This invention relates to a method for safe writing of a pointer for a ring memory, further to such a ring memory having a pointer memory location and to a smart card containing such a ring memory.
Ring memories or cyclic memories, whose content is also referred to as a cyclic file or the like, can be formed as virtual memories or hardware memories. A ring memory is in particular a typical form of organization for an electrically erasable programmable read-only memory (EEPROM), to which the present invention and the presentation of examples of the invention specifically relate, although the invention can find application for ring memories in general.
A ring memory contains a given number of memory locations, the cyclic file in the ring memory containing a series of records with one record stored in one memory location in each case. The records are written cyclically one after the other to the ring memory, provided that the oldest record is always overwritten for writing a new record. With continuous numbering 1, 2, . . . n of the memory locations of the ring memory, memory location "1" cyclically follows memory location "n." The "current" or most recent record is found in a memory location that is addressed by a pointer. For writing consecutive records, the pointer is augmented, cyclically, by one memory location address at a time.
To illustrate the problem underlying the present invention, we will now take a closer look at the writing of a new record to a predetermined memory location of a ring memory formed as an EEPROM. Such EEPROMs find use in particular in smart cards, so that the problem existing here relates in particular to smart cards.
In order to write a new record to a predetermined memory location, in particular the memory location receiving the oldest record within the ring memory, the content of said predetermined memory location must first be erased before the new data can be written. This is usually done by augmenting the pointer and writing the new record in successive steps. If there is an interruption in the write operation, e.g. due to a power failure, the information of the new record might be lost, as well as the pointer information, which is even more serious since then there is no information about the location where the next record is to be stored. Another problem relating to the pointer information is possible falsification of the pointer, for example when the pointer is being updated.
The prior art shows a number of suggestions for avoiding such errors in a ring memory. FR-A-2 699 704 describes a method for updating data in an EEPROM wherein a multidigit flag is stored for each individual record. When a new record is to be written at the location of the "old" record, the old record including its flag is first erased. The new record is written at the location of the old record, the corresponding flag being set to a value stating that data updating is taking place. Then the flag of the previous current record is set to "old" and the flag of the new record indicating that updating is ongoing is set to "current." This method is intensive in terms of labor and memory space. If there is an interruption during the flag changeover after storage of the new record, there is no current record so that the state is indefinite.
EP-A-0 398 545 discloses a ring memory wherein a flag formed from one bit is present for each record. When a new record is written to the ring memory, the new record is marked after the write operation with a flag designating a current record, for example "1." Subsequently, the flag "1" belonging to the hitherto current record is set to "0." In this intermediate stage there are thus two flags with the value "1." This dilemma of the indefinite pointer flag for the current record is supposed to be overcome with the aid of the convention that in case of several flags with the value "1" the "upper" flag is always valid. Since flags consisting of single bits are already especially susceptible to write errors, faulty pointer data can very easily occur during updating of the pointer flag.
DE-A-196 50 993 discloses a ring memory provided with an additional memory location not recognizable from outside the interface of the ring memory. Upon a write operation the oldest record is always overwritten, followed by an updating of the pointer in such a way that the pointer then points to the new data item. In case of a disturbance, only the information of the oldest record is then lost but this is not recognizable from outside the interface. This memory system also involves the possibility of false pointer data arising from faulty writing of the pointer.
The invention is based on the problem of providing a method that permits safe writing of the pointer. Furthermore, a ring memory in conjunction with a safe pointer is to be provided.
For solving this problem according to claim 1, a further, redundant pointer is stored rather than a single pointer. In an especially preferred embodiment, the first and second, redundant pointer are written separately, in particular staggered in time, so that in case of a disturbance possibly occurring in the course of the writing of the two pointers at least one pointer comprises the correct pointer information. As a further inventive feature, the first and second pointers each have a check value. Said check value permits a faulty pointer to be recognized. A correction operation is possible by merely one write operation, that is, by copying the intact pointer.
Updating of the pointer is preferably effected in a first step while simultaneously forming the check value belonging to the first pointer. After comparison of the first, new pointer with the second pointer, the second pointer is optionally produced as a copy of the first pointer.
If a disturbance occurs during writing of the first and second pointers, for example a power failure during writing of an EEPROM, the first pointer might be already updated while the second pointer still has the old value. Depending on the time of the disturbance and the type of error, the original information of the first pointer can either be recovered from the second pointer, or the second pointer can be updated later in accordance with the first pointer.
The use of an additional, redundant pointer provides reliable protection against the formation of faulty pointer data in particular when the two pointers are written at separate times. Furthermore, this provides the possibility of reconstructing the particular desired pointer content in every situation, in particular in case of power failures at the time of pointer updating. The check value belonging to each pointer preferably consists of the complement of the code of the relevant memory location number. The pointer consists of the address or number of the current memory location; the check value is obtained by forming the complement.
In a special embodiment it is provided that a pointer consists of two bytes, the first byte (8 bits) containing the memory location code in a form comprising two hexadecimal numbers, and the second byte of the pointer containing the corresponding complementary hexadecimal code.
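The scheme described above (two staggered pointer writes, each pointer being a location byte followed by its complement, and repair by copying the intact pointer) can be illustrated with the following C sketch. It is an added example and not part of the patent text; the simulated pointer area, the function names and the byte-budget model of a power failure are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated EEPROM pointer area (constructed for this example): bytes 0-1
 * hold the first pointer, bytes 2-3 the redundant second pointer. Each
 * pointer is { location number, bitwise complement of that number }. */
static uint8_t ptr_area[4];
enum { P1 = 0, P2 = 2 };

/* A pointer is intact when its second byte is the complement of its first. */
static bool ptr_valid(int off) {
    return (uint8_t)~ptr_area[off] == ptr_area[off + 1];
}

/* Write one pointer; bytes_ok < 2 simulates power loss partway through. */
static void ptr_write(int off, uint8_t loc, int bytes_ok) {
    if (bytes_ok >= 1) ptr_area[off] = loc;
    if (bytes_ok >= 2) ptr_area[off + 1] = (uint8_t)~loc;
}

/* Staggered update: first pointer, then the second. `budget` is the number
 * of bytes written before power is lost (4 = no disturbance). */
void ptr_update(uint8_t loc, int budget) {
    ptr_write(P1, loc, budget);
    ptr_write(P2, loc, budget - 2);
}

/* Power-up check: returns the current location and repairs the damaged or
 * stale pointer by copying the intact one; -1 if neither pointer is intact. */
int ptr_recover(void) {
    bool v1 = ptr_valid(P1), v2 = ptr_valid(P2);
    if (v1) {                       /* first pointer good: bring second in line */
        if (!v2 || ptr_area[P2] != ptr_area[P1]) ptr_write(P2, ptr_area[P1], 2);
        return ptr_area[P1];
    }
    if (v2) {                       /* first pointer torn: restore old value */
        ptr_write(P1, ptr_area[P2], 2);
        return ptr_area[P2];
    }
    return -1;
}

int main(void) {
    ptr_update(0x05, 4);            /* undisturbed write: 05 FA / 05 FA */
    ptr_update(0x06, 1);            /* power lost inside the first pointer */
    printf("recovered location: %d\n", ptr_recover());
    return 0;
}
```

An interruption inside the first pointer falls back to the old location held by the second pointer, while an interruption after the first pointer is complete carries the new location forward into the second.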
The preferred measures according to the invention provide a multiple redundancy that allows error detection and correction practically at any time. In particular, they create the possibility of reconstructing the pointer content in case of a disturbance in the form of a power failure.
The inventive method makes it possible to obtain virtually complete protection of the data with little additional effort for memory space for the second pointer and the check values and an additional write cycle for writing the second pointer. It is especially preferred to utilize these advantages in a smart card, which normally contains sensitive data requiring special protection.
In conjunction with the abovementioned measures, use is preferably also made of the measure of expanding the cyclic memory by one memory location, said additional memory location not being apparent from outside, that is, at the interface of the ring memory. The new record to be written is then written at the location of the oldest record so that in case of a disturbance only the oldest record is lost but this is not noticeable outwardly since only the predetermined number of memory locations without the additional memory location is present from outside.