JP2009031985A - Software generation apparatus and program used for software generation apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To permit, even if an error of system design information is detected, subsequent software generation depending on the content of the error in a technique for generating software from system design information of a vehicle internal communication system. <P>SOLUTION: The software generation device records a detected error of system design information as an error item (761), prohibits generation of software based on the system design information when the error item is recorded, and permits the generation of software based on the system design information when no error item is recorded. Meanwhile, the software generation device excludes an error matched to any one of error neglect items from the object to be recorded as error item. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a software generation device and a program used for the software generation device.

  Conventionally, a technology for performing data communication between a plurality of ECUs in an in-vehicle communication system has been realized. Software executed in the ECU in such an in-vehicle communication system is developed by the following method, for example.

First, system designer information about the in-vehicle communication system is created by the designer of the entire in-vehicle communication system. Then, a software designer for a specific ECU in the in-vehicle communication system creates software using a computer program such as a software creation tool based on the created system design information (for example, Patent Literature 1).
Japanese Patent Laid-Open No. 2004-280786

  In such a technical field, system design information including an error may be passed to a software designer. Errors include inconsistencies within the system design information.

Examples of inconsistencies in the system design information include the following.
(1) It is defined that certain software (for example, software for calculating the fuel injection amount of the engine) is installed in two different ECUs. (2) It is defined that data is transmitted from one ECU to another ECU. However, these two ECUs are not connected to the same communication bus. Therefore, before generating the software from the system design information, the system design information was automatically detected and an error was detected. In this case, it is conceivable to employ a technique for prohibiting the generation of software in the software generation apparatus.

  However, even if an error is detected in the system design information, there is a case where subsequent software generation is not necessarily prohibited. For example, even if an error is detected in the system design information, the software development work will continue until the designer of the entire in-vehicle communication system is notified of the content of the error and provides a version of the system design information that corrects the error. There is a case where there is not enough room for the development schedule to stop and wait.

  In view of the above points, the present invention provides a technique for generating software from system design information of an in-vehicle communication system, and even if an error in the system design information is detected, depending on the content of the error, a technique for permitting subsequent software generation is provided. For the purpose.

  In order to achieve the above object, the present invention is characterized in that the software generation apparatus detects an error in the system design information as an error item and records it on a storage medium, and further records the detected error on the storage medium. Filtering using the ignored error items.

  Here, filtering processing excludes errors that match any of the error-ignored items from the target to be recorded on the storage medium as error items, and errors that do not match any of the error-ignored items are errors. This refers to processing that is left as an item to be recorded on a storage medium.

  Further, when one or more error items remain as a result of the filtering process, the software generation device prohibits generation of software based on the system design information, and when no error items remain, the software generation device The software generation based on the design information is permitted. Here, the software generation device may generate a part of software.

  As described above, the software generation device records the detected error in the system design information as an error item, and when the error item is recorded, the software generation device prohibits the generation of software based on the system design information and is not recorded. In some cases, software generation based on the system design information is permitted. However, the software generation apparatus excludes an error that matches any of the error ignoring items from the target to be recorded as the error item. Therefore, regarding the predetermined error in the system design information, even if the error is detected, the software generation is not prohibited.

  Thus, in the technology for generating software from the system design information of the in-vehicle communication system, even if an error in the system design information is detected, subsequent software generation can be permitted depending on the content of the error.

  Here, for each of one or more verification items recorded in the storage medium in advance, the software generation device searches the system design information for a component that satisfies the detection condition associated with the verification item, and if there is a component that satisfies The verification item may be detected as an error item.

  The detection condition here is a condition for detecting an error, and is a condition for the attribute of the component in the system design information. For example, “(1) Component A is application data defined to be transmitted and received between applications, (2) Component B is network data defined to flow in the network, (3) The condition that the component A and the component B are in a correspondence relationship and (4) the communication cycle of the component A is shorter than the communication cycle of the component B corresponds to an example of a detection condition.

