address port IA1 (Instruction Address 1) to processor 100 and via an instruction address port IA2 (Instruction Address 2) to processor 101. The instructions themselves are transmitted via sub-instruction bus 117B, which is connected via an instruction port I1 (Instruction 1) to processor 100 and via an instruction port I2 (Instruction 2) to processor 101. This instruction bus 117, which is formed by 117A ad 117B, has interconnected therein a component 103, for example, an instruction memory, in particular a safe instruction memory, or the like. In this example, this component, especially as an instruction memory, is also operated with clock pulse CLK. Furthermore, 116 represents a data bus, which includes a data address bus or data address line 116A and a data bus or data line 116B. 116A, i.e., the data address line, is connected via a data address port DA1 (Data Address 1) to processor 100 and via a data address port DA2 (Data Address 2) to processor 101. Similarly, the data bus or data line 116B is connected via a data port DO1 (Data Out 1) and a data port DO2 (Data Out 2) to processor 100 and processor 101, respectively. Data bus line 116C is also part of data bus 116, and is connected via a data port DI1 (Data In 1) and a data port DI2 (Data In 2) to processor 100 and processor 101, respectively. This data bus 116, which is formed by lines 116A, 116B and 116C, has interconnected therein a component 104, for example, a data memory, in particular a safe data memory, or the like. In this example, this component 104 is also supplied with clock pulse CLK.

In this context, components 103 and 104 represent any components which are connected via a data bus and/or instruction bus to the processors of the dual-processor system, and which may receive or output erroneous data with respect to write operations and/or read operations according to the accesses via data and/or instructions of the dual-processor system. It is true that, in order to prevent errors, error detection generators 105, 106 and 107 are provided, which generate an error code, such as a parity bit or other suitable error code, such as, for example, an error correction code, i.e., ECC, or the like. To this end, then, there are also provided corresponding error detection checkers or checking devices 108 and 109, which are used to check the respective error code, i.e., for example, the parity bit or other error code, such as ECC.

The comparison of the data and/or instructions with respect to the redundant embodiment in the dual-processor system is performed in comparators 110 and 111, as shown in FIG. 1. However, if there exists now a time offset, in particular a clock pulse or clock cycle offset, between processors 100 and 101, either caused by an asynchronous dual-processor system or, in a synchronous dual-processor system, by errors in the synchronization process or, as in this particular example, by a time or clock cycle offset, here in particular 1.5 clock cycles, that is desired for fault detection purposes, then one processor, here especially processor 100, may write or read erroneous data and/or instructions in components, especially external components, such as here, for example, memories 103 or 104, in particular, or also with respect to other stations or actuators or sensors, during this time or clock offset. Due to this clock offset, the processor may also erroneously perform, for example, a write access instead of an intended read access. Of course, these scenarios lead to errors in the entire system, in particular without any possibility to clearly indicate which data and/or instructions have just been erroneously changed, which also leads to the problem of recovery.

In order to solve this problem, a delay unit 102 is interconnected in the lines of the data bus and/or in the instruction bus, as shown. For the sake of clarity, only the interconnection in the data bus is illustrated. Of course, this is equally possible and conceivable with respect to the instruction bus. This delay unit 102 delays the accesses, here especially the memory accesses, in such a way that a possible time or clock offset is compensated for, especially when performing fault detection, for example, using comparators 110 and 111, the accesses being delayed, for example, until the error signal is generated in the dual-processor system, i.e., until the fault detection is performed in the dual-processor system. To this end, different variants can be implemented: delaying the write and read operations, delaying only the write operations, and also, although not preferred, delaying the read operations. In this context, using a change signal, in particular the error signal, a delayed write operation can be converted to a read operation in order to prevent erroneous writing.

An exemplary implementation with respect to the data distribution unit (DDU), which may be formed by a device for detecting the switchover request (through IIIOPDetect), the Mode Switch unit and the Iram and Dram control blocks, described below with reference to FIG. 2.

IIIOpDetect: The switchover between the two modes is detected by the “‘Switch Detect”’ units. This unit is located between the cache and the processor on the instruction bus and observes whether the IllOp instruction is loaded into the processor. If this instruction is detected, then this result is communicated to the Mode Switch unit. The “‘Switch Detect’ ” unit is provided for each processor separately. The “‘Switch Detect’ ” unit does not need to be fault-tolerant, because two such units are provided, which makes them redundant. On the other hand, it is possible to design this unit to be fault-tolerant and, therefore, as a single unit, but preference may be given to the redundant design.

