However, uncorrectable errors may arise, and a microcontroller generates an exception when it reads such an uncorrectable error.
In this context, the present invention relates to a method making it possible to detect, to locate, and to handle the occurrence of an uncorrectable error in a non-volatile memory of any type of microcontroller.
As is known, automotive vehicles, like any other type of vehicle, comprise computers comprising microcontrollers that are able to execute embedded software.
To this end, said microcontrollers have volatile or non-volatile data storage means. Such microcontrollers thus have a volatile memory, also called random-access memory, typically memory of RAM type, RAM being the acronym, well known to the person skilled in the art, for Random Access Memory. Moreover, for lasting data storage, microcontrollers also have a non-volatile memory, typically memory of Flash type, well known to the person skilled in the art. Flash memory is in particular used for backing up the software of the microcontroller, the “firmware” according to the term well known to the person skilled in the art, and for data backup relating to the life cycles of the microcontroller and of its embedded software.
In practice, when the software embedded in the microcontroller is executed, the latter reads the Flash memory so as to thereafter allow the implementation of “high-level” application software and the proper execution of the decisional functions that it comprises.
As regards non-volatile memory, it is well known that Flash memory is used a great deal, because of its cost-competitiveness and its compactness.
A known problem related to the use of Flash memory resides however in the difficulty in ensuring the consistency of the data stored therein. According to the prior art, as mentioned briefly hereinabove, there exist microcontrollers with Flash memory, in which the backed-up data are associated with an error correction code, known by the acronym ECC.
By associating the data backed up in the Flash memory with an error correction code, the prior art makes it possible to detect and to process a large part of the errors relating to an inconsistency of the data read in Flash memory.
However, among the errors which may arise when reading data in Flash memory, some are not correctable. In this case, when, in the course of execution, a microcontroller attempts to read a datum affected by an uncorrectable error, the microcontroller raises an exception which, according to the prior art, generally brings about the restarting of the microcontroller. Indeed, according to the prior art, when an exception is raised while reading data in Flash memory following an uncorrectable error, it is not possible to restore a stable state of the microcontroller prior to the occurrence of the uncorrectable error, because the parameters constituting the low-level context of said stable state (the state of the internal registers, of the stack pointer, of the address registers, etc.) are lost.
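The distinction above between correctable and uncorrectable errors, shown as an added example that is not part of the original document: it assumes a single-error-correcting, double-error-detecting (SECDED) Hamming code over 4-bit data, which the document does not specify, and the function names and the sample datum 0xA are hypothetical. A single flipped bit is located and repaired, whereas two flipped bits are only detected, which is the case in which the microcontroller raises its exception.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: extended Hamming(8,4) SECDED code (assumed; the page names no
 * specific ECC). Bit 0 = overall parity, bits 1,2,4 = Hamming parity,
 * bits 3,5,6,7 = the four data bits. */
enum ecc_status { ECC_OK, ECC_CORRECTED, ECC_UNCORRECTABLE };

static unsigned parity8(unsigned v) { v ^= v >> 4; v ^= v >> 2; v ^= v >> 1; return v & 1u; }

uint8_t ecc_encode(uint8_t nibble)
{
    unsigned d0 = nibble & 1u, d1 = (nibble >> 1) & 1u,
             d2 = (nibble >> 2) & 1u, d3 = (nibble >> 3) & 1u;
    unsigned cw = (d0 << 3) | (d1 << 5) | (d2 << 6) | (d3 << 7);
    cw |= (d0 ^ d1 ^ d3) << 1;   /* parity over positions 3, 5, 7 */
    cw |= (d0 ^ d2 ^ d3) << 2;   /* parity over positions 3, 6, 7 */
    cw |= (d1 ^ d2 ^ d3) << 4;   /* parity over positions 5, 6, 7 */
    cw |= parity8(cw);           /* make the total number of 1 bits even */
    return (uint8_t)cw;
}

/* Hypothetical "reading interface": decodes one stored codeword. */
enum ecc_status ecc_decode(uint8_t stored, uint8_t *nibble)
{
    unsigned cw = stored, syndrome = 0;
    enum ecc_status st = ECC_OK;
    for (unsigned pos = 1; pos < 8; pos++)
        if ((cw >> pos) & 1u) syndrome ^= pos;  /* XOR of set bit positions */
    if (parity8(cw) == 0 && syndrome != 0)
        return ECC_UNCORRECTABLE;  /* two flips: detected but not locatable */
    if (parity8(cw) == 1) {        /* one flip, at bit `syndrome` (0 = parity bit) */
        cw ^= 1u << syndrome;
        st = ECC_CORRECTED;
    }
    *nibble = (uint8_t)(((cw >> 3) & 1u) | (((cw >> 5) & 1u) << 1) |
                        (((cw >> 6) & 1u) << 2) | (((cw >> 7) & 1u) << 3));
    return st;
}

int main(void)
{
    uint8_t out = 0, cw = ecc_encode(0xA);   /* constructed sample datum */
    int s0 = ecc_decode(cw, &out);           /* stored word intact */
    int s1 = ecc_decode(cw ^ 0x40, &out);    /* one bit flipped */
    int s2 = ecc_decode(cw ^ 0x48, &out);    /* two bits flipped */
    printf("intact=%d one_flip=%d two_flips=%d data=0x%X\n", s0, s1, s2, out);
    return 0;
}
```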
Thus, more precisely, according to the prior art, when a microcontroller receives the instruction to read a datum in Flash memory, it implements a reading interface able to execute the read instruction. Said reading interface is in practice a function of the “driver” of the microcontroller. The “driver” handles, in particular, all the requests to read and write data arising from the application software implemented by the computer comprising the microcontroller concerned. When said microcontroller, in practice said reading interface, is confronted with an uncorrectable error, such as a nonexistent instruction or an irretrievably corrupted datum, said microcontroller raises an exception via an exception handler. Said exception, in general, brings about the restarting of the microcontroller.
The technical problem which ensues from this behavior of the reading interface cooperating with the exception handler, in known microcontrollers, resides in the fact that, in the case where an uncorrectable error is due to corruption of a memory area of the Flash memory, the exception is raised in a loop, and this brings about restarting in a loop of the microcontroller and of the computer concerned. In practice, after several consecutive restarts of a critical computer, an automotive vehicle in which this type of malfunction arose would be disabled by the engine control and could not be restarted without the intervention of a technician.
According to a known technique, certain specific microcontrollers, necessarily having fixed-size function call contexts stored in a dedicated stack, have an exception handler capable, on prior request, of returning the software of the microcontroller to a function higher than the call to the reading interface that prompted an exception because of an error identified as uncorrectable, without giving rise to a restart of the microcontroller. However, this known solution is not applicable to many microcontrollers, in particular those not comprising any fixed-size function call contexts stored in a dedicated stack.