Conventional electronic control units (ECUs) installed in, for example, vehicles are configured so that, if program execution of a microcomputer freezes up or hangs up due to a disturbance such as radio noise, the freeze or hang-up is detected and the microcomputer is reset.
A well-known method of detecting and handling abnormal execution of a task that is programmed to be executed at regular intervals is to reset the microcomputer using a watchdog timer.
This method provides a watchdog timer to be electrically connected to a microcomputer. The watchdog timer is operative to continuously count. The watchdog timer is also operative to output a reset signal to the microcomputer unless it is reset at first regular intervals by a watchdog timer clear signal (WDC signal) output from the microcomputer.
Meanwhile, a specific routine (task) is installed in advance in the program to be executed by the microcomputer, and is executed at second regular intervals shorter than the first regular intervals. Each time it is executed by the microcomputer, the specific routine outputs the WDC signal to the watchdog timer.
The method using the watchdog timer can determine that program execution has frozen or hung up when, because of some trouble, the routine is not carried out normally by the microcomputer and the duration of the state in which no WDC signal is output from the microcomputer exceeds a predetermined period. Thus, the method enables the watchdog timer to reset the microcomputer.
However, in a program consisting of a plurality of tasks with priority and designed to run under the RTOS set forth above, even if the program freezes up or hangs up during execution of one of its tasks, for example because the task enters an infinite loop, another task higher in priority than the hung/frozen task may still interrupt it and be handled normally.
The interrupt handling of another task higher in priority than the hung/frozen task disables output of the WDC signal to the watchdog timer, thereby frequently resetting the microcomputer. This may cause the execution of the program to be frequently interrupted.
Thus, in order to avoid the frequent interruptions, installation of the specific task in a program to be executed by a microcomputer is insufficient. A specific task (routine) designed to be launched and executed by a microcomputer at regular intervals will be referred to as “time synchronized task” hereinafter.
Thus, a method of monitoring abnormal execution of a program consisting of a plurality of tasks with priority and designed to run under the RTOS is conventionally well known. For example, such a method is disclosed in Japanese Unexamined Patent Publication No. H07-114490.
The method causes a microcomputer to execute a time synchronized task A higher in priority than some of the remaining tasks, thus repeatedly outputting the WDC signal to a watchdog timer.
In the method, the time synchronized task A being executed by the microcomputer monitors whether a specific task B, which has the lowest priority among all of the tasks, is normally executed.
When it is determined that the specific task B has not been carried out for more than a constant period of time, the time synchronized task A disables output of the WDC signal. This enables the watchdog timer to reset the microcomputer.
Specifically, when a task equal to or higher in priority than the time synchronized task A hangs up or freezes up, the task A itself is not executed, so that no WDC signal is output from the microcomputer. In addition, when a task lower in priority than the task A hangs up or freezes up, the task B is not carried out, so that the task A disables output of the WDC signal.
Accordingly, even if any task hangs up or freezes up, it is possible to reliably reset the microcomputer.
In the conventional method of monitoring an abnormal execution of a program under the RTOS, the RTOS is designed to allow a plurality of tasks of a program to be properly scheduled in priority. If a task hangs up or freezes up, some of the tasks equal to or lower in priority than the hung/frozen task cannot be executed under the RTOS.
Thus, if a malfunction occurs in the RTOS so that the remaining tasks except for the tasks A and B cannot be executed, the conventional method cannot detect the abnormal conditions set forth above appearing in the microcomputer.
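The task A / task B monitoring scheme described above, and the undetected RTOS malfunction noted in the last paragraph, can be reproduced with a small simulation. This is an added example, not code from the cited publication; the priorities, limits and tick model are hypothetical, and strict priority scheduling without time slicing is assumed.

```c
#include <stdio.h>

/* Hypothetical priorities (larger = more urgent) and limits, in task-A periods. */
enum { PRIO_B = 0, PRIO_WORKER = 3, PRIO_A = 5, PRIO_HIGH = 7 };
enum { TICKS = 100, B_LIMIT = 3, WDT_TIMEOUT = 5, NO_HANG = -1 };

/* hung_prio: priority of a task stuck in an infinite loop (NO_HANG for none);
 * under strict priority scheduling it starves every task of equal or lower
 * priority. rtos_fault: the scheduler stops dispatching the worker task but
 * still runs A and B. Returns the tick of the watchdog reset, or -1 if none. */
int simulate(int hung_prio, int rtos_fault, int *worker_runs)
{
    unsigned b_beat = 0, last_seen = 0;  /* heartbeat written by task B */
    int missed = 0, wdt = 0;             /* A's miss counter, watchdog count */

    *worker_runs = 0;
    for (int tick = 1; tick <= TICKS; tick++) {
        int a_runs = hung_prio < PRIO_A;
        int b_runs = hung_prio < PRIO_B;
        int w_runs = hung_prio < PRIO_WORKER && !rtos_fault;

        if (w_runs) (*worker_runs)++;
        if (b_runs) b_beat++;
        if (a_runs) {                    /* task A: check B, then feed the watchdog */
            if (b_beat != last_seen) { last_seen = b_beat; missed = 0; }
            else missed++;
            if (missed <= B_LIMIT) wdt = 0;   /* output WDC signal */
        }
        if (++wdt > WDT_TIMEOUT) return tick; /* watchdog expired: reset */
    }
    return -1;
}

int main(void)
{
    int w;
    printf("healthy:          reset=%d", simulate(NO_HANG, 0, &w));
    printf(" worker_runs=%d\n", w);
    printf("high task hung:   reset=%d\n", simulate(PRIO_HIGH, 0, &w));
    printf("worker task hung: reset=%d\n", simulate(PRIO_WORKER, 0, &w));
    printf("RTOS fault:       reset=%d", simulate(NO_HANG, 1, &w));
    printf(" worker_runs=%d\n", w);
    return 0;
}
```

In the last scenario the worker task never runs, yet tasks A and B keep the WDC signal flowing and no reset occurs.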