1. Field of the Invention
The present invention relates to circuitry for hardware test and configuration and fault-tolerance. More specifically, the present invention relates to a method and an apparatus for restricting the damaging effects of software faults that interact with hardware test and configuration circuitry within a computer system.
2. Related Art
It has been a long held convention in computer system design that one should not design hardware which can be damaged by softwarexe2x80x94no matter how faulty or malicious the software is. If a system is not designed in this way, it is hard to ensure overall system reliability because software commonly fails in unpredictable ways.
This convention is generally adhered to in designing most circuitry within a computer system. However, the convention is not generally followed for test scan circuitry. Test scan circuitry is typically incorporated into a circuit, such as a microprocessor chip, for testing purposes. Test scan allows test inputs to be scanned into memory elements within the circuit by coupling the memory elements together into one or more xe2x80x9cscan chains.xe2x80x9d These scan chains act as long shift registers for scanning in test inputs and scanning out test outputs.
For example, referring to the circuitry illustrated in FIG. 1, when test mode signal 102 is asserted, multiplexers 110-112 connect memory elements (D-flip-flops) 120-122 into a shift register. This allows test inputs 104 to be shifted into memory elements 120-122. Note that when test mode signal 102 is not asserted, multiplexers 110-112 feed normal inputs 101 into memory elements 120-122.
The circuitry illustrated in FIG. 1 also includes multiplexer 113, which enables the circuit to switch between a test clock signal 108 and a main clock signal 106.
During testing, the circuit illustrated in FIG. 1 operates generally as follows. The circuit is first moved into a test mode by asserting select test clock signal 105 so that it selects test clock signal 108, and by asserting test mode signal 102. Next, inputs 104 are scanned into memory elements 120-122 using test clock signal 108. Then the circuit is moved out of the test mode by negating test mode signal 102, and the circuit is clocked with test clock signal 108 for one or more clock cycles. Finally, the circuit is moved back into test mode by asserting test mode signal 102, and the contents of memory elements 120-122 are scanned out of the circuit. Testing a circuit in this way enables system designers to see how the internal memory elements within the circuit change for different test inputs.
A problem can arise if faulty test software scans in a data pattern that can damage the circuit. For example, suppose that the test software scans ones into each of memory elements 120-122. This causes the outputs of memory elements 120-122 to activate drivers 140-142 through AND gates 170-172, respectively, at the same time causing a potential bus conflict on common bus line 160. This bus conflict is likely to damage at least one of drivers 140-142.
Note that this problem is to be avoided while test inputs 104 are being shifted into memory elements 120-122 by asserting test disable signal 109. Test disable signal 109 deactivates AND gates 170-172 preventing drivers 140-142, respectively, from being enabled. However, test disable signal 109 must be de-asserted in order to operate the circuitry normally for one or more clock cycles in order to perform the test. Hence, if the wrong values are stored in memory elements 120-122 they can damage drivers 140-142.
The problem of damaging circuitry during testing is,not a serious problem when the testing is being performed in the lab or on a production line, because damaged circuitry can be replaced before it is shipped to the consumer, and the test software is restricted to controlled test rigs. On the other hand, damaging circuitry during testing becomes a major problem when the testing occurs after the computer system is installed at a customer""s site.
It is becoming more common for scan software to be deployed in a customer system in the field so that service processors can automatically diagnose a problem in the customer system. This makes it possible to automatically reconfigure the customer system in the field to correct the problem. Unfortunately, complex scan software in service processors can easily suffer from bugs, which can damage the circuitry within the customer""s system. Hence, using scan software in the field can be undesirable because it can reduce system reliability.
What is needed is a method and an apparatus that prevents faulty scan test software from damaging the long-term reliability of a computer system""s circuitry.
One embodiment of the present invention provides a system that restricts the damaging effects of software faults that interact with test and configuration circuitry. This test and configuration circuitry includes a scan chain in the form of a serial linkage between memory elements within a circuit, thereby allowing a test input to be serially shifted into the memory elements. The system operates by receiving a test disable signal at the circuit. In response to the test disable signal, the system moves the circuit into a test disable mode, which limits any damaging effects to the circuit caused by shifting the test input into the memory elements in the scan chain. Next, the system shifts the test input into the memory elements in the scan chain. The system also determines whether the test input will cause damage to the circuit after the test input is completely shifted into the scan chain. If so, the system holds the circuit in the test disable mode so that the test input cannot damage the circuit. If not, the system moves the circuit out of test disable mode, and runs the circuit for at least one clock cycle in order to test the circuit.
In a variation on the above embodiment, the system determines whether the test input will cause damage to the circuit by examining the test input as the test input is shifted into the scan chain. This variation includes a state machine that looks for a pattern in the test input that will cause damage to the circuit.
In another variation, the system determines whether the test input will cause damage to the circuit by examining the test input after the test input is shifted into the scan chain by using a logic circuit that looks for a pattern in the scan chain that will cause damage to the circuit.
In one embodiment of the present invention, the test disable mode prevents more than one driver from driving a signal line at the same time in order to prevent conflicts between drivers.
In one embodiment of the present invention, after testing the circuit the system moves the circuit back into the test disable mode, and shifts a test output out of the scan chain. This test output can be examined to determine how the circuit performed during the test. In a variation on this embodiment, the scan chain includes a memory element that indicates whether the test input will cause damage to the circuit. This enables the system to determine whether the circuit moved out of the test disable mode during the test by examining the test output.
In one embodiment of the present invention, the test disable signal and the test input are received from a test controller which is located outside of the circuit.
In one embodiment of the present invention, the circuit can be operated using either a system clock or a test clock.
In one embodiment of the present invention, the circuit includes more than one scan chain.
In one embodiment of the present invention, the circuit resides within a single semiconductor chip.