ModeSwitch: Switching between the two modes is triggered by the “‘Switch Detect’ ” unit. If a switchover is to be made from the lock mode to the split mode, both “‘Switch Detect’ ” units detect the switchover because, both processors execute the same program code in the lock mode. The “‘Switch Detect’ ” unit of processor 1 detects this 1.5 clock pulses before the “‘Switch Detect’ ” unit of processor 2. The “‘Mode Switch’ ” unit halts processor 1 for 2 clock pulses with the aid of the wait signal. 1.5 clock pulses later, processor 2 is also halted, but only for a half clock pulse, in order to be synchronized with the system clock. After that, the status signal is switched to split for the other components, and the two processors continue to operate. In order for the two processors to execute different tasks, they must diverge in terms of the program code. This is accomplished by performing a read access to the processor ID immediately after switching to the split mode. This read-out processor ID is different for each of the two processors. If a comparison is now made with a reference processor ID, the respective processor can then be taken to a different program location using a conditional jump instruction.

A switchover from the split mode to the lock mode will be detected by one processor, that is, by one of two processors first. This processor will execute program code that contains the switching instruction. This is now detected by the “‘Switch Detect’ ” unit and communicated by it to the Mode Switch unit. The Mode Switch unit halts the respective processor and communicates the request for synchronization to the second processor using an interrupt. The second processor receives an interrupt and can now execute a software routine to complete its task. Then, it also jumps to the program location containing the switching instruction. Then, its “‘Switch Detect’ ” unit also signals the mode switch request to the Mode Switch unit. At the next rising edge of the system clock, the wait signal is deactivated for processor 1, and 1.5 clock pulses later for processor 2. Then, both processors operate synchronously again with a clock offset of 1.5 clock pulses.

When the system is in lock mode, both “‘Switch Detect’ ” units must inform the Mode Switch unit that they wish to change to the split mode. If only one unit issues a switchover request, then the comparison units will detect the fault, because one of the two processors continues to supply data to the comparison units, and the data do not match those of the halted processors.

When the two processors are in split mode and one processor does not switch back to lock mode, then this can be detected by an external watchdog. If there is a trigger signal for each processor, the watchdog notices that the waiting processor is no longer sending any signals. If there is only one watchdog signal for the processor system, then the triggering of the watchdog may only take place in the lock mode. Consequently, the watchdog would detect that that the mode switch has not occurred. The mode signal is present as a dual-rail signal. In this context, “‘10’” stands for the lock mode and “‘01’” stands for the split mode. In the case of “‘00’” and “‘11’”, faults have occurred.

IramControl: Access to the instruction memory of the two processors is controlled by the IRAM Control, which must be safe, because it is a single point of failure. The IRAM Control includes two finite automatons for each processor: in each case in the form of a clocked iram1clkreset and an asynchronous readiram1, respectively. In the safety-critical mode, the finite automatons of the two processors monitor each other, and in the performance mode, they operate separately.

The reloading of the two caches of the processors is controlled by 2 finite automatons. A synchronous finite automaton iramclkreset and an asynchronous readiram. These two finite automatons also distribute the memory accesses in the split mode. In this process, processor 1 has the higher priority. After an access to the main memory by processor 1, processor 2 is given memory access authorization, if both processors wish to access the main memory again. These two finite automatons are implemented for each processor. In the lock mode, the output signals of the automatons are compared to be able to detect any errors that may occur.

The data for updating cache 2 in the lock mode are delayed by 1.5 clock pulses in the IRAM control unit.

Bit 5 in register 0 of the SysControl encodes which core is concerned. For core 1, the bit is 0 and for core 2, it is high. This register is mirrored into the memory area having the address 65528.

In case of a memory access by core 2, it is first checked which mode the processor is in. If it is in the lock mode, its memory access is suppressed. This signal is present as a common-rail signal, because it is safety-critical.

The program counter of processor 1 is delayed by 1.5 clock pulses to be able to be compared to the program counter of processor 2 in the lock mode.

In the split mode, the caches of the two processors can be reloaded differently. If a switchover is now made to lock mode, the two caches are not coherent with each other. Because of this, the two processors may diverge and, therefore, the comparators signal a fault. In order to avoid this, a flag table is set up in the IRAM Control. This table records whether a cache line was written in lock mode or in split mode. In the lock mode, the corresponding entry for the cache line is set to 0, and in the split mode, it is set to 1, even if the cache line of only one cache is updated. If the processor now performs a memory access in lock mode, then a check is made as to whether this cache line was updated in the lock mode, that is, whether it is identical in both caches. In the split mode, the process can always access the cache line, regardless of the state of the Flag_Vector. Only one such table needs to exist, because a fault causes the two processors to diverge and, therefore, this fault is reliably detected in the comparators. Since the access times to the central table are relatively high, this table may also be copied to each cache.

