The present invention relates to a semiconductor device and more particularly to a semiconductor device including processors (CPU cores).
To improve the functional safety and the like of a semiconductor device, faults (failures) of the device must be detected quickly and accurately while it is running. Here, functional safety means safety realized by the correct operation of a safety function. For example, ISO 26262, laid down by ISO (International Organization for Standardization), is a functional safety standard for in-vehicle electronic devices and the like. A lockstep system is used as one means of realizing a fail-safe function, in which a device is controlled so that its operation remains safe even if it fails owing to a malfunction or the like, or a fault-tolerant function, in which a system can continue to run without stopping even if a malfunction occurs in a part of it. In a dual-core lockstep system, two processors (CPU (central processing unit) cores) of the same configuration perform the same processing, and a fault is detected by detecting a difference between the processing results obtained by the two processors.
For example, Japanese Unexamined Patent Application Publication No. Hei 10(1998)-116258 that discloses a lockstep fault-tolerant computer system may be referred to. In Japanese Unexamined Patent Application Publication No. Hei 10(1998)-116258, each of subsystems includes: a parallel input signature generation unit used for data compression that enables the operations of internal modules to be actually compared with each other; and a logic analysis unit for memorizing the outputs of the internal modules of the lockstep subsystem. The lockstep fault-tolerant computer system disclosed in this Patent Application Publication is configured so that, after an out-of-synchronization event occurs, the lockstep fault-tolerant computer system automatically searches the traces of the logic analysis unit; locates the position of the first difference in its active condition; determines an internal module that has given out a defective output, and indicates that the internal module is faulty.
As one of the related technologies in which the output signals of processors are compressed and compared with each other, a comparative/redundant type information processing device including a first processing unit and a second processing unit that execute the same processes in parallel is disclosed, for example, in Japanese Unexamined Patent Application Publication No. 2011-113545, and the comparative/redundant type information processing device is configured as follows. Each of the first and second processing units of the comparative/redundant type information processing device includes a diagnosis unit that compares and judges whether data obtained by the executions performed by the two processing units coincide with each other or not. The diagnosis unit includes: a summary information conversion unit that executes a hash operation on the calculation data calculated by the processor and compresses the hashed data to make summary information; a summary information memory unit that memorizes the summary information; and a comparison unit that compares the summary information memorized by the summary information memory unit with summary information processed by the diagnosis unit to which the comparison unit does not belong, and judges whether both pieces of summary information coincide with each other or not. Each of the first and second processing units compares both pieces of summary information obtained by compressing the calculation data with each other, judges whether both pieces of summary information coincide with each other or not, and sends a judgment signal to a system selection unit.
Japanese Unexamined Patent Application Publication No. Hei 5(1993)-324391 discloses a fault detection device used in a fail-safe processing apparatus in which the presence or absence of a fault is observed by operating plural microprocessors (CPU1, CPU2) in clock synchronization, and by comparing the bus outputs (20 to 2m) of the plural microprocessors that are running in clock synchronization. This fault detection device includes a bus comparison unit having a compression processing section in which predefined bit number of the multi-bit bus output (20 to 2m) of each of the microprocessors (CPU1, CPU2) is serially code compressed per bit or per unit of multi bits, and a comparison section that serially compares the compressed data of the microprocessors, which are output from the compression processing section, with each other, and detects a fault in the case where there is a discrepancy between the operations of the microprocessors.
Japanese Unexamined Patent Application Publication No. Hei 1(1989)-265171 discloses a configuration including a test pattern generator for generating random patterns as test inputs into plural devices of which a redundant apparatus is comprised; a compressor for temporally compressing the outputs generated by the devices in association with the test inputs to create compression values unique to the respective devices; an adder for adding the outputs of the compressor in modulo 2 arithmetic when the test inputs into the respective devices are finished; and a comparator that compares the addition result of the adder with a predefined random pattern that is determined on the basis of the pattern input number of the random patterns input into the respective devices to judge whether the addition result coincides with the predefined random pattern or not.
Japanese Unexamined Patent Application Publication No. 2011-128821 discloses a configuration including a first code analyzer (LFSR: Linear Feedback Shift Register) for compressing and encoding the history of multi-bit data that appears at an address bus or a data bus of a first microprocessor; a second code analyzer for compressing and encoding the history of multi-bit data that appears at an address bus or a data bus of a second microprocessor in the same procedures as in the case of the code analyzer; and a verification means for comparing a code obtained by the first code analyzer with a code obtained by the second code analyzer, with the result that the processing load of the microprocessors can be lightened, and at the same time failures can be accurately and speedily detected.
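The compress-then-compare idea in the LFSR-based related art above, as an added example that is not taken from any of the cited publications. The 16-bit width, seed, feedback polynomial and bus values are assumptions; the example goes slightly beyond the text by also constructing a two-word fault whose effects cancel inside the compressor (aliasing).

```python
WIDTH = 16                       # assumed bus width
MASK = (1 << WIDTH) - 1
POLY = 0x1021                    # assumed feedback taps (x^16 + x^12 + x^5 + 1)

def misr_step(state, word):
    """One clock: shift the LFSR, apply feedback, fold in the bus word."""
    msb = state >> (WIDTH - 1)
    state = (state << 1) & MASK
    if msb:
        state ^= POLY
    return state ^ (word & MASK)

def signature(history, seed=0xFFFF):
    """Compress a whole bus history into one WIDTH-bit code."""
    state = seed
    for word in history:
        state = misr_step(state, word)
    return state

def codes_match(history_a, history_b):
    """Verification step: compare the two compressed codes only."""
    return signature(history_a) == signature(history_b)

# Constructed sample: values seen on the first microprocessor's bus.
MASTER_BUS = [0x1000, 0x1004, 0x1008, 0xBEEF, 0x100C, 0x0042, 0x1010, 0x1014]

def single_fault():
    """Second microprocessor's history with one flipped bit in one word."""
    bus = list(MASTER_BUS)
    bus[3] ^= 0x0001
    return bus

def aliased_fault():
    """Two corrupted words whose errors cancel in the linear compressor."""
    error = 0x0001
    bus = list(MASTER_BUS)
    bus[3] ^= error
    bus[4] ^= misr_step(error, 0)    # the shifted error, injected one clock later
    return bus
```

`codes_match(MASTER_BUS, single_fault())` is false, while `codes_match(MASTER_BUS, aliased_fault())` is true even though two bus words differ. A word-by-word comparison of the two histories would catch the second case.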
FIG. 1 is a diagram showing a prototype example of a semiconductor device of a clock-delay type dual-core lockstep scheme. With reference to FIG. 1, this semiconductor device includes a first processor (CPU core) 10 for normal operation; a second processor (CPU core) 20 for monitoring the operation of the first processor; an input control circuit 30; and an output comparison circuit 40′. The first and second processors 10 and 20, which make up the dual-core lockstep system, have the same configuration, and they are also referred to as a “Master core” and a “Checker core”, respectively. Each of the processors (10 and 20) includes, for example, a CPU, a cache memory, a cache controller, an interrupt controller (INTC), an interrupt interface, a bus interface, and the like, although not all of these items are always required. In addition, each of the processors may further include a floating-point unit (FPU) that carries out floating point operations, a memory protection unit (MPU) that executes access control on external memories, and a peripheral interface that is used for accessing external peripherals (address spaces).
A CPU input into the input control circuit 30 represents a signal input into the first processor (Master core) 10. The CPU input corresponds to a signal input into the first processor 10 as a response sent from a memory, I/O devices, or the like (not shown in FIG. 1) in response to an access performed by the first processor 10 to the memory, I/O devices, or the like. Flip-flops (FFs) 31 and 32 function as delay circuits that delay the CPU input by the time period of a predefined number of cycles. Each of the flip-flops (FFs) 31 and 32 is, for example, an edge-trigger type D-flip-flop (D-FF) that outputs a sampled signal, which is obtained by sampling a signal input into the data terminal, at the rising edge of a clock signal. The flip-flops (FFs) 31 and 32, which are cascade-coupled in series, function as a shift register, and the CPU input is output from the flip-flop (FF) 32, for example, with a delay time of two clock cycles while the clock signal is used as a shift clock. Alternatively, in the case where the flip-flops (FFs) 31, 32 are configured in such a way that the flip-flop 31 samples a signal input into the data terminal of the flip-flop 31 at the rising edge of the clock signal, and the flip-flop 32 samples a signal input into the data terminal of the flip-flop 32 at the falling edge of the clock signal, the flip-flops (FFs) 31 and 32 function as a delay circuit with a delay time of one and a half clock cycles.
A signal that is input into the first processor 10, that is, the CPU input, is delayed by the flip-flops 31 and 32, and this delayed signal is input into the second processor 20. The second processor 20 takes in the same signal as the first processor 10, for example, two clock cycles later, and performs the same processing as the first processor 10 two clock cycles later. Because the timings of the processing performed by the first and second processors 10 and 20 are offset (dispersed) by this delay, the peak of electricity consumption and the like can be dispersed.
In addition, in FIG. 1, the input signal (CPU input) into the first processor 10 or the second processor 20 can of course be a multi-bit (parallel-bit) signal. In this case, in the input control circuit 30, plural two-stage flip-flops (31, 32) should be installed in parallel in accordance with the number of bits of the input multi-bit signal. The same applies to the drawings described hereinafter.
In the output comparison circuit 40′, a two-stage flip-flop (41, 42) functions as a delay circuit that delays an n-bit signal (Master output) output from the first processor 10 by the same delay time that the two-stage flip-flop (31, 32) of the input control circuit 30 gives to the CPU input. Each of the flip-flop (FF×n) 41 and the flip-flop (FF×n) 42 includes plural edge-trigger type D-flip-flops (D-FFs), each of which outputs a sampled-data signal obtained by sampling a signal input into its data terminal at the rising edge of a clock signal (not shown in FIG. 1), and n D-flip-flops are disposed in parallel in accordance with the n-bit output. In FIG. 1, “FF×n” denotes that n 1-bit flip-flops (FFs) are disposed in parallel.
The two-stage flip-flop (41, 42) delays the n-bit signal (Master output) output from the first processor 10, for example, by the time period of two clock cycles.
A coincidence comparison circuit 43 examines whether the n-bit signal output in parallel from the n flip-flops that make up the flip-flop 42 coincides with the n-bit signal (Checker output) that the second processor 20 outputs two clock cycles after the corresponding output of the first processor 10. To do so, the coincidence comparison circuit 43 compares the corresponding bits of the two n-bit signals bit by bit.
A flip-flop 44 samples the comparison result output (1-bit) from the coincidence comparison circuit 43 every clock, and outputs the sampled comparison result as a signal indicating the presence or absence of a comparison error. A comparison error means that an error such as a data breakdown has occurred in the processors. In this case, the first processor 10, the second processor 20, and the like perform predetermined pieces of processing in accordance with a functional safety target and the like. In FIG. 1, a clock signal “clock”, a clock enable signal “clock_enable” that is a control signal for controlling the activation of the clock signal, and a reset signal “reset” are input into both the first and second processors 10 and 20 in common. In addition, the clock signal “clock” and the reset signal “reset” are input in common not only into the first and second processors 10 and 20, but also into the input control circuit 30 and the output comparison circuit 40′.
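A cycle-level model of the FIG. 1 datapath described above, as an added example that is not part of the original text. The `Core` class is a toy stand-in for a CPU core, and the 16-bit output width, the `fault` tuple, and the Checker idling while the delay flip-flops fill are all assumptions.

```python
from collections import deque

DELAY = 2                      # stages in FF 31/32 and in FF 41/42
MASK = 0xFFFF                  # n = 16 output bits (assumed width)

class Core:
    """Toy stand-in for a CPU core: a deterministic accumulator."""
    def __init__(self):
        self.acc = 0
    def clock(self, cpu_input):
        self.acc = (self.acc * 5 + cpu_input + 1) & MASK
        return self.acc

def run_lockstep(inputs, fault=None):
    """Per-cycle value of the comparison-error output (FF 44).

    fault is a hypothetical (core_name, cycle, bit_mask) tuple that flips
    state bits in one core just before that clock cycle.
    """
    cores = {"master": Core(), "checker": Core()}
    in_ffs = deque([None] * DELAY)      # FF 31, 32: delayed CPU input
    out_ffs = deque([None] * DELAY)     # FF 41, 42: delayed Master output
    error_ff, trace = 0, []
    stream = list(inputs) + [0] * (DELAY + 1)   # extra cycles flush the delays
    for cycle, cpu_input in enumerate(stream):
        trace.append(error_ff)          # what FF 44 drives during this cycle
        if fault and fault[1] == cycle:
            cores[fault[0]].acc ^= fault[2]
        checker_in = in_ffs.popleft()
        delayed_master = out_ffs.popleft()
        in_ffs.append(cpu_input)
        out_ffs.append(cores["master"].clock(cpu_input))
        if checker_in is None:          # assumption: Checker idles while delays fill
            continue
        checker_out = cores["checker"].clock(checker_in)
        error_ff = int(delayed_master != checker_out)   # circuit 43
    return trace

def first_error_cycle(inputs, fault=None):
    """Cycle at which the error output first goes high, or None."""
    trace = run_lockstep(inputs, fault)
    return trace.index(1) if 1 in trace else None

CPU_INPUTS = [3, 1, 4, 1, 5, 9, 2, 6]   # constructed sample input stream
```

In this model a Master fault surfaces `DELAY + 1` cycles after injection and a Checker fault one cycle after, because the Master output passes through FF 41 and 42 before reaching the comparator.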