Due to external electrical noise, static electricity, instability of the power supply voltage and other factors, a fatal error is likely to occur in the CPU of a microcomputer. This can preclude the CPU from executing programs. One such fatal error state is so-called “CPU runaway”. A common countermeasure to a fatal error in the CPU of a microcomputer is a technique known as a “watchdog”. In this technique, a timer having a cycle (loop) time sufficiently greater than that of the software-based processing is provided, and is configured to be reset at intervals of the loop of the software-based processing. In the event of a fatal error in the CPU, the software-based processing does not operate normally, so the timer expires without being reset, and the expiration of the timer serves as a trigger for resetting the entire microcomputer. On the other hand, when the CPU operates normally (when no fatal error occurs), the microcomputer is not reset, because the timer is reset before it expires.
However, in this technique, a fatal error state of the CPU is likely to continue for a large part of a time period from the start to expiration of the timer. Thus, in an environment where a lag time between the occurrence of a fatal error in the CPU and the expiration of the timer has an adverse effect on the use of the microcomputer, or where a false operation of the microcomputer during the lag time poses a risk to a user, the watchdog is not necessarily effective. However, it is employed because there is no other means.
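The watchdog scheme of the two paragraphs above, modelled as an added example in C (constructed here; it is not part of the original text and the names such as wdt_kick and first_reset_tick are assumed, not any real microcomputer's watchdog registers): the software loop refreshes the timer, a fatal error is modelled as the loop ceasing to refresh it, and the simulation returns the tick at which the reset fires, showing that the lag between the error and the reset can approach a full timer period, and that a period not greater than the loop time resets a healthy CPU.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed watchdog model (assumed names, not any real MCU register API).
 * The timer counts down from `period`; the software loop refreshes it; when it
 * reaches zero the whole microcomputer is reset. */
typedef struct {
    uint32_t period;     /* timer cycle; must exceed the software loop time */
    uint32_t remaining;  /* ticks left until expiry */
} watchdog_t;

void wdt_init(watchdog_t *w, uint32_t period) {
    w->period = period;
    w->remaining = period;
}

/* Called once per loop of the software-based processing. */
void wdt_kick(watchdog_t *w) { w->remaining = w->period; }

/* Advance hardware time by one tick; true when the timer expires. */
bool wdt_tick(watchdog_t *w) {
    if (w->remaining == 0) return false;     /* already expired */
    return --w->remaining == 0;
}

/* Simulate a CPU whose loop kicks the watchdog every `loop_time` ticks until
 * a fatal error (runaway, modelled as the loop no longer kicking) occurs at
 * `fault_tick`. Returns the tick at which the watchdog resets the
 * microcomputer, or 0 if it never fires within `max_ticks`. A result below
 * `fault_tick` means the period was too short and a healthy CPU was reset. */
uint32_t first_reset_tick(uint32_t period, uint32_t loop_time,
                          uint32_t fault_tick, uint32_t max_ticks) {
    watchdog_t w;
    wdt_init(&w, period);
    for (uint32_t t = 1; t <= max_ticks; t++) {
        bool cpu_alive = t < fault_tick;
        if (cpu_alive && t % loop_time == 0) wdt_kick(&w);
        if (wdt_tick(&w)) return t;
    }
    return 0;
}

/* Lag between the fatal error and the reset, i.e. the interval during which
 * the runaway CPU keeps acting; 0 if no reset occurred after the fault. */
uint32_t detection_lag(uint32_t period, uint32_t loop_time,
                       uint32_t fault_tick, uint32_t max_ticks) {
    uint32_t reset_at = first_reset_tick(period, loop_time, fault_tick, max_ticks);
    return reset_at > fault_tick ? reset_at - fault_tick : 0;
}
```

With a period of 100 ticks and a loop of 10 ticks, a fault right after a kick is only detected 98 ticks later, which is the lag the paragraph above describes.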
Moreover, in the watchdog-based countermeasure to a fatal error in the CPU, it is difficult to, after the occurrence of the fatal error in the CPU, return the CPU to a state just before the occurrence of the error. This is because it takes a long time before a fatal error in the CPU is detected, so that a state of information in a CPU register or the like at a timing of the detection of the fatal error in the CPU becomes different from a state just before the occurrence of the fatal error.
Heretofore, a microcomputer has been configured such that, in response to detecting a fatal error in the CPU, it is entirely initialized while discarding the information in the CPU register or the like at the timing of the detection of the fatal error in the CPU. Thus, in order to recover the CPU from a fatal error, it is conventionally necessary to take a time for initializing the entire microcomputer, in addition to a time for detecting the fatal error in the CPU. Then, in order to return the microcomputer to the state just before the occurrence of the fatal error in the CPU, it is necessary to allow processing (processing according to an application program) which has been previously running until just before the occurrence of the error, to be reproduced after reset or initialization of the CPU. It is not easy to reproduce the previously running processing. Moreover, it is necessary to take a processing time for performing the reproduction. Therefore, depending on a usage environment of the microcomputer, the above technique of recovering the microcomputer from the fatal error of the CPU is likely to cause a big problem. For example, a machine is likely to be placed in an unstoppable state during the period after the fatal error in the CPU through until the initialization, resulting in the occurrence of an accident, and a serious situation such as a loss of monetary count is likely to occur.
Generally, a one-chip microcomputer has only one signal for initialization. This means that the initialization is performed on the entire microcomputer. Thus, the microcomputer is designed on the assumption that it is initialized in the event of an error whose severity justifies initializing the entire microcomputer. Therefore, it has conventionally been believed that it is unavoidable either to take a long time to recover the CPU from a fatal error, or to lose the information held before the occurrence of the fatal error.
There has also been known a technique of periodically or cyclically providing a reset to only the CPU, instead of the cyclic interrupt, as disclosed in the following Patent Document 1. When this technique is used, the time period from the start to the end of execution of an application program to be executed on the CPU is required to fall within the cycle time of the reset. This is because, if the CPU is reset during execution of the application program, information in a CPU register such as the program counter or the stack is also reset, so that the addresses of instructions in the application program are erased. Thus, when only the CPU is cyclically reset, the application program is required to be small enough that the time period from the start to the end of its processing falls within one interval of the CPU reset cycle. For this reason, the required size of an application program becomes smaller than that of a common program. This leads to an enormous increase in the number of application programs. There is a further problem that a programmer must create the application program with consideration not only of the contents of the processing based on the application program but also of the reset cycle.