DramControl: In this component, the parity is generated for the address, data, and memory control signals from each processor.

For both processors, there is one process to lock the memory. This process does not need to be of safe design, because in the lock mode, erroneous memory accesses are detected by the comparators, and in the split mode, no safety-critical applications are executed. The process checks whether the processor wishes to lock the memory for the other processor. Such locking of the data memory is accomplished by accessing the memory address $FBFF$=64511. This signal should be applied for exactly one clock pulse, even if a wait command is applied to the processor at the time the access is made. The finite automaton for managing data memory accesses is formed by two main states:

processor state LOCK: The two processors operate in the lock mode. That is, the data memory locking functionality is not needed. Processor 1 coordinates the memory accesses.

processor state SPLIT: now, access conflict resolution is needed on the data memory, and memory locking must be possible.

The state in the split mode is, in turn, divided into 7 states, which allow access conflicts to be resolved and the data memory to be locked for the respective other processor.

In the case of a simultaneous request of the two processors during an access, the specified order at the same time represents the priority assignment.

Core1\_Lock: Processor 1 has locked the data memory. If, in this state, the processor 2 wishes to access the memory, then it is halted by a wait signal until processor 1 releases the data memory. \

Core2\_Lock: This is same state as the previous one, except that now processor 2 has locked the data memory and processor 1 is halted in the case of data memory operations.

lock1\_wait: The data memory was locked by processor 2 when processor 1 also wished to reserve it for itself. Therefore, processor 1 is earmarked for the next memory locking operation.

nex: The same for processor 2. The data memory was locked when processor 1 attempted to lock it. The memory is pre-reserved for processor 2. In the case of normal memory access without locking, processor 2 can perform an access before processor 1 here, if, before that, it had been the turn of processor 1.

Memory access of processor 1: In this case, the memory is not locked. Processor 1 may access the data memory. If it wishes to lock the data memory, it can do so in this state.

Memory access by processor 2. In the same clock pulse, processor 1 did not wish to access the memory and, consequently, the memory is free for processor 2.

no processor wishes to access the data memory.

As mentioned earlier, the DDU is formed by the device for detecting the switchover request (IIIOPDetect), the ModeSwitch unit and the IramControl and DramControl.

FIG. 3 is a schematic view showing a switchable dual-processor system with the caches. One cache memory is shown by way of example in FIG. 4. A distinction must be made between data cache and instruction cache. In a non-switchable dual-processor system, no coherence problem occurs with respect to an instruction cache. Therefore, no snooping has been used so far. Here, the approach is now to perform snooping of the instructions that are loaded into the respective caches of the processors.

A table is set up:

set 0 tag 0 valid set 1 tag 1 not valid set 2 tag 2 valid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set 63 tag 63 valid

Representation of the Cache Snooping Table.

In this table, one entry is provided for each cache line. Only one such table is needed for the switchable multiprocessor system. If the data are written in lock mode, the corresponding line is marked valid in this table. If a cache line is written in split mode, then the corresponding entry for this line is marked invalid.

In the split mode, each time a cache access is made, it is only checked whether it contains valid values. In the lock mode, however, this new table is also queried. If the data are marked invalid in this table, there may indeed be valid data in the caches, but these data are not identical in the caches. In the lock mode, the comparator of the dual-processor system would therefore indicate a fault, because the two processors would diverge.

If this table is also used for the data memory, it must additionally be checked whether, if the data were loaded in the lock mode, this cache line was not only replaced in the split mode, but whether the data were also updated by a processor in one of the caches.

Instruction Cache:

New Cache Valid Higher-Order Action Field Table Action system starts all data all data up invalid invalid cache line is cache line cache line loaded in lock valid valid mode cache line is cache line cache line When accessing loaded in valid invalid the cache line in split mode lock mode, this cache line must be reloaded in all caches of the processors even if it is already marked valid in one cache.

If a cache line is replaced with another one in the split mode in one processor, then only the valid field must be replaced as invalid in the table. There is no need to pay attention to the tag field.

A second variant of the table may be as follows:

Cache 1 Cache 2 Comparison set 0 tag 0 tag 0 identical set 1 tag 1 tag 1 not identical set 2 tag 2 tag 2 identical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . set 63 tag 63 tag 63 identical

Cache Snooping Table According to Variant 2

The second variant of the table is that it includes only the set and tag fields, but for each member separately. This indeed makes the table larger, but the advantage is that, in the split mode, the system centrally documents for both caches what their contents look like. Then, in the lock mode, comparison of the tables makes it possible to determine whether these data are identical in both caches. Thus, unlike the first method, cache lines can be updated at different points in time, without being marked as invalid for the lock mode.