  Note that the components of the system design information are ECUs, communication buses, communication data, etc., target data for which attributes (for example, connection relationship, communication cycle, etc.) are defined in the system design information, data transmission source, data A destination, a data transmission medium, and the like.

  As described above, when an error is detected using the verification item, the error ignoring item recorded in the storage medium may indicate the verification item. Then, when the verification item detected as the error item matches the verification item recorded as the error ignoring item in the storage medium, the software generation device matches the error related to the error item with the error ignoring item. It may be assumed that it is an error.

  With this configuration, the software generation apparatus can distinguish between exclusion and non-exclusion of detected errors from error items for each verification item. Accordingly, verification items that the user of the software generation apparatus wants to ignore can be excluded, and verification items that the user does not want to ignore can be excluded.

  Further, when error detection using the verification item is performed as described above, the error ignoring item recorded in the storage medium may indicate a component in the in-vehicle communication system. Further, in this case, the software generation device has a configuration in which either the constituent element that is the target of the verification item detected as the error item or the constituent element related to the constituent element is recorded as the error ignoring item in the storage medium. Based on matching with an element, an error relating to the error item may be an error matching the error disregarding item.

  With this configuration, the software generation apparatus can classify detection error exclusion / non-exclusion for each component of the system design information. Therefore, a software designer of a certain ECU should exclude errors regarding ECUs, data, etc. not related to his / her work, and exclude errors regarding components related to his / her work. be able to.

  In addition, if no error items remain as a result of the filtering process, the software generation apparatus sends a notification to the user that the filtering process has been performed and an inquiry for consent to the software generation. And the generation of software based on the system design information may be permitted based on the fact that the user responds to the inquiry with a consent response.

  In this way, after confirming that the user has an error in the system design information and agreeing to proceed with the software generation despite the error, the user can generate the software. to approve. Therefore, it is possible to make the user recognize that the generation work of the future software is to be performed at his / her own risk.

  Further, when no error items remain as a result of the filtering, the software generation apparatus includes a comment sentence indicating that the filtering has been performed in a part of the source code of the software. May be. In this way, when the user reads the contents of the source code, it can be confirmed that the source code may have been generated even though there is an error in the system design information.

  The software generation device also includes, in a part of the source code of the software to be generated, a statement that prohibits creation of the software product version when no error items remain as a result of the filtering. It may be like this. By doing so, even if a non-product version of the software can be generated, a product version of the software cannot be generated. Therefore, it is possible to reduce the possibility that the software generated based on the system design information including the error is mistakenly incorporated into the sales product.

  The error detected by the software generation device may be a contradiction between information defining communication data in the in-vehicle communication system in the system design information and other information included in the system design information. The features of the present invention can also be realized as a program.

  Hereinafter, an embodiment of the present invention will be described. FIG. 1 shows an example of a state where a plurality of ECUs (ECU-E01, ECU-E02, ECU-E03) are connected to either or both of communication buses B1 and B2 in the vehicle in the in-vehicle communication system 60. Indicates. In the present embodiment, a software creation procedure to be executed by a CPU (not shown) mounted in each of the plurality of ECUs and an apparatus used in the creation procedure will be described.

  FIG. 2 shows a software hierarchical structure of a software group executed in each CPU. The software executed by each CPU is divided into a software platform (hereinafter referred to as software PF) 1, a configuration code (referred to as a configuration code in the drawing) 2, and an application 3. The configuration code 2 may be regarded as a part of the software PF1, or may be regarded as a separate one from the software PF1.

  The software PF is a program group for directly driving the hardware of the ECU on which the CPU is mounted. Therefore, the configuration of the software PF strongly depends on the hardware configuration of the ECU. Examples of the software PF include an OS (for example, OSEK-OS (registered trademark)) and a device driver.

  The application is a software group that drives the hardware of the ECU on which the CPU is mounted by using the function provided by the software PF. As an application, for example, if the ECU is an engine ECU, various amounts (accelerator opening, engine rotation speed, etc.) necessary for calculating the engine ignition timing are transferred to another ECU (or another CPU in the same ECU). ), The ignition timing is calculated from the received information, and there is software for realizing a process for controlling the injector so that the calculated ignition timing is realized.

