Trap sub-parts of computer readable instructions and related systems, methods, and apparatus

By introducing a trap sub-section into the processing circuit, a single-bit fixed fault of the program counter is captured, ensuring the safe operation of the processing circuit under fault conditions. This solves the problem of unpredictable operation caused by fixed faults in the prior art and realizes the stable operation of safety-critical equipment.

CN117015765B · Active · Publication Date: 2026-06-26 · MICROCHIP TECHNOLOGY INC

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
MICROCHIP TECHNOLOGY INC
Filing Date
2022-02-10
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

In the prior art, the program counter (PC) of the processing circuit is susceptible to fixed faults, leading to unpredictable operation that cannot be effectively detected and recovered, thus affecting the safety of safety-critical products.

Method used

By introducing a trap subsection of computer-readable instructions into the processing circuit, fixed high traps and fixed low traps are used to capture single-bit fixed faults in the program counter, ensuring that the processing circuit enters a safe loop in fault conditions and avoids jumping to unknown addresses.

Benefits of technology

It achieves safe capture of all single-bit fixed faults, ensuring that the processing circuit maintains safe operation in fault conditions, independent of the initialization state of the watchdog timer, and preventing unsafe operation of safety-critical equipment.

✦ Generated by Eureka AI based on patent content.


Abstract

Trap sub-parts of computer readable instructions and related systems, methods, and apparatus are disclosed. A processing circuit includes a processing core including a program counter that cycles through addresses, and a data storage device including computer readable instructions stored thereon. Sub-parts of the computer readable instructions correspond to subroutines. Locations of the sub-parts within the data storage device are associated with the addresses. A first sub-part at a first location within the data storage device is indicated by a first address. A first trap sub-part at a first trap location is indicated by a first trap address. The first trap address differs from the first address by only a single bit. The first trap sub-part instructs the processing core to execute a first trap subroutine that either jumps to the first address or jumps back to itself.

Description

[0001] Cross-referencing of related patent applications

[0002] This application claims the benefit of the priority date of U.S. Provisional Patent Application Serial No. 63/148,060, filed February 10, 2021, pursuant to 35 U.S.C. §119(e), the entire disclosure of which is incorporated herein by reference.

Technical Field

[0003] This disclosure relates generally to trap sub-parts of computer-readable instructions, and more specifically to the safe operation of safety-critical products in response to trap sub-parts of computer-readable instructions.

Background

[0004] Fixed faults in the program counter (PC) of a processing circuit can occur in response to damage or defects in one or more semiconductor devices (e.g., transistors) of the PC. A "fixed fault" (i.e., a stuck-at fault) is when the output of a bit remains fixed at a specific logic level regardless of the programmed condition. For example, high-energy particles (e.g., radiation particles such as alpha, beta, and gamma particles) can penetrate the packaging material of an integrated circuit device and impact the semiconductor chip, potentially damaging the circuitry that enables the PC's functionality. Similar problems can arise on the address bus, where one or more lines are fixed at a particular value.

Brief Description of the Drawings

[0005] Although this disclosure concludes with claims that specifically point out and clearly claim particular examples, the various features and advantages of the examples within the scope of this disclosure can be more readily identified by the following description when read in conjunction with the accompanying drawings:

[0006] Figure 1 is a flowchart illustrating a problem that may occur in a method of operating a processing circuit in response to a fixed fault;

[0007] Figure 2 is a block diagram of a processing circuit according to some examples;

[0008] Figure 3 is a schematic diagram illustrating the operational flow of an example method of operating the processing circuit of Figure 2, according to some examples;

[0009] Figure 4 is a schematic diagram illustrating the operational flow of another example method of operating the processing circuit of Figure 2, according to some examples;

[0010] Figure 5 is a schematic diagram illustrating the operational flow of another example method of operating the processing circuit of Figure 2, according to some examples;

[0011] Figure 6 is a block diagram of a safety-critical system including the processing circuitry of Figure 3, according to some examples;

[0012] Figure 7 is a flowchart illustrating a method of operating the processing circuitry according to some examples; and

[0013] Figure 8 is a block diagram of a circuit which, in some examples, can be used to implement the various functions, operations, actions, processes, and/or methods disclosed herein.

Detailed Description

[0014] In the following detailed description, reference is made to the accompanying drawings, which form part of this disclosure, and specific examples in which this disclosure may be practiced are shown by way of example. These examples are described in sufficient detail to enable those skilled in the art to practice this disclosure. However, other examples enabled herein may be utilized, and structural, material, and process changes may be made without departing from the scope of this disclosure.

[0015] The illustrations presented herein are not intended to be actual views of any particular method, system, device, or structure, but are merely idealized representations used to describe examples of this disclosure. In some cases, for the convenience of the reader, similar structures or components in the various figures may retain the same or similar numbering; however, similarity in numbering does not necessarily mean that the structures or components are identical in size, composition, construction, or any other property.

[0016] The following description may include examples to assist those skilled in the art in practicing the examples disclosed herein. The use of the terms “exemplary,” “for example,” and “e.g.” means that the description is illustrative, and while the scope of this disclosure is intended to cover examples and legal equivalents, the use of such terms is not intended to limit the examples or the scope of this disclosure to the specified parts, steps, features, functions, etc.

[0017] It should be readily understood that the components of the examples described herein and shown in the accompanying drawings can be arranged and designed in a variety of different configurations. Therefore, the following description of various examples is not intended to limit the scope of this disclosure, but rather to represent various examples only. While various aspects of these examples are given in the accompanying drawings, the drawings are not necessarily drawn to scale unless specifically indicated otherwise.

[0018] Furthermore, the specific embodiments shown and described are merely examples and should not be construed as the only way to implement this disclosure unless otherwise indicated herein. Components, circuits, and functions may be shown in block diagram form so as not to obscure this disclosure with unnecessary detail. Rather, the specific embodiments shown and described are merely exemplary and should not be construed as the only way to implement this disclosure unless otherwise indicated herein. Additionally, block definitions and logical partitioning between blocks are examples of specific embodiments. It will be apparent to those skilled in the art that this disclosure can be practiced with many other partitioning solutions. In most cases, details regarding timing considerations, etc., have been omitted, where such details do not require a full understanding of this disclosure and are within the capabilities of those skilled in the art.

[0019] Those skilled in the art will understand that information and signals can be represented using any of a variety of different techniques and methods. For clarity of presentation and description, some accompanying drawings may show a signal as a single signal. It should be understood by those skilled in the art that a signal may represent a signal bus, wherein the bus may have multiple bit widths, and this disclosure can be implemented on any number of data signals, including a single data signal.

[0020] The various exemplary logic blocks, modules, and circuits described in conjunction with the examples disclosed herein can be implemented or carried out using a general-purpose processor, a special-purpose processor, a digital signal processor (DSP), an integrated circuit (IC), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic components, discrete hardware components, or any combination thereof designed to implement the functions described herein. A general-purpose processor (which may also be referred to herein as a “host processor” or simply a “host”) can be a microprocessor, but alternatively, the processor can be any conventional processor, controller, microcontroller, or state machine. The processor can also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors combined with a DSP core, or any other such configuration. When a general-purpose computer including a processor executes computational instructions (e.g., software code) related to the examples of this disclosure, the general-purpose computer is considered a special-purpose computer.

[0021] Examples can be described based on processes depicted as flowcharts, schematic diagrams, structural diagrams, or block diagrams. While a flowchart may describe operable actions as a sequential process, many of these actions may be performed in another sequence, in parallel, or substantially simultaneously. Furthermore, the order of actions can be rearranged. Processes in this document may correspond to methods, threads, functions, procedures, subprograms, subroutines, other structures, or combinations thereof. Furthermore, the methods disclosed herein can be implemented in hardware, software, or both. If implemented in software, these functions may be stored or transferred as one or more instructions or code on a computer-readable medium. Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates the transfer of a computer program from one location to another.

[0022] Any references to elements in this document, such as “first”, “second”, etc., do not limit the number or order of those elements unless such limitation is explicitly stated. Rather, these names serve as a convenient way to distinguish between two or more elements or instances of elements. Therefore, mentioning a first element and a second element does not imply that only two elements can be used there, or that the first element must somehow precede the second element. Furthermore, unless otherwise specified, a group of elements may include one or more elements.

[0023] As used herein, the term "substantially" when referring to a given parameter, property, or condition means and includes, to a certain extent, what a person of ordinary skill in the art will understand as achieving the given parameter, property, or condition with minor variations (such as, for example, within acceptable manufacturing tolerances). By way of example, depending on the specific parameter, property, or condition that is substantially satisfied, it may be satisfied to at least 90%, at least 95%, or even at least 99%.

[0024] In safety-critical products, it is necessary to test or detect (e.g., diagnose) faults in processing circuitry (e.g., microcontrollers) to ensure safe operation of the product. As a non-limiting example, if a fixed fault occurs in the program counter or address bus of the processing circuitry, safety-critical products involving valve control to allow and prohibit the flow of flammable fluids through the valve may perform in unpredictable and dangerous ways. The flow of flammable fluids at unexpected times could result in injury or death to one or more persons and / or damage or destruction to equipment, facilities, and / or the environment.

[0025] Recommended and adequate diagnostic tests are specified by standards such as IEC 60730. IEC 60730, Annex H, Table H.1 specifies that diagnostic tests must identify fixed faults in the program counter (PC).

[0026] Diagnostic tests for fixed faults in the program counter are performed by testing that no bits are fixed. To catch a fixed fault in the program counter that occurs at runtime and is not detected by the diagnostic tests, a watchdog timer is used to reset the MCU or other processor in the safety-critical device in response to unexpected program flow or timing.

[0027] However, if a bit is fixed in the program counter or the address bus, the processing circuitry may not be able to execute instructions in the expected sequence. Therefore, the diagnostic tests may not run, or may not run as expected. A fault detection mechanism that is itself affected by the fault cannot be considered an independent safety mechanism. Successful execution of the diagnostic tests requires the absence of a fixed fault in the program counter, meaning the fault detection mechanism has not achieved its purpose and cannot properly be claimed to have contributed to system safety. In the case of a fixed fault in the program counter, the watchdog timer is the only and last line of defense, but since the watchdog timer is typically software-initialized, its successful initialization may depend on whether a fixed fault is present in the program counter. In effect, this means that the fault detection capability of a software-initialized watchdog timer is also compromised, as it too is affected by the fault. The inventors of this disclosure now recognize that any assumption that the combination of a software-initialized watchdog timer and diagnostics verifying the absence of a fixed fault will work is unsafe, as a fixed fault may prevent the watchdog timer initialization, the diagnostics, or both from functioning correctly.

[0028] Many safety-critical systems may use fixed-bit program counter diagnostic methods which do not necessarily work in reality and are therefore potentially unsafe. The fixed-bit program counter traps disclosed herein can catch virtually all single-bit fixed faults in the program counter, regardless of whether the watchdog timer has been software-initialized to operate as expected.

[0029] Figure 1 is a flowchart illustrating a problem that may occur in a method 100 of operating processing circuitry (e.g., a CPU) in response to a fixed fault. If a bit is fixed high, half of the instruction addresses will be inaccessible to the processing circuitry. In the absence of any fixed bits (e.g., fixed high or fixed low), method 100 can proceed under the normal operating flow shown using solid lines. In contrast, dashed lines show the abnormal operating flow of method 100 in response to a single-bit fault 114 (e.g., a fixed-high fault).

[0030] Under normal operation (without fixed faults), method 100 may include releasing a reset at operation 102. At operation 104, method 100 includes the CPU starting execution from address 0x0000. Since no fixed fault interferes with the program counter pointing to address 0x0000, the program associated with address 0x0000 is executable, and method 100 may therefore jump to a known address at operation 106 to initialize a watchdog timer at operation 108. At operation 110, method 100 may include running diagnostic tests (e.g., fixed-fault diagnostic tests for the program counter and/or address bus). In response to passing the fixed-fault diagnostic tests, method 100 may proceed to operation 112, where method 100 includes running the application. During normal operation, method 100 may periodically return to operation 110 to run the fixed-fault diagnostic tests and return to operation 112 to run the application.

[0031] However, if the program counter experiences a fixed fault (such as a single-bit fault 114), method 100 may include a jump to an unknown address at operation 116 in response to releasing the reset at operation 102. Therefore, instead of starting execution from address 0x0000 in operation 104, method 100 may alternatively include the CPU starting execution from a different address one bit away from address 0x0000. As a particular non-limiting example, at operation 118, the CPU may start execution from address 0x0001; at operation 120, the CPU may start execution from address 0x0002; at operation 122, the CPU may start execution from address 0x0004; or at operation 124, the CPU may start execution from address 0x8000. Thus, at operation 126, the CPU may execute an unknown block of instructions out of order without initializing the watchdog timer (operation 108), without running the fixed diagnostic test for the program counter (e.g., operation 110), and without running the application program (operation 112). In other words, in response to a single bit fault 114, method 100 may never reach operation 108 (initializing the watchdog timer), operation 110 (running a fixed fault diagnosis test for the program counter), or operation 112 (running the application).

[0032] As shown in Figure 1, in response to a single-bit fault 114, execution of any of the various unknown instruction blocks associated with any of the various addresses can terminate at operation 126. For example, let A be a set of instruction addresses, and F be a fixed fault value 2^n, where n is the bit position of the fixed-high bit. Therefore, if a fixed-high bit fault exists, all addresses A will be executed as A|F (where | is the bitwise OR operator) instead of as A. For example, if bit 0 is fixed high, instruction address 0x0000 is replaced with 0x0001, 0x0002 is replaced with 0x0003, and so on. A similar problem applies if a program counter bit is fixed low.

[0033] The characteristics of a single fixed fault include:

[0034] Only half of the instruction address will be accessible to the processing core.

[0035] A randomly chosen instruction has a 50% probability of being executed incorrectly.

[0036] Statistically, there is a 99.9% chance of an execution error after only ten instructions (assuming a uniform probability of each address being accessed).

[0037] Characteristics of a fixed-high fault include that address 0x0000 will always result in erroneous execution. Characteristics of a fixed-low fault include that address 0x0000 will always execute correctly, and address 0xFFFF will always result in erroneous execution.

[0038] Figure 2 is a block diagram of a processing circuit 200 according to some examples. The processing circuit 200 includes a processing core 202 and a data storage device 204. The processing core 202 includes a program counter 208 for cycling through addresses. In Figure 2 the program counter 208 indicates the current address 210. The processing core 202 also includes code execution logic 252 for executing computer-readable instructions 206 stored in the data storage device 204.

[0039] The computer-readable instructions 206 include sub-parts of computer-readable instructions (e.g., a first sub-part 212, a second sub-part 218, first trap sub-parts 224, second trap sub-parts 226, and an application sub-part 240). The sub-parts of the computer-readable instructions 206 instruct the processing core 202 to execute subroutines. Each sub-part of the computer-readable instructions 206 corresponds to a respective one of the subroutines. For example, the first sub-part 212 corresponds to a first subroutine 232, the second sub-part 218 corresponds to a second subroutine 234, the first trap sub-parts 224 correspond to first trap subroutines 236, the second trap sub-parts 226 correspond to second trap subroutines 238, and the application sub-part 240 corresponds to an application subroutine 244.

[0040] Sub-parts of the computer-readable instruction 206 are located at a location on the data storage device 204. As used herein, when reference is made to the location of data or computer-readable instructions stored in the data storage device, the term “location” means a logical location, a physical location, or both. As a non-limiting example, a location may correspond to the physical location of a physical data storage element (e.g., a memory cell) storing a corresponding sub-part of the computer-readable instruction 206, or a logical location corresponding to such a physical location. For example, a first sub-part 212 is stored at a first location 214, a second sub-part 218 is stored at a second location 222, a first trap sub-part 224 is stored at a corresponding first trap location 254, a second trap sub-part 226 is stored at a corresponding second trap location 256, and an application sub-part 240 is stored at a corresponding application location 258.

[0041] Addresses are used to indicate the locations of the sub-parts of the computer-readable instructions 206. For example, the first sub-part 212 is located at the first location 214 indicated by a first address 216 (e.g., 0x0000). The second sub-part 218 is located at the second location 222 indicated by a second address 220 (e.g., the boot or end-of-memory address 0xFFFF, corresponding to the boot or end-of-memory location). The first trap sub-parts 224 are located at corresponding first trap locations 254 indicated by corresponding first trap addresses 228 (e.g., 0x0001, ..., 0x8000). The second trap sub-parts 226 are located at corresponding second trap locations 256 indicated by corresponding second trap addresses 230 (e.g., 0x7FFF, ..., 0xFFFE), and the application sub-part 240 is located at a corresponding application location 258 indicated by a corresponding application address 242 (e.g., one of the application addresses being the application start address).

[0042] In operation, current address 210 cyclically passes through the addresses corresponding to sub-parts of computer-readable instructions 206 stored on data storage device 204. Processing core 202 provides current address 210 to data storage device 204 (e.g., via address bus 246). In response to current address 210, data storage device 204 provides current sub-part 250 (i.e., a sub-part of computer-readable instructions 206 located at the position indicated by current address 210) to processing core 202 (e.g., via data bus 248).

[0043] The first address 216 comprises multiple bits, and each of the first trap addresses 228 differs from the first address 216 by a single corresponding bit. As a non-limiting example, the first address 216 can be a consecutive series of zeros. Since each of the first trap addresses 228 differs from the first address 216 by only a single bit, where the first address 216 is 0x0000 (hexadecimal, equal to 16 consecutive zeros in binary), the first trap addresses 228 can be 0x0001, 0x0002, 0x0004, 0x0008, 0x0010, 0x0020, 0x0040, 0x0080, 0x0100, 0x0200, 0x0400, 0x0800, 0x1000, 0x2000, 0x4000, and 0x8000. Each first trap sub-part 224 instructs the processing core 202 to execute a corresponding first trap subroutine 236 to jump to the first address 216 or to jump back to itself. Therefore, where a fixed-high fault causes the processing core 202 to retrieve one of the first trap sub-parts 224 and execute one of the first trap subroutines 236 instead of retrieving the first sub-part 212 and executing the first subroutine 232, that first trap sub-part 224 will be retrieved repeatedly and the corresponding first trap subroutine 236 will be executed repeatedly. Thus, in response to a single fixed-high fault of the program counter 208 or the address bus 246, the processing core 202 will be held in a continuous loop executing one of the first trap subroutines 236.

[0044] In some examples, the first sub-part 212 instructs the processing core 202 to execute the first subroutine 232 to jump to the second address 220. Therefore, if the first address 216 is a consecutive series of zeros, the current address 210 of the program counter 208 can be updated to the second address 220 (e.g., a consecutive series of ones: 0xFFFF, the boot or end-of-memory address) if no fixed-high fault exists at the program counter 208. The second address 220 can be the one's complement of the first address 216 to enable the detection of all fixed faults by executing the first subroutine 232 and the second subroutine 234. In other words, the first subroutine 232 and the first trap subroutines 236 enable the detection of fixed-high faults, and the second subroutine 234 and the second trap subroutines 238 enable the detection of fixed-low faults.

[0045] Each second trap address 230 differs from the second address 220 by only a single bit. For example, if the second address 220 is 0xFFFF (hexadecimal, equal to 16 consecutive ones in binary), the second trap sub-parts 226 can be located at second trap addresses 230 of 0x7FFF, 0xBFFF, 0xDFFF, 0xEFFF, 0xF7FF, 0xFBFF, 0xFDFF, 0xFEFF, 0xFF7F, 0xFFBF, 0xFFDF, 0xFFEF, 0xFFF7, 0xFFFB, 0xFFFD, and 0xFFFE. Each second trap sub-part 226 instructs the processing core 202 to execute a second trap subroutine 238 to jump to the second address 220, to jump back to itself, or to jump to the first address 216. Therefore, where a fixed-low fault causes the processing core 202 to retrieve one of the second trap sub-parts 226 and execute one of the second trap subroutines 238 instead of retrieving the second sub-part 218 and executing the second subroutine 234, that second trap sub-part 226 will be retrieved repeatedly and the corresponding second trap subroutine 238 will be executed repeatedly. Thus, in response to a single fixed-low fault of the program counter 208 or the address bus 246, the processing core 202 will be held in a continuous loop executing one of the second trap subroutines 238.

[0046] In order to capture all possible single-bit fixed faults, the number (i.e., quantity) of first trap sub-parts 224 and the number of second trap sub-parts 226 are each equal to the number of bits in the address; that is, for an address with X bits, there are X first trap sub-parts 224 and X second trap sub-parts 226.

[0047] In some examples, processing circuit 200 includes a watchdog timer 260 to detect a fixed fault in program counter 208 during runtime. Watchdog timer 260 initiates a reset operation in response to the detection of a fault (such as a fixed fault in program counter 208), for example because watchdog timer 260 was not serviced before a timeout. After the reset operation, if the fixed fault persists, processing core 202 will be locked in a continuous loop executing either a first trap subroutine 236 or a second trap subroutine 238 as described above. In some examples, watchdog timer 260 may be implemented independently of computer-readable instructions 206 to prevent fixed faults from interfering with the operation of watchdog timer 260. In some examples, a watchdog timer (not shown) external to processing circuit 200 may be used. In some examples, watchdog timer 260 initiates the reset operation independently of processing core 202.

[0048] Figure 3 is a schematic diagram of the operational flow of a method 300 of operating the processing circuit 200 of Figure 2, according to some examples. Figure 3 shows the 16-bit program counter 208 of Figure 2. This implementation covers all single-bit fixed faults except for reset. This implementation assumes the first instruction executed is at address 0x0000. It should be noted that program counters with a different number of bits can alternatively be implemented, and the 16-bit program counter 208 is discussed herein only as an example. For example, this implementation may be adapted to work with program counters of other sizes (e.g., 8-bit, 32-bit, or 64-bit program counters, i.e., different from the 16-bit program counter). This implementation may also be adapted to work with start addresses other than 0x0000.

[0049] Normal operation of processing circuit 200 (Figure 2), i.e., operation without a single fixed-high fault 314 or a single fixed-low fault 316, is indicated in Figure 3 by arrows with solid lines, while arrows with dashed lines indicate abnormal operation of the circuit. At operation 302, method 300 includes a reset release. Under normal operation (without fixed faults such as a single fixed-high fault 314 or a single fixed-low fault 316), the program counter 208 can be set to 0x0000 on reset release, and a jump to the end-of-memory address 0xFFFF (e.g., JMP 0xFFFF) can be performed at operation 304. In response to the jump to the end-of-memory address performed at operation 304, i.e., a jump to memory address 0xFFFF, method 300 includes a jump to the start of the application (e.g., JMP application start, executed from memory address 0xFFFF) at operation 306. At operation 308, if no fault is detected, method 300 includes running the application.

[0050] However, if the program counter 208 or the address bus 246 (Figure 2) experiences a single fixed-high fault 314, one of several fixed-high traps 310 can be executed instead of the reset vector (address 0x0000). The first trap addresses 228 (Figure 2) associated with these fixed-high traps 310 each differ from the initial reset address 0x0000 by one bit (e.g., 0x0001, 0x0002, 0x0004, 0x0008, 0x0010, 0x0020, 0x0040, 0x0080, 0x0100, 0x0200, 0x0400, 0x0800, 0x1000, 0x2000, 0x4000, and 0x8000). In the example shown in Figure 3, each fixed-high trap 310 executes a jump to 0x0000 (the reset vector address). However, due to the single fixed-high fault 314, the same fixed-high trap 310 will be executed again, thus trapping method 300 in repeated execution of one of the fixed-high traps 310. Therefore, processing circuit 200 (Figure 2) performs a safe operation, that is, it does not redirect to an unknown address.

[0051] If program counter 208 or address bus 246 experiences a single fixed-low fault 316, the reset vector (0x0000) is executed correctly. However, at operation 306, one of several fixed-low traps 312 can be executed instead of 0xFFFF (the end of program memory). The second trap addresses 230 (Figure 2) associated with these fixed-low traps 312 each differ from 0xFFFF by one bit (e.g., 0x7FFF, 0xBFFF, 0xDFFF, 0xEFFF, 0xF7FF, 0xFBFF, 0xFDFF, 0xFEFF, 0xFF7F, 0xFFBF, 0xFFDF, 0xFFEF, 0xFFF7, 0xFFFB, 0xFFFD, and 0xFFFE). In the example shown in Figure 3, each fixed-low trap 312 executes a jump to 0xFFFF. However, due to the single fixed-low fault 316, the same fixed-low trap 312 will be executed again, thus trapping method 300 in repeated execution of one of the fixed-low traps 312. Therefore, processing circuit 200 (Figure 2) performs a safe operation, that is, it does not redirect to an unknown address.

[0052] The examples disclosed herein safely capture all single-bit fixed faults of the program counter. As previously discussed, the examples disclosed herein can be used in conjunction with a watchdog timer that implements an independent time-slot monitoring mechanism, such that a fixed fault occurring at runtime is detected by the watchdog timer (regardless of the erroneous code execution caused by the fixed fault of the program counter), and the repeated execution of a fixed high trap in fixed high traps 310 or a fixed low trap in fixed low traps 312 can then be monitored by another system. The watchdog timer generates a RESET independently of the CPU, and after that reset the fixed-fault traps of the program counter keep the system in a safe state. Once a trap is triggered by a fault, the system remains safe even if the watchdog timer cannot be initialized by software.

[0053] As an alternative to jumping to address 0x0000, fixed high traps 310 can jump to themselves. Similarly, instead of jumping to 0xFFFF, fixed low traps 312 can jump to themselves. Figure 4 illustrates an example of this alternative.

[0054] Figure 4 is a flowchart of another example of a method 400 of operating processing circuit 200 (Figure 2) according to some examples. Method 400 is similar to method 300 of Figure 3. For example, method 400 includes operations 302, 304, 306, and 308 discussed above with reference to Figure 3. However, in contrast to fixed high traps 310 of Figure 3, which execute a jump to 0x0000, method 400 includes fixed high traps 402 that execute a jump to themselves (JMP SELF). Furthermore, in contrast to fixed low traps 312 of Figure 3, which execute a jump to 0xFFFF, method 400 includes fixed low traps 404 that execute a jump to themselves (JMP SELF).

[0055] If program counter 208 experiences a single fixed high fault 314, one of several fixed high traps 402 is executed instead of the reset vector (address 0x0000). In the example shown in Figure 4, each fixed high trap in fixed high traps 402 executes a jump to itself, after which the same fixed high trap in fixed high traps 402 is executed again and again jumps to itself. The jump back to itself repeats continuously, thus trapping method 400 in repeated execution of one fixed high trap in fixed high traps 402. Therefore, processing circuit 200 (Figure 2) performs a safe operation, that is, it does not redirect to an unknown address.

[0056] If program counter 208 experiences a single fixed low fault 316, the reset vector (0x0000) is executed correctly. However, one of several fixed low traps 404 is executed instead of 0xFFFF. In the example shown in Figure 4, each fixed low trap in fixed low traps 404 executes a jump to itself, after which the same fixed low trap in fixed low traps 404 is executed again and again jumps to itself. This continuous repetition of jumps back to the same fixed low trap in fixed low traps 404 thus traps method 400 in repeated execution of one fixed low trap in fixed low traps 404. Therefore, processing circuit 200 (Figure 2) performs a safe operation, that is, it does not redirect to an unknown address.

[0057] Figure 5 is a flowchart of another example of a method 500 of operating processing circuit 200 (Figure 2) according to some examples. Method 500 is similar to method 300 of Figure 3. For example, method 500 includes operations 302, 304, 306, and 308 discussed above with reference to Figure 3. Method 500 also includes fixed high traps 310 discussed above with reference to Figure 3. However, in contrast to fixed low traps 312 of Figure 3, which execute a jump to 0xFFFF, method 500 includes fixed low traps 502 that execute a jump to the initial reset vector 0x0000 (JMP 0x0000).

[0058] In response to a single fixed high fault 314, method 500 can operate similarly to method 300 of Figure 3, because method 500 includes fixed high traps 310 of Figure 3. Furthermore, in response to a single fixed low fault 316, the reset vector (0x0000) is correctly executed. However, one of several fixed low traps 502 is executed instead of operation 306 at 0xFFFF. In the example shown in Figure 5, each fixed low trap in fixed low traps 502 executes a jump to reset vector 0x0000. In the absence of a single fixed high fault 314, operation 304 correctly executes the jump to 0xFFFF, but because of the single fixed low fault 316, the same fixed low trap in fixed low traps 502 that previously jumped back to reset vector 0x0000 is executed again and again jumps back to reset vector 0x0000. The jump back to the reset vector, the execution of operation 304, and the single fixed low fault 316 repeat consecutively, thus trapping method 500 in repeated execution of one fixed low trap in fixed low traps 502. Therefore, processing circuit 200 (Figure 2) performs a safe operation, that is, it does not redirect to an unknown address.
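As an added illustration (not the patent's own code), the following Python model simulates a 16-bit program counter with one bit stuck high or low against the three trap layouts of methods 300 (traps jump to 0x0000 / 0xFFFF), 400 (traps jump to themselves) and 500 (fixed low traps jump to 0x0000), and contrasts them with a layout that has no traps at all. The application start address 0x0123 and the "unknown address" outcome are constructed for the model; only 0x0000, 0xFFFF and the single-bit trap addresses come from the text.

```python
"""Model of single-bit fixed (stuck-at) faults on a 16-bit program counter.

Added example; it is not code from the patent. Program memory is modelled as a
map from address to the target of the JMP stored there. Any fetch from an
address with no instruction is the unsafe "jump to an unknown address" case.
"""

ADDR_BITS = 16
RESET_VECTOR = 0x0000      # first address: all zeros
END_OF_MEMORY = 0xFFFF     # second address: one's complement of the first
APP_START = 0x0123         # constructed application start (several bits away from both)


def build_program(trap_style):
    """Return {address: jump_target} for one trap layout.

    trap_style: "vector" (method 300), "self" (method 400),
                "reset" (method 500) or "none" (no traps, for contrast).
    """
    program = {RESET_VECTOR: END_OF_MEMORY, END_OF_MEMORY: APP_START}
    if trap_style == "none":
        return program
    for bit in range(ADDR_BITS):
        high_trap = RESET_VECTOR | (1 << bit)              # one bit away from 0x0000
        low_trap = END_OF_MEMORY & ~(1 << bit) & 0xFFFF    # one bit away from 0xFFFF
        if trap_style == "vector":
            program[high_trap], program[low_trap] = RESET_VECTOR, END_OF_MEMORY
        elif trap_style == "self":
            program[high_trap], program[low_trap] = high_trap, low_trap
        elif trap_style == "reset":
            program[high_trap], program[low_trap] = RESET_VECTOR, RESET_VECTOR
        else:
            raise ValueError(f"unknown trap style {trap_style!r}")
    return program


def apply_fault(addr, fault):
    """Apply a single-bit fixed fault to the address seen on the bus.

    fault: None, ("high", bit) for a bit stuck at 1, ("low", bit) for a bit stuck at 0.
    """
    if fault is None:
        return addr
    kind, bit = fault
    return addr | (1 << bit) if kind == "high" else addr & ~(1 << bit) & 0xFFFF


def run(program, fault, max_steps=64):
    """Fetch from the reset vector onward and classify the outcome.

    Returns (outcome, trace) where outcome is "app" (application start reached),
    "trapped" (execution settled into a loop of known addresses, which a watchdog
    can then detect) or "unknown" (fetch from an address holding no instruction).
    """
    pc = RESET_VECTOR
    trace, seen = [], set()
    for _ in range(max_steps):
        fetched = apply_fault(pc, fault)
        trace.append(fetched)
        if fetched == APP_START:
            return "app", trace
        if fetched not in program:
            return "unknown", trace
        if fetched in seen:
            return "trapped", trace
        seen.add(fetched)
        pc = program[fetched]
    return "trapped", trace


def all_single_bit_faults():
    """Every single-bit fixed high and fixed low fault on a 16-bit address."""
    return [(kind, bit) for kind in ("high", "low") for bit in range(ADDR_BITS)]


def all_faults_trapped(trap_style):
    """True if every single-bit fault ends in a trap loop for this layout."""
    program = build_program(trap_style)
    return all(run(program, f)[0] == "trapped" for f in all_single_bit_faults())


if __name__ == "__main__":
    for style in ("vector", "self", "reset", "none"):
        prog = build_program(style)
        print(f"{style:>6}: no fault -> {run(prog, None)[0]}, "
              f"all faults trapped -> {all_faults_trapped(style)}")
    # Show one fixed low fault on bit 0 under method 500: 0x0000 -> 0xFFFE -> 0x0000 ...
    print([hex(a) for a in run(build_program("reset"), ("low", 0))[1]])
```

The "none" layout shows what the traps prevent: with a stuck bit and no trap instruction at the single-bit neighbours of 0x0000 and 0xFFFF, the first fetch after reset already lands on an address holding nothing.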

[0059] Figure 6 is a block diagram of a safety-critical system 600 including processing circuit 200 of Figure 2, according to some examples. Safety-critical system 600 also includes a safety-critical device 602 controlled by processing circuit 200.

[0060] As a non-limiting example, safety-critical equipment 602 may include valves that allow and restrict the flow of flammable fluids. Also as a non-limiting example, safety-critical equipment 602 may include medical devices (e.g., pacemakers, ventilators, dialysis equipment, life support equipment, etc.), electrical infrastructure equipment (e.g., fuses, circuit breakers, alarms, etc.), nuclear systems, vehicle brakes, other safety-critical equipment, or combinations thereof.

[0061] When processing circuit 200, in response to a single-bit fixed fault of program counter 208 or address bus 246 (Figure 2), traps its own operation in a continuous loop, processing circuit 200 is prevented from executing an arbitrary one of application subroutines 244 (Figure 2) instead of looping. This prevents unsafe operation of safety-critical device 602.

[0062] Figure 7 is a flowchart of a method 700 of operating a processing circuit (e.g., processing circuit 200 of Figure 2) according to some examples. At operation 702, method 700 includes detecting a fault in the operation of the processing circuit during its runtime. As a non-limiting example, detecting the fault may include detecting a fixed fault using a watchdog timer (e.g., watchdog timer 260 of Figure 2) or a diagnostic test. At operation 704, method 700 includes resetting the operation of the processing circuit in response to the detected fault.

[0063] At operation 706, method 700 includes starting a cycle through addresses in the program counter (e.g., program counter 208 of Figure 2) at a first address (e.g., first address 216 of Figure 2) corresponding to a first sub-part (e.g., first sub-part 212 of Figure 2) of computer-readable instructions (e.g., computer-readable instructions 206 of Figure 2) stored at a first location (e.g., first location 214 of Figure 2) in a data storage device (e.g., data storage device 204 of Figure 2). At operation 712, method 700 includes, in response to the first address in the program counter and a first type of fixed fault (e.g., a fixed high fault) in the program counter or the address bus, executing a first trap subroutine corresponding to a first trap sub-part of the computer-readable instructions to jump to the first address or jump back to itself.

[0064] At operation 708, method 700 includes, in response to the first address in the program counter and the absence of the first type of fixed fault in the program counter and the address bus, executing a first subroutine corresponding to the first sub-part of the computer-readable instructions to jump to a second address corresponding to a second sub-part of the computer-readable instructions at a second location in the data storage device. At operation 714, method 700 includes, in response to the second address in the program counter and a second type of fixed fault (e.g., a fixed low fault) in the program counter or the address bus, executing a second trap subroutine corresponding to a second trap sub-part of the computer-readable instructions to jump to the second address, jump back to itself, or jump to the first address. Dashed arrows are drawn from operation 714 to operations 706 and 714 to indicate that operation 706 or operation 714 may be executed in response to operation 714.

[0065] At operation 710, method 700 includes, in response to the second address in the program counter and the absence of the second type of fixed fault in the program counter and the address bus, executing a second subroutine corresponding to the second sub-part of the computer-readable instructions to jump to an application start address corresponding to an application sub-part of the computer-readable instructions and its application subroutine.

[0066] Operations 702 and 704 are drawn with dashed lines to indicate that these operations are performed only if a fixed fault occurs during the operation of the processing circuit. If the fixed fault does not occur during the operation of the processing circuit, method 700 may begin at operation 706.

[0067] Those skilled in the art will understand that the functional elements (e.g., functions, operations, actions, processes, and / or methods) of the examples disclosed herein can be implemented in any suitable hardware, software, firmware, or a combination thereof. Figure 8 Non-limiting examples of specific implementations of the functional elements disclosed herein are shown. In some examples, some or all portions of the functional elements disclosed herein may be executed by hardware specifically designed to perform the functional elements.

[0068] Figure 8 is a block diagram of a circuit 800, which in some examples can be used to implement the various functions, operations, actions, processes, and/or methods disclosed herein. Circuit 800 includes one or more processors 802 (sometimes referred to herein as "processor 802") operatively coupled to one or more data storage devices (sometimes referred to herein as "storage device 804"). Storage device 804 includes machine-executable code 806 stored thereon, and processor 802 includes logic circuitry 808. Machine-executable code 806 includes information describing functional elements that can be implemented (e.g., executed) by logic circuitry 808. Logic circuitry 808 is adapted to implement (e.g., execute) the functional elements described by machine-executable code 806. When executing the functional elements described by machine-executable code 806, circuit 800 should be considered dedicated hardware for executing the functional elements disclosed herein. In some examples, processor 802 may execute the functional elements described by machine-executable code 806 sequentially, simultaneously (e.g., on one or more different hardware platforms), or in one or more parallel process flows.

[0069] When implemented by logic circuitry 808 of processor 802, machine-executable code 806 adapts processor 802 to perform the operations of the examples disclosed herein. For example, machine-executable code 806 may adapt processor 802 to perform at least some or all of method 300 of Figure 3, method 400 of Figure 4, method 500 of Figure 5, and/or method 700 of Figure 7. As another example, machine-executable code 806 may adapt processor 802 to perform at least some or all of the operations discussed above for processing circuit 200 of Figure 2.

[0070] Processor 802 may include a general-purpose processor, a special-purpose processor, a central processing unit (CPU), a microcontroller, a programmable logic controller (PLC), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, other programmable devices, or any combination thereof designed to perform the functions disclosed herein. A general-purpose computer including a processor is considered a special-purpose computer when it executes functional elements corresponding to machine-executable code 806 (e.g., software code, firmware code, hardware description) associated with the examples of this disclosure. It should be noted that the general-purpose processor (also referred to herein as a host processor or simply host) may be a microprocessor, but alternatively, processor 802 may include any conventional processor, controller, microcontroller, or state machine. Processor 802 may also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, multiple microprocessors, one or more microprocessors combined with a DSP core, or any other such configuration.

[0071] In some examples, storage device 804 includes volatile data storage devices (e.g., random access memory (RAM)), non-volatile data storage devices (e.g., flash memory, hard disk drive, solid-state drive, erasable programmable read-only memory (EPROM), etc.). In some examples, processor 802 and storage device 804 may be implemented as a single device (e.g., semiconductor device product, system-on-a-chip (SoC), etc.). In some examples, processor 802 and storage device 804 may be implemented as separate devices.

[0072] In some examples, the machine-executable code 806 may include computer-readable instructions (e.g., software code, firmware code). As a non-limiting example, the computer-readable instructions may be stored in storage device 804, directly accessed by processor 802, and executed by processor 802 using at least logic circuitry 808. Also as a non-limiting example, the computer-readable instructions may be stored on storage device 804, transferred to a memory device (not shown) for execution, and executed by processor 802 using at least logic circuitry 808. Therefore, in some examples, the logic circuitry 808 includes electrically configurable logic circuitry 808.

[0073] In some examples, machine-executable code 806 may describe the hardware (e.g., circuitry) to be implemented in logic circuitry 808 to perform the functional elements. This hardware can be described at any of a range of abstraction levels, from low-level transistor layout to high-level description languages. At a high level of abstraction, a hardware description language (HDL), such as an IEEE standard HDL, can be used. As non-limiting examples, Verilog™, SystemVerilog™, or Very Large Scale Integration (VLSI) Hardware Description Language (VHDL™) can be used.

[0074] HDL descriptions can be transformed into descriptions at any of a variety of other levels of abstraction as needed. As a non-limiting example, a high-level description can be transformed into a logic-level description, such as Register Transfer Language (RTL), Gate-level (GL) description, layout-level description, or mask-level description. As a non-limiting example, micro-operations to be performed by the hardware logic circuitry of logic circuitry 808 (e.g., gates, flip-flops, registers, but not limited thereto) can be described in RTL and then transformed into a GL description by a synthesis tool, and the GL description can be transformed into a layout-level description by a placement and routing tool, which corresponds to the physical layout of an integrated circuit, discrete gate or transistor logic, discrete hardware components, or combinations thereof of a programmable logic device. Therefore, in some examples, machine-executable code 806 may include HDL, RTL, GL descriptions, mask-level descriptions, other hardware descriptions, or any combination thereof.

[0075] In an example where machine-executable code 806 includes a hardware description (at any level of abstraction), a system (not shown, but including storage device 804) may implement the hardware description described by machine-executable code 806. As a non-limiting example, processor 802 may include a programmable logic device (e.g., an FPGA or PLC), and logic circuitry 808 may be electrically controlled to implement circuitry corresponding to the hardware description into logic circuitry 808. Also as a non-limiting example, logic circuitry 808 may include hardwired logic components manufactured by a manufacturing system (not shown, but including storage device 804) according to the hardware description of machine-executable code 806.

[0076] Regardless of whether the machine-executable code 806 includes computer-readable instructions or a hardware description, the logic circuit 808 is adapted to execute the functional elements described by the machine-executable code 806 when implementing the functional elements of the machine-executable code 806. It should be noted that although the hardware description may not directly describe the functional elements, it indirectly describes the functional elements that the hardware elements described by the hardware description can execute.

[0077] Examples

[0078] The following is a non-exhaustive and non-limiting list of embodiments. Not every embodiment listed below is explicitly and individually indicated to be combinable with all other embodiments listed below and discussed above. However, it is intended that these embodiments be combinable with all other embodiments unless it would be obvious to those skilled in the art that these embodiments are not combinable.

[0079] Example 1: An apparatus comprising: a processing core including a program counter for cycling through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions for instructing the processing core to execute subroutines, each sub-part of the computer-readable instructions corresponding to one of the subroutines, the locations of the sub-parts of the computer-readable instructions within the data storage device being associated with the addresses, the sub-parts including: a first sub-part located at a first location within the data storage device indicated by a first address; and a first trap sub-part located at a first trap location within the data storage device, the first trap location being indicated by a corresponding first trap address differing from the first address by only a single bit, the first trap sub-part instructing the processing core to execute a corresponding first trap subroutine to jump to either the first address or itself.

[0080] Example 2: The apparatus according to Example 1, wherein the first address is a continuous series of zeros.

[0081] Example 3: The apparatus according to any one of Examples 1 and 2, wherein the first address comprises a plurality of bits, and each of the first trap addresses differs from the first address by a single corresponding bit.

[0082] Example 4: The apparatus according to any one of Examples 1 to 3, wherein the sub-parts comprise: a second sub-part located at a second location within the data storage device indicated by a second address, the second address being the one's complement of the first address, the first sub-part being used to instruct the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address, the second trap address differing from the second address by only a single bit, the second trap sub-part being used to instruct the processing core to execute a second trap subroutine to jump to the second address or jump to itself.

[0083] Example 5: The apparatus according to Example 4, wherein one of the first address and the second address is a continuous series of zeros, and the other of the first address and the second address is a continuous series of ones.

[0084] Example 6: The apparatus according to any one of Examples 1 to 5, wherein the sub-parts comprise: a second sub-part located at a second location within the data storage device indicated by a second address, the second address being the one's complement of the first address, the first sub-part being used to instruct the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address, the second trap address differing from the second address by only a single bit, the second trap sub-part being used to instruct the processing core to execute a second trap subroutine to jump to the second address, jump to itself, or jump to the first address.

[0085] Example 7: The apparatus according to Example 6, further comprising an address bus electrically connecting the program counter to the data storage device, wherein in the event of a single fixed low fault occurring at one or more of the address bus or the program counter, the second trap sub-part prevents a jump to an unknown address.

[0086] Example 8: The apparatus according to any one of Examples 1 to 7, further comprising a watchdog timer for detecting, during runtime, a fault in the program counter or a fault in an address bus that electrically connects the program counter to the data storage device, the watchdog timer initiating a reset operation in response to detecting the fault in the program counter during runtime.

[0087] Example 9: The apparatus according to Example 8, wherein the watchdog timer is implemented independently of the subroutines.

[0088] Example 10: The apparatus according to any one of Examples 8 and 9, wherein the watchdog timer is used to initiate the reset operation independently of the processing core.

[0089] Example 11: The apparatus according to any one of Examples 8 to 10, wherein the watchdog timer is implemented in hardware separate from the processing core.

[0090] Example 12: The apparatus according to any one of Examples 1 to 11, further comprising an address bus electrically connecting the program counter to the data storage device, wherein in the event of a single fixed high fault occurring at one or more of the address bus or the program counter, the first trap sub-part prevents a jump to an unknown address.

[0091] Example 13: A system comprising: a safety-critical device; and a processing circuit for controlling the safety-critical device, the processing circuit comprising: a processing core including a program counter for cycling through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions for instructing the processing core to execute subroutines, the sub-parts including: a first sub-part located at a first location within the data storage device indicated by a first address of the addresses; a first trap sub-part located at a first trap location within the data storage device, the first trap location being indicated by a corresponding first trap address of the addresses, the first trap address differing from the first address by only a single corresponding bit, the first trap sub-part being configured to instruct the processing core to execute a first trap subroutine to jump to the first address or jump back to itself; a second sub-part located at a second location within the data storage device indicated by a second address of the addresses, the second address being the one's complement of the first address, the first sub-part being configured to instruct the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a corresponding second trap address of the addresses, the second trap address differing from the second address by only a single corresponding bit, the second trap sub-part being configured to instruct the processing core to execute a second trap subroutine to jump to the second address, jump back to itself, or jump to the first address.

[0092] Example 14: According to the system described in Example 13, the number of the first trap sub-parts and the number of the second trap sub-parts are each equal to the number of bits of the address.

[0093] Example 15: A method of operating a processing circuit, the method comprising: initiating a loop of addresses in a program counter at a first address, the first address corresponding to a first sub-part of a computer-readable instruction stored at a first location by a data storage device; in response to the first address in the program counter and a first type of fixed fault of the program counter or the address bus, executing a first trap subroutine corresponding to a first trap sub-part of the computer-readable instruction to jump to the first address or jump to itself; in response to the first address in the program counter and the absence of a first type of fixed fault of the address bus, executing a first subroutine corresponding to the first sub-part of the computer-readable instruction to jump to a second address corresponding to a second sub-part of the computer-readable instruction at a second location in the data storage device; and in response to the second address in the program counter and a second type of fixed fault of the program counter or the address bus, executing a second trap subroutine corresponding to a second trap sub-part of the computer-readable instruction to jump to the second address, jump to the first address, or jump to itself.

[0094] Example 16: The method according to Example 15, further comprising, in response to the second address in the program counter and the absence of a fixed fault of the second type in the address bus, executing a second subroutine corresponding to the second sub-part of the computer-readable instructions to jump to an application start address corresponding to an application sub-part of the computer-readable instructions and its application subroutine.

[0095] Example 17: The method according to any one of Examples 15 and 16 includes: detecting a fault in the operation of the processing circuit during the operation time of the processing circuit; and resetting the operation of the processing circuit in response to the detected fault.

[0096] Example 18: According to the method of Example 17, detecting the fault includes detecting a fixed fault in the program counter or the address bus by one of a watchdog timer and a diagnostic test.

[0097] Example 19: The method according to any one of Examples 15 to 18, wherein the first type of fixed fault is a fixed high fault, and the second type of fixed fault is a fixed low fault.

[0098] Example 20: The method according to any one of Examples 15 to 19, wherein starting the loop at the first address in the program counter includes starting the loop at a first address consisting of all zeros.

[0099] Example 21: A processing circuit comprising: a processing core including a program counter configured to cycle through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions, the sub-parts being configured to instruct the processing core to execute subroutines, each sub-part of the computer-readable instructions corresponding to one of the subroutines, the locations of the sub-parts of the computer-readable instructions within the data storage device being associated with the addresses, the sub-parts including: a first sub-part at a first location within the data storage device indicated by a first address; and a first trap sub-part at a first trap location within the data storage device, the first trap location being indicated by a first trap address, the first trap address differing from the first address by only a single bit, the first trap sub-part being configured to instruct the processing core to execute a first trap subroutine to jump to either the first address or back to the first trap address.

[0100] Example 22: The processing circuit according to Example 21, wherein the first address is a continuous series of zeros.

[0101] Example 23: The processing circuit according to any one of Examples 21 and 22, wherein the sub-parts further comprise: a second sub-part located at a second location within the data storage device indicated by a second address, the second address being the one's complement of the first address, the first sub-part being configured to instruct the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address, the second trap address differing from the second address by only a single bit, the second trap sub-part being configured to instruct the processing core to execute a second trap subroutine to jump to the second address or back to the second trap address.

[0102] Example 24: According to the processing circuit of Example 23, one of the first address and the second address is a continuous series of zeros, and the other of the first address and the second address is a continuous series of ones.

[0103] Example 25: The processing circuit according to any one of Examples 21 to 24 further includes: a watchdog timer configured to detect a fixed fault of the program counter during runtime, the watchdog timer being configured to initiate a reset operation in response to the detection of a fixed fault.

[0104] Example 26: The processing circuit according to Example 25, wherein the watchdog timer is implemented independently of the subroutine to prevent the fixed fault from interfering with the operation of the watchdog timer.

[0105] Example 27: The processing circuit according to any one of Examples 25 and 26, wherein the watchdog timer is configured to initiate the reset operation independently of the processing core.

[0106] Example 28: A processing circuit according to any one of Examples 25 to 27, wherein the watchdog timer is implemented in hardware separate from the processing core.

[0107] Example 29: A safety-critical system comprising: a safety-critical device; and a processing circuit configured to control the safety-critical device, the processing circuit comprising: a processing core including a program counter configured to cycle through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions, the sub-parts being configured to instruct the processing core to execute subroutines, the sub-parts including: a first sub-part located at a first location within the data storage device indicated by a first address of the addresses; a first trap sub-part located at a first trap location within the data storage device, the first trap location being indicated by a first trap address of the addresses, the first trap address differing from the first address by only a single bit, the first trap sub-part being configured to instruct the processing core to execute a first trap subroutine to jump to the first address or back to the first trap address; a second sub-part located at a second location within the data storage device indicated by a second address of the addresses, the second address being the one's complement of the first address, the first sub-part being configured to instruct the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address of the addresses, the second trap address differing from the second address by only a single bit, the second trap sub-part being configured to instruct the processing core to execute a second trap subroutine to jump to the second address or back to the second trap address.

[0108] Example 30: The safety-critical system according to Example 29, wherein the number of the first trap sub-parts and the number of the second trap sub-parts are each equal to the number of bits of the address.

[0109] Example 31: A method of operating a processing circuit, the method comprising: initiating a loop of addresses in a program counter at a first address, the first address corresponding to a first sub-part of computer-readable instructions stored at a first location by a data storage device; in response to the first address in the program counter and a fixed fault of a first type in the program counter, executing a first trap subroutine corresponding to a first trap sub-part of the computer-readable instructions to jump to the first address; in response to the first address in the program counter and the absence of a fixed fault of the first type, executing a first subroutine corresponding to the first sub-part of the computer-readable instructions to jump to a second address corresponding to a second sub-part of the computer-readable instructions at a second location in the data storage device; and in response to the second address in the program counter and a fixed fault of a second type in the program counter, executing a second trap subroutine corresponding to a second trap sub-part of the computer-readable instructions to jump to the second address.

[0110] Example 32: The method according to Example 31 further includes: in response to the second address in the program counter and the absence of a fixed fault of the second type, executing a second subroutine corresponding to the second sub-part of the computer-readable instructions to jump to a boot address of a boot sub-part of the computer-readable instructions and its corresponding boot subroutine.

[0111] Example 33: The method according to any one of Examples 31 and 32 further includes: detecting a fault in the operation of the processing circuit during the operation time of the processing circuit; and resetting the operation of the processing circuit in response to the detected fault.

[0112] Example 34: The method according to Example 33, wherein detecting the fault includes detecting a fixed fault of the program counter by one of a watchdog timer and a diagnostic test.

[0113] Example 35: The method according to any one of Examples 31 to 34, wherein the first type of fixed fault is a fixed low fault, and the second type of fixed fault is a fixed high fault.

[0114] Example 36: The method according to any one of Examples 31 to 35, wherein starting the loop at the first address in the program counter includes starting the loop at a first address consisting of a continuous series of all zeros.
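As an added illustration (not code from the patent or its assignee), the following C model lays out the sub-parts described in Examples 29 to 36 and the claims: a small address space whose ROM records only the jump target of each sub-part, a stuck-at fault applied to one program-counter bit, and a bounded step count standing in for the watchdog of Example 33. ADDR_BITS, APP_START and UNKNOWN are assumed values chosen for the model; the exhaustive check confirms that every single-bit stuck fault ends in a safe loop rather than a jump to an unknown address.

```c
#include <stdint.h>
/* Added model, not the patent's code. ADDR_BITS, APP_START and
 * UNKNOWN are assumed values chosen for the illustration. */
#define ADDR_BITS 4
#define ADDR_COUNT (1u << ADDR_BITS)
#define FIRST_ADDR 0u                  /* all zeros: reset vector */
#define SECOND_ADDR (ADDR_COUNT - 1u)  /* all ones: its complement */
#define APP_START 6u                   /* 0b0110: not a trap slot */
#define UNKNOWN 0xFFu                  /* no sub-part stored here */

enum fault { NO_FAULT, STUCK_LOW, STUCK_HIGH };
enum outcome { REACHED_APP, TRAPPED, JUMPED_UNKNOWN };

/* rom[a] holds the jump target of the subroutine stored at a. */
static uint8_t rom[ADDR_COUNT];

/* First/second sub-parts plus one trap per address bit (claim 14). */
static void build_rom(void) {
    for (unsigned a = 0; a < ADDR_COUNT; a++) rom[a] = UNKNOWN;
    rom[FIRST_ADDR] = SECOND_ADDR;  /* first subroutine: jump to complement */
    rom[SECOND_ADDR] = APP_START;   /* second subroutine: jump to application */
    for (unsigned b = 0; b < ADDR_BITS; b++) {
        rom[FIRST_ADDR ^ (1u << b)] = FIRST_ADDR;    /* first trap: back to first */
        rom[SECOND_ADDR ^ (1u << b)] = SECOND_ADDR;  /* second trap: back to second */
    }
}

/* Address actually seen on the bus when one bit is stuck. */
static unsigned apply_fault(unsigned pc, enum fault f, unsigned bit) {
    if (f == STUCK_LOW)  return pc & ~(1u << bit);
    if (f == STUCK_HIGH) return pc | (1u << bit);
    return pc;
}

/* Run from reset; the step bound stands in for the watchdog timeout. */
enum outcome run_from_reset(enum fault f, unsigned bit, unsigned max_steps) {
    unsigned pc = FIRST_ADDR;
    for (unsigned step = 0; step < max_steps; step++) {
        unsigned eff = apply_fault(pc, f, bit);
        if (eff == APP_START) return REACHED_APP;
        if (rom[eff] == UNKNOWN) return JUMPED_UNKNOWN;
        pc = rom[eff];
    }
    return TRAPPED;  /* still bouncing between a trap and its target */
}

/* Every single-bit stuck fault must end TRAPPED, never at an unknown address. */
int all_single_bit_faults_trapped(void) {
    build_rom();
    for (unsigned b = 0; b < ADDR_BITS; b++)
        if (run_from_reset(STUCK_LOW, b, 32) != TRAPPED ||
            run_from_reset(STUCK_HIGH, b, 32) != TRAPPED) return 0;
    return run_from_reset(NO_FAULT, 0, 32) == REACHED_APP;
}
```

A stuck-high bit is caught at a first trap (the all-zeros first address gains that bit), a stuck-low bit at a second trap (the all-ones second address loses it), which is why the two addresses are chosen as complements.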

[0115] Conclusion

[0116] As used in this disclosure, the terms "module" or "component" can refer to a specific hardware implementation that performs the actions of a module or component and/or a software object or software routine that can be stored on and/or executed by general-purpose hardware of a computing system (e.g., a computer-readable medium, processing device, etc.). In some examples, the different components, modules, engines, and services described in this disclosure can be implemented as objects or processes that execute on a computing system (e.g., as separate threads). While some of the systems and methods described in this disclosure are generally described as being implemented in software (stored on and/or executed by general-purpose hardware), specific hardware implementations or combinations of software and specific hardware implementations are also possible and contemplated.

[0117] As used in this disclosure, the term "combination" referring to multiple elements can include any combination of all elements or any combination of various different sub-combinations of certain elements. For example, the phrase "A, B, C, D or combinations thereof" can refer to any one of A, B, C, or D; a combination of each of A, B, C, and D; and any sub-combination of A, B, C, or D, such as A, B, and C; A, B, and D; A, C, and D; B, C, and D; A and B; A and C; A and D; B and C; B and D; or C and D.

[0118] Terms used in this disclosure, and especially in the appended claims (e.g., the body of the appended claims), are generally intended to be "open" terms (e.g., the term "including" should be interpreted as "including but not limited to", the term "having" should be interpreted as "having at least", the term "includes" should be interpreted as "includes but is not limited to", etc.).

[0119] Furthermore, if a specific number of introduced claim statements are anticipated, such an intent will be explicitly stated in the claims, and without such statements, no such intent exists. For example, to aid understanding, the appended claims may contain the use of introductory phrases “at least one” and “one or more” to introduce claim statements. However, the use of such phrases should not be construed as implying that a claim statement introduced by the indefinite article “a” or “an” limits any particular claim containing such an introduced claim statement to an example containing only one such statement, even when the same claim includes the introductory phrase “one or more” or “at least one” and indefinite articles such as “a” or “an” (e.g., “a” and / or “an” can be interpreted as referring to “at least one” or “one or more”); the same applies to the use of definite articles to introduce claim statements.

[0120] Furthermore, even when specific numbers of the introduced claim statements are explicitly listed, those skilled in the art will recognize that such statements should be interpreted as referring to at least the number listed (e.g., in the absence of other modifiers, the basic statement of "two statements" means at least two statements or two or more statements). Moreover, in cases where conventions such as "at least one of A, B, and C" or "one or more of A, B, and C" are used, such constructions are generally intended to include only A, only B, only C, both A and B, both A and C, both B and C, or all three A, B, and C, etc.

[0121] Furthermore, any separate word or phrase presenting two or more alternative terms in the specification, claims, or drawings should be understood to include the possibility of including one term, any one term, or both terms. For example, the phrase "A or B" should be understood to include the possibility of including "A" or "B" or "A and B".

[0122] While this disclosure describes the invention with respect to certain illustrated examples, those skilled in the art will recognize and understand that the invention is not limited thereto. Rather, many additions, deletions, and modifications may be made to the illustrated examples and the examples themselves without departing from the scope of the invention as claimed below and its legal equivalents. Furthermore, features from one example may be combined with features from another example while still being included within the scope of the invention as contemplated by the inventors.

Claims

1. An apparatus comprising: a processing core including a program counter for cycling through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions for instructing the processing core to execute subroutines, each sub-part of the computer-readable instructions corresponding to one of the subroutines, the locations of the sub-parts of the computer-readable instructions within the data storage device being associated with the addresses, the sub-parts including: a first sub-part located at a first location within the data storage device indicated by a first address; and a first trap sub-part located at a first trap location within the data storage device, the first trap location being indicated by a corresponding first trap address, the first trap address differing from the first address by only one bit, the first trap sub-part being for instructing the processing core to execute a corresponding first trap subroutine to jump to either the first address or to itself.

2. The apparatus of claim 1, wherein the first address is a continuous series of zeros.

3. The apparatus of claim 1, wherein the first address comprises a plurality of bits, and each of the first trap addresses differs from the first address by a single corresponding bit.

4. The apparatus of claim 1, wherein the sub-parts comprise: a second sub-part located at a second location within the data storage device indicated by a second address, the second address being the complement of the first address, the first sub-part being for instructing the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address, the second trap address differing from the second address by only one bit, the second trap sub-part being for instructing the processing core to execute a second trap subroutine to jump to the second address or to itself.

5. The apparatus of claim 4, wherein one of the first address and the second address is a consecutive series of zeros, and the other of the first address and the second address is a consecutive series of ones.

6. The apparatus of claim 1, wherein the sub-parts comprise: a second sub-part located at a second location within the data storage device indicated by a second address, the second address being the complement of the first address, the first sub-part being for instructing the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a second trap address, the second trap address differing from the second address by only one bit, the second trap sub-part being for instructing the processing core to execute a second trap subroutine to jump to the second address, to itself, or to the first address.

7. The apparatus of claim 6, further comprising an address bus electrically connecting the program counter to the data storage device, wherein, in the event of a single fixed low fault occurring at one or more of the address bus or the program counter, the second trap sub-part prevents a jump to an unknown address.

8. The apparatus of claim 1, further comprising a watchdog timer configured to detect a fault in the program counter or a fault in the address bus electrically connecting the program counter to the data storage device during runtime, the watchdog timer being configured to initiate a reset operation in response to the detection of the fault in the program counter during runtime.

9. The apparatus of claim 8, wherein the watchdog timer is implemented independently of the subroutines.

10. The apparatus of claim 8, wherein the watchdog timer is for initiating the reset operation independently of the processing core.

11. The apparatus of claim 8, wherein the watchdog timer is implemented in hardware separate from the processing core.

12. The apparatus of claim 1, further comprising an address bus electrically connecting the program counter to the data storage device, wherein, in the event of a single fixed high fault occurring at one or more of the address bus or the program counter, the first trap sub-part prevents a jump to an unknown address.

13. A system comprising: safety-critical equipment; and processing circuitry for controlling the safety-critical equipment, the processing circuitry comprising: a processing core including a program counter for cycling through addresses; and a data storage device including computer-readable instructions stored thereon, the computer-readable instructions including sub-parts of the computer-readable instructions for instructing the processing core to execute subroutines, the sub-parts including: a first sub-part located at a first location within the data storage device indicated by a first address among the addresses; a first trap sub-part located at a first trap location within the data storage device, the first trap location being indicated by a corresponding first trap address among the addresses, the first trap address differing from the first address by only a single corresponding bit, the first trap sub-part being for instructing the processing core to execute a first trap subroutine to jump to the first address or back to itself; a second sub-part located at a second location within the data storage device indicated by a second address among the addresses, the second address being the complement of the first address, the first sub-part being for instructing the processing core to execute a first subroutine to jump to the second address; and a second trap sub-part located at a second trap location within the data storage device, the second trap location being indicated by a corresponding second trap address among the addresses, the second trap address differing from the second address by only a single corresponding bit, the second trap sub-part being for instructing the processing core to execute a second trap subroutine to jump to the second address, to itself, or to the first address.

14. The system of claim 13, wherein the number of the first trap sub-parts and the number of the second trap sub-parts are each equal to the number of bits of the address.

15. A method of operating a processing circuit, the method comprising: starting a loop of addresses in a program counter at a first address, the first address corresponding to a first sub-part of computer-readable instructions stored at a first location by a data storage device; in response to the first address in the program counter and a fixed fault of a first type in the program counter or an address bus, executing a first trap subroutine corresponding to a first trap sub-part of the computer-readable instructions to jump to the first address or to itself; in response to the first address in the program counter and the absence of a fixed fault of the first type in the address bus, executing a first subroutine corresponding to the first sub-part of the computer-readable instructions to jump to a second address of a second sub-part of the computer-readable instructions at a second location in the data storage device; and in response to the second address in the program counter and a fixed fault of a second type in the program counter or the address bus, executing a second trap subroutine corresponding to a second trap sub-part of the computer-readable instructions to jump to the second address, to the first address, or to itself.

16. The method of claim 15, further comprising, in response to the second address in the program counter and the absence of a fixed fault of the second type in the program counter or the address bus, executing a second subroutine corresponding to the second sub-part of the computer-readable instructions to jump to an application start address of an application sub-part of the computer-readable instructions and its corresponding application subroutine.

17. The method of claim 15, further comprising: detecting a fault in the operation of the processing circuit during its runtime; and resetting the processing circuit in response to the detected fault.

18. The method of claim 17, wherein detecting the fault comprises detecting a fixed fault in the program counter or the address bus by one of a watchdog timer and a diagnostic test.

19. The method of claim 15, wherein the first type of fixed fault is a fixed high fault, and the second type of fixed fault is a fixed low fault.

20. The method of claim 15, wherein starting the loop at the first address in the program counter comprises starting the loop at a first address consisting of a consecutive series of all zeros.