It is general in a microprocessor (CPU) that only one processor core is provided in one package to operate as one part while being combined with a command issuing section, an operating section, etc. For example, various kinds of control for a vehicle or the like are executed by using multiprocessor-configured electronic control unit (ECU) using plural CPUs. In the multiprocessor-configured ECU, plural CPUs forming the ECU are allocated to a monitor source (monitoring side: hereinafter referred to as “main side”) or a monitor target (monitored side: hereinafter referred to as “sub side”), and CPU at the main side (main-side CPU) monitors the operation state of the CPU at the sub side (sub-side CPU).
Specifically, the sub-side CPU inverts a predetermined port output value every predetermined time, and the main-side CPU monitors the predetermined port output. Here, when it occurs continuously at a predetermined number of times that the predetermined port output value is not inverted or it becomes a different value, the main-side CPU determines that the operation state of the sub-side CPU is abnormal. If the operation state of the sub-side CPU is determined to be abnormal, the main-side CPU replaces a value calculated by the sub-side CPU with a predetermined default value or the like, thereby executing a fail-safe operation.
When such a general technique is directly applied to multicore-configured ECU, the following problem arises. That is, in the multicore-configured ECU, a resource such as RAM, a register or the like which is common to plural processor cores forming the ECU is provided in one package, so that each processor core can access this common resource. Therefore, when the operation state of each sub-side core is abnormal, the sub-side core may access the area of the common RAM which is used by the main-side core to count the above predetermined number of times, so that the content of the common RAM is rewritten. If the content of the common RAM is rewritten as described above, the main-side core cannot accurately identify the operation state of the sub-side core because the main-side core determines the operation state of the sub-side core on the basis of the content stored and held in the common RAM. Furthermore, it is difficult to properly execute the fail-safe operation.
Therefore, according to JP 7-200503A, a writing-prohibiting area designating part is provided between each processor core and common RAM. When a processor core is about to write information into an area other than the dedicated area of the processor core, the writing is invalidated through the writing-prohibiting area designating part.
In the above technique, the area used by each processor core in the common RAM can be dedicated. Accordingly, for example, even when the operation state of the sub-side core is abnormal, the situation that the content stored and held in the area dedicated to the main-side core in the common RAM which is used by the main-side core is rewritten by the sub-side core hardly occurs.
However, when the abnormal operation state of the sub-side core is more serious, it may be considered that the sub-side core rewrites the writing-prohibiting area stored in the writing-prohibiting area designating part, and exclude the dedicated area of the main-side core in the common RAM used by the main-side core from the designation as the writing prohibiting area. In this case, the content stored in the dedicated area of the main-side core may be rewritten by the sub-side core. Therefore, the main-side core cannot accurately determine the operation state of the sub-side core. Further it is difficult for the main-side core to properly execute the fail-safe operation.