  The use of the function provided by the software PF is, for example, the operation of the software PF using hardware (for example, output of a control signal to an actuator, acquisition of a detection signal from a sensor, communication with another ECU) This is realized by providing an application interface (hereinafter referred to as API) for executing signal transmission / reception, and calling the API as required by the application.

  Software PF installed in different ECUs often provides a common API to applications. Therefore, it is not necessary to code the application in consideration of the hardware configuration of the ECU in creating the application.

  The configuration code includes detailed information (for example, transmission / reception cycle, initial value, fail value) of communication data handled by the application. Communication data handled by an application refers to data that the application passes to and from another application executed by another CPU. When the communication partner application is executed by another CPU in the same ECU, the data is data for inter-CPU communication. When the communication partner application is executed by a CPU in another ECU, the communication data is communication data between ECUs. The configuration code includes a program for realizing transmission or reception of the communication data using the software PF. Specifically, the program for realizing transmission or reception of communication data using the software PF is a function program for data transmission / reception (hereinafter referred to as communication data function). These communication data functions use an API provided by the software PF. The application is described so as to realize data transmission / reception by calling communication data functions for data transmission / reception.

  A configuration code in a certain CPU has one data transmission / reception function for each type of communication data handled by all applications executed by the CPU.

  As shown in FIG. 3, an execution image of software for a certain CPU (that is, object code) is compiled by linking the software PF, configuration code, and application for the CPU (in this specification, it is a static link). ) To create.

  FIG. 4 schematically shows a configuration code generation method. The configuration code 8 is created by processing of the configuration tool 7 which is a program executed in the configuration code generation device 50.

  The configuration code generation device 50 includes an arithmetic circuit (that is, a CPU), a RAM, a ROM, a hard disk drive (corresponding to an example of a storage medium), an operation device (a keyboard, a mouse, etc.), a display, and the like (not shown). The arithmetic circuit reads and executes the configuration tool 7 stored in the RAM or the hard disk drive. When the arithmetic circuit is executing the configuration tool 7, the user who is the creator of the configuration code 8 refers to information such as system design information 4 including information on an error ignoring item list, which will be described later, and refers to the referenced information. By operating the operating device, input to the arithmetic circuit. The arithmetic circuit generates the configuration code 8 based on the input information and records it in the hard disk drive. The setting information used by the configuration tool 7 for generating the configuration code 8 is recorded as project information 5 on the hard disk drive.

  Note that the compile, link, and execution image generation processing shown in FIG. 3 may be performed by an arithmetic circuit of the configuration code generation device 50, or by a device other than the configuration code generation device 50. It may be like this. Even when a device other than the configuration code generation device 50 compiles, links, and generates an execution image, the configuration code generation device 50 corresponds to the software generation device of the present invention. This is because the configuration code 8 is also a part of the object code finally created.

  FIG. 5 schematically shows an example of the system design information 4. The system design information is information describing attributes for each component in the in-vehicle communication system 60. The components of the system design information are, for example, each of the ECUs (ECU-E01 and E02 in FIG. 5) in the in-vehicle communication system 60, each of the applications (applications A01 and A02 in FIG. 5 includes bus B1), communication data (data A in FIG. 5, CANID1, F1 data 1 and F1 data 2 in frame 1), and the like. Thus, the components of the system design information are data, a data transmission source, a transmission destination, and a data transmission medium.

  As attributes of each component, there are, for example, a transmission source, a transmission destination, a transmission medium, a data type, and a transmission cycle (that is, an update cycle) of each data. In the example of FIG. 5, for data A, the transmission source is specified in application A01, the transmission destination is specified in application A02, the data type is specified as a signed 16-bit integer, and the update cycle is specified as 64 milliseconds. Has been. Further, it is defined that F1 data 1 is included in frame 1. Further, the transmission source of frame 1 is defined by ECU-E01, the transmission destination is defined by ECU-E02, the data transmission medium is defined by bus B1, and the update cycle is defined by 100 milliseconds.