As explained above, the core of the present invention is the logging of the data in the cache. In addition to that, the object mentioned at the outset is also achieved by the specific implementation described.

Claims

1-30. (canceled)

31. A method for monitoring a memory unit in a system including at least two processing units, the method comprising:

switching between at least two operating modes of the system using a switchover arrangement; and
logging at least one of a memory content and an operating mode in which the memory content was generated.

32. The method of claim 31, wherein with respect to the operating modes, a distinction is made between a performance mode and a safety mode, and the logging includes recording which memory content was generated in the performance mode.

33. The method of claim 31, wherein with respect to the operating modes, a distinction is made between a performance mode and a safety mode, and the logging includes recording which memory content was generated in the safety mode.

34. The method of claim 31, wherein for logging purposes, a table is created, and the table is evaluated as a function of a mode signal indicative of the operating mode of at least one of the processing units.

35. The method of claim 32, wherein with respect to the memory content, data are distinguished from other memory contents or instructions, and the table additionally logs whether the data were changed in the memory unit in the performance mode.

36. The method of claim 33, wherein with respect to the memory content, data are distinguished from other memory contents or instructions, and the table additionally logs whether the data were changed in the memory unit in the safety mode.

37. The method of claim 31, wherein the logging additionally includes recording whether a respective memory content is valid.

38. The method of claim 31, wherein all memory contents are invalidated when starting the processing units.

39. The method of claim 31, wherein one memory unit is provided for each processing unit, and the logging is performed for each memory unit, and wherein a comparison of the log is made for each of the memory units.

40. The method of claim 39, wherein one table is created for the two processing units during the logging.

41. The method of claim 39, wherein one table is created for each of the processing units during the logging, table entries being interchangeable between the tables.

42. The method of claim 34, wherein table entries are checked for conformity.

43. The method of claim 37, wherein validity information is evaluated in the safety mode.

44. A device for monitoring a memory unit in a system including at least two processing units, comprising:

a switchover arrangement to allow switching between at least two operating modes of the system; and
a logging arrangement to log at least one of a memory content and an operating mode in which the memory content was generated.

45. The device of claim 44, wherein the memory unit includes a cache memory.

46. The device of claim 44, wherein the memory unit includes at least one validity field in which validity information of the memory content can be entered.

47. The device of claim 44, wherein with respect to the operating modes, a distinction is made between a performance mode and a safety mode, and the logging includes recording which memory content was generated in the performance mode.

48. The device of claim 44, wherein with respect to the operating modes, a distinction is made between a performance mode and a safety mode, and the logging includes recording which memory content was generated in the safety mode.

49. The device of claim 44, wherein a table is created for logging purposes, and the table is evaluated as a function of a mode signal indicative of the operating mode of at least one of the processing units.

50. The device of claim 47, wherein with respect to the memory contents, data are distinguished from other of the memory contents or instructions, and the table logs whether the data were changed in the memory unit in the performance mode.

51. The device of claim 48, wherein with respect to the memory contents, data are distinguished from other memory contents or instructions, and the table logs whether the data were changed in the memory unit in the safety mode.

52. The device of claim 44, wherein the logging includes recording whether the respective memory content is valid.

53. The device of claim 44, wherein all of the memory contents are invalidated when the processing units are started.

54. The device of claim 44, wherein one memory unit is included for each of the processing units, and the logging is performed for each of the memory units, a comparison of the log being made for each of the memory units.

55. The device of claim 54, wherein a table is included for the two processing units during the logging.

56. The device of claim 54, wherein a table is created for each of the processing units during the logging, the table entries being interchangeable between the tables.

57. The device of claim 49, wherein the table entries are checked for conformity.

58. The device of claim 46, wherein the validity information is evaluated in the safety mode.

59. A system comprising:

a device for monitoring a memory unit in a system including at least two processing units, including: a switchover arrangement to allow switching between at least two operating modes of the system; and a logging arrangement to log at least one of a memory content and an operating mode in which the memory content was generated.

60. A memory unit comprising:

a device for monitoring a memory unit in a system including at least two processing units, including: a switchover arrangement to allow switching between at least two operating modes of the system; and a logging arrangement to log at least one of a memory content and an operating mode in which the memory content was generated.
Patent History
Publication number: 20080126718
Type: Application
Filed: Oct 25, 2005
Publication Date: May 29, 2008
Applicant: ROBERT BOSCH GMBH (Stuttgart)
Inventors: Thomas Kottke (Ehningen), Stefan Trittler (Gerlingen)
Application Number: 11/666,407
Classifications
Current U.S. Class: Control Technique (711/154); Accessing, Addressing Or Allocating Within Memory Systems Or Architectures (epo) (711/E12.001)
International Classification: G06F 12/00 (20060101);