1. Field of the Invention
The present invention relates to a computer system having non-volatile memory for storing sequences of instructions for execution by a processor in the computer system, and more particularly to fault-tolerance techniques for in-circuit programming to update and modify sequences of instructions stored in non-volatile memory.
2. Related Art
Integrated circuit microcontrollers have been developed which include arrays of non-volatile memory on an integrated circuit for storing sequences of instructions to be executed by a microcontroller. The sequences of instructions are stored in read-only memory (ROM), which must be programmed during manufacture of a device, and cannot be updated. The sequences of instructions can also be stored in an EPROM array. However, this approach requires special hardware to program the EPROM array before the device is placed in a circuit. In yet other systems, EEPROM memory is used for storing instructions. EEPROM has the advantage that it can be programmed much more quickly than EPROM, and can be modified on the fly. In yet another approach, flash memory is used to store instructions. This allows for higher density and higher speed reprogramming of the non-volatile memory. When a device combines a reprogrammable non-volatile memory, such as EEPROM or a flash memory, with a microcontroller, the device can be reprogrammed while it is in a circuit, allowing for in-circuit programming based on interactive algorithms.
The ability to interactively download instruction and data to a remote device can be very valuable in a network environment. For example, a company can service a customer""s equipment without requiring the customer to bring the equipment to a service center. Rather, the company can execute diagnostic functions using the in-circuit programming capability of the customer""s equipment across a communication channel such as the Internet or telephone lines. In this way, software fixes can be downloaded to a customer""s equipment, and the equipment can be reenabled with corrected or updated code.
Reliability can become a problem during in-circuit programming. The in-circuit programming process can take up to ten minutes, during which time there may be data transmission errors or recording errors. These errors can be especially troubling if the code which performs the communication with the outside world (handshaking code) is itself modified during the in-circuit programming process. If this code gets corrupted, the in-circuit programming module may be left without any way of resetting itself or communicating with the outside world.
What is needed is a method for providing fault-tolerance during in-circuit circuit programming which can recover from an error during the in-circuit programming process, even if the code used by the in-circuit programming process to communicate with the outside world is improperly programmed.
The present invention provides a method and an apparatus for providing fault-tolerance during in-circuit programming. The invention operates by ensuring that a portion of the computer system""s boot code is protected from the in-circuit programming process, so that it will not be corrupted during in-circuit programming. The invention maintains an in-circuit programming status, which is set to an incomplete value when the in-circuit programming process is in progress, and is reset to a complete value after the in-circuit programming process terminates. If the system is reset during the in-circuit programming process, the system will boot from the protected section of boot code, otherwise, the system will boot from normal boot code, which is programmable through the in-circuit programming process. The invention also operates in conjunction with a watch dog timer which causes the system to reset itself if the in-circuit programming process fails to successfully terminate.
Thus, the present invention can be characterized as a method for providing error recovery during in-circuit programming of a computer system, comprising: setting an in-circuit programming status to an incomplete value, indicating the in-system programming process is in progress; initiating the in-circuit programming process; when the in-circuit programming process terminates, setting the in-circuit programming status to a complete value indicating that the in-circuit programming process is complete; and during initialization of the system, executing a first boot code sequence if the in-circuit programming status has a complete value, the first boot code sequence being programmable through the in-circuit programming process, and executing a second boot code sequence if the in-circuit programming status has an incomplete value, the second boot code sequence being protected from the in-circuit programming process.
According to one aspect of the present invention, the in-circuit programming process includes testing a section of code programmed by the in-circuit programming process.
According to another aspect of the present invention, the in-circuit programming process is monitored in order to detect a delay in the transmission of in-circuit programming instructions. The in-circuit programming process is restarted if the delay exceeds a specific time out value. In one embodiment, the monitoring is conducted by a remote host from which the in-circuit programming code is downloaded. In another embodiment, the monitoring is performed using a watch dog timer coupled to the in-circuit programming system.
According to another aspect of the present invention, the above-mentioned method includes the step of storing an address of a remote host from which the in-circuit programming code is downloaded.
The present invention may also be characterized as an apparatus for providing error recovery during in-circuit programming of a computer system, comprising: a processor; a first boot code sequence coupled to the processor; a second boot code sequence coupled to the processor; an in-circuit programming status indicator coupled to the processor, the status indicator being set to an incomplete value during in-circuit programming, and being set to a complete value after in-circuit programming is complete; and a selector mechanism coupled to the first boot code sequence and the second boot code sequence, for selecting a boot code sequence for computer system initialization, the selector mechanism selecting the first boot code sequence if the in-circuit programming status indicator is set to a complete value, and selecting the second boot code sequence if the in-circuit programming status indicator is set to an incomplete value.
The present invention can also be characterized as a method for providing error recovery during in-circuit programming of a computer system, comprising: monitoring the in-circuit program in process in order to detect a delay in transmission of in-circuit programming instructions from a remote host; and restarting the in-circuit programming process if the delay exceeds a timeout value.