  Note that data A is application data because it is defined to be transmitted and received between applications. The F1 data 1 and F1 data 2 in the frame 1 are network data because they are defined to be transmitted and received between ECUs.

  Moreover, as another attribute of each component, for example, there is a usage relationship among each data, application, ECU, and communication bus. In the example of FIG. 5, since the data A is transmitted and received by the applications A01 and A02, the data A is used by the applications A01 and A02. Further, since the application A01 is executed by the ECU-E01, it is used by the ECU-E01. Further, since the application A02 is executed by the ECU-E02, it is used by the ECU-E02.

  Further, as another attribute of each component, for example, there is a correspondence relationship between application data and network data. In the example of FIG. 5, it is defined that the application data A is transmitted as F1 data 1 of the frame 1 in the bus B1, so that the data A and F1 data 1 are in a correspondence relationship.

  Further, as another attribute of each component, for example, there is a connection relationship between the ECU and the communication bus. In the example of FIG. 5, it is defined that the ECUs E01 and E02 are connected to the bus B1.

  This system design information is often used in the form of being created by the designer of the entire in-vehicle communication system 60 and handed to the designer of each ECU software in the in-vehicle communication system 60. Based on this system design information, each software designer uses the configuration tool 7 to design software executed in the ECU in charge of the software.

  FIG. 6 shows a functional configuration of the configuration tool 7 in a block diagram. By executing the configuration tool 7, the arithmetic circuit of the configuration code generation device 50 causes the user operation reception process 71, the configuration editing process 72, the file output process 73, the file input process 74, the configuration code generation process 75, and the verification process 76. Can be realized.

  In the user operation reception process 71, the arithmetic circuit realizes an operation according to the user's operation content with respect to the operation device of the configuration code generation device 50. Specifically, when an operation for editing system design information or the like is performed, execution of the configuration editing process 72 is started. When an operation for saving a file (ie, saving to a hard disk drive) is performed, execution of the file output process 73 is started. When an operation for loading a file such as system design information (ie, reading from the hard disk drive) is performed, execution of the file input process 74 is started. Further, when an operation for generating the configuration code is performed, the execution of the configuration code generation process 75 is started. Further, when an operation for performing verification is performed, execution of the verification process 76 is started.

  In the configuration editing process 72, the arithmetic circuit receives user operations such as new creation, addition, correction, and deletion of the contents of the system design information via the operation device, and generates system design information on the RAM according to the received operation. Or, the system design information on the RAM is changed. In the file output process 73, the arithmetic circuit records the created system design information, configuration code, and other data on the hard disk drive.

  In the file input process 74, the arithmetic circuit reads the system design information from a storage medium such as a hard disk drive to the RAM. In the configuration code generation process 75, the arithmetic circuit generates a configuration code from the system design information in the RAM. In the verification process 76, the arithmetic circuit verifies the error of the system design information in the RAM.

  In the file input process 74 and the configuration code generation process 75, execution of the verification process 76 may be called.

  Details of the verification process 76, the file input process 74, and the configuration code generation process 75 will be described below. FIG. 7 shows a flowchart of the verification process 76. In the verification process 76, the arithmetic circuit first performs error detection on the system design information in the RAM in step 761.

  Specifically, the arithmetic circuit detects an error in the system design information as one error item for each error, and records the error item in the RAM.

  Error detection is performed using one or more verification items recorded in advance in a ROM or hard disk drive. FIG. 8 shows an example of verification items. In this example, one verification item includes information on an item number for uniquely identifying the verification item, an item type indicating the type of the verification item, and detection conditions associated with the verification item.

  The detection condition is a condition for detecting an error, and is a condition for the attribute of the component in the system design information. In the example of FIG. 8, the condition that “the transmission cycle of application data is shorter than the transmission cycle of network data” is the detection condition. This condition is that if the target constituent elements are A and B, with respect to the attributes of the constituent elements A and B, “(1) The constituent element A is application data defined to be transmitted / received between applications, ( 2) The component B is network data defined to flow in the network, (3) the component A and the configuration degree B are in a corresponding relationship, and (4) the communication cycle of the component A is the configuration The rule is shorter than the communication cycle of element B.

  When this condition is satisfied, the network data corresponding to the application data cannot achieve the communication frequency requested by the application data. Therefore, in the system design information, there is a contradiction between the information defining the data A and the information defining the F1 data 1 (corresponding to an example of other information included in the system design information). .

  Examples of other verification items include inconsistencies between information in system design information, duplicated correspondence between application data and network data, ignoring restrictions on software PF, and violation of source code stipulations for output , Etc. As a contradiction between information in the system design information, for example, there is a contradiction that there is no network data corresponding to application data transmitted / received between two applications executed by different ECUs.

  The arithmetic circuit may change the verification item according to the operation content based on the user performing a predetermined change operation on the operation device.

In order to detect an error using a verification item, the arithmetic circuit performs the following processing for each verification item.
(1) Search for component elements satisfying the detection condition attached to the verification item from the system design information. (2) If there is a component (or a set of component elements) satisfying the detection result as a result of the search, the verification is performed. Detecting an item as an error item (3) By recording such a detected error item in the RAM, an error item is generated for each component (or component set) detected in the procedure (2). The

Here, the procedure (2) will be described in more detail by taking the verification item VD-1000 shown in FIG. 8 as an example. In the procedure (2), the arithmetic circuit executes the following steps.
(2-1) The processing from (2-2) onward is executed for each of all ECUs defined in the system design information.
(2-2) The processes after (2-3) are executed for each of all applications used by the ECU.
(2-3) The processes after (2-4) are executed for each of all application data transmitted by the application.
(2-4) When the application data is associated with the network data, the processing after (2-5) is executed.
(2-5) It is determined whether the transmission cycle specified for the application data is shorter than the transmission cycle specified for the frame including the network data. If the transmission cycle is short, the error item is generated.

  The error item generated in this procedure (2-5) includes the item number of the verification item, the type of the verification item, and error detection position information. The error detection position information is a configuration element (application data and network data in the example of FIG. 8) that is a target of a detection condition corresponding to an error item, or a configuration related to the configuration element in terms of usage relationship, correspondence relationship, etc. Information indicating an element. Specifically, the error detection position information includes the application, the application data, the ECU, the network data, and a frame including the network data.

  FIG. 9 illustrates a list of error items generated by such procedures (2-1) to (2-5). In this example, two error items for VD-1000 are included in the list.

  In step 762 following step 761, a filtering process is performed. In other words, the error ignore item list is read from the ROM or the hard disk drive, the error item that matches any of the read error ignore item lists is deleted from the error item list, and the error that does not match any of the read error ignore item lists Leave the item in the error item list.

  The error ignoring item list is a list having one or more items (that is, error ignoring items) that specify which error items are excluded from the error item list. The arithmetic circuit may be configured to change the content of the error ignoring item list according to the operation content based on the user performing a predetermined change operation on the operating device.

  FIG. 10 shows an example of the error ignoring item list. In this example, the error ignoring item list includes two error ignoring items. One is an error ignoring item for the verification item number VD-1000, and the other is for the verification item number VD-1001.

  Each error ignoring item may or may not include detection position information. The detection position information is information indicating the components to be excluded. The error ignoring item for the verification item number VD-1001 does not include the detection position. The exclusion process performed by the arithmetic circuit for such error-ignored items excludes error items that contain the same verification item number in the error-ignored item from the error item list and other error items as error Leave in item list.

  The error ignoring item for the verification item number VD-1000 includes a detection position called data B. Exclusion processing performed by the arithmetic circuit for such an error ignoring item is an error item including the same verification item number in the error ignoring item, and all the detection positions are included as error detection positions. The error item is excluded from the error item list, and other error items are left in the error item list.

  As in the above two examples, when the verification item detected as the error item matches the verification item recorded as the error ignoring item, the arithmetic circuit sets the error related to the error item as the error ignoring item. Suppose that it is a matching error.

  With this configuration, the configuration code generation device 50 can distinguish between exclusion and non-exclusion of detected errors for each verification item. Accordingly, verification items that the user of the software generation apparatus wants to ignore can be excluded, and verification items that the user does not want to ignore can be excluded.

  In the example of the latter (VD-1000), either the component (error detection position) that is the target of the verification item detected as the error item or the component (error detection position) related to the component. However, on the basis of matching with the component (detection position) recorded as the error ignoring item, the error relating to the error item is excluded from the error item list as the error matching the error ignoring item.

  With this configuration, the software generation apparatus can classify detection error exclusion / non-exclusion for each component of the system design information. Therefore, a software designer of a certain ECU should exclude errors regarding ECUs, data, etc. not related to his / her work, and exclude errors regarding components related to his / her work. be able to.

  If the content of the error ignoring item list is empty, the filtering process is not performed. After step 762, execution of verification process 76 ends. Such verification processing 76 detects an error in the system design information as an error item and records it on the storage medium. Among the detected errors, an error that matches any of the error ignoring items recorded on the storage medium, The error items are excluded from the target to be recorded in the error item list in the RAM, and those that do not match any of them are left as the target to be recorded in the error item.

  Next, details of the file input process 74 for reading the system design information in the hard disk drive into the RAM will be described. The arithmetic circuit executes the program shown in the flowchart in FIG. 11 in order to realize the file input process 74.

  In executing this program, first, in step 741, system design information is read from the hard disk drive to the RAM, and then in step 742, the above-described verification processing 76 is executed. As a result, an error item list for the system design information is generated.

  In step 744, it is determined whether or not the verification result in step 722 is “no error”, that is, whether or not the error item list is empty. If there is no error, the result is displayed in step 748. Execute the process.

  If “there is an error”, step 746 is subsequently executed, and the system design information read in step 741 is discarded from the RAM. This prohibits the creation of a configuration code from this system design information (at least until the system design information is again read from the hard disk drive to the RAM). After step 746, a result display process is subsequently executed in step 748.

  In order to implement the result display process, the arithmetic circuit executes a program 200 shown in the flowchart of FIG. In execution of the result display process 200, first, in step 210, it is determined whether or not the error ignoring item list in the RAM is empty, that is, whether or not the filtering process has been performed or not. Subsequently, in step 220, an error ignoring item list is displayed on the display, and then step 230 is executed. If it is empty, step 230 is executed without executing step 220. The fact that the error ignoring item list is empty means that the filtering process in step 762 described above has not been performed, and conversely that the error ignoring item list is not empty means that the filtering process has been performed. It means that.

  In step 230, the result (for example, error item list) of the verification process 76 performed immediately before is displayed on the display. Subsequently, in step 240, if the configuration code has already been generated, the generation result is displayed. When the result display process 200 is executed following the file input process 74, nothing is displayed on the display in step 240.

  Next, details of the configuration code generation process 75 for generating a configuration code based on the system design information in the RAM will be described. The arithmetic circuit executes the program shown by the flowchart in FIG. 13 in order to realize the configuration code generation process 75.

  In the execution of this program, first, in step 751, the above-described verification processing 76 is executed, and then in step 752, whether or not the verification result is “no error” in the same manner as in step 742 of the file input processing 74. If “no error”, step 753 is executed. If “error”, step 757 is followed to execute the result display process 200 described above.

  In step 753, it is determined whether or not the error ignoring item list is empty. If it is empty, then in step 756, code generation processing is executed. If it is determined that there is no error in step 752 and the error ignored item list is determined to be empty in subsequent step 753, it means that no error in system design information was detected in the verification process in step 751. It is. Therefore, in this case, there is no problem even if the configuration code is generated based on this system design information.

  In step 752, it is determined that “no error” and in step 753 it is determined that the error ignoring item list is not empty. This means that the error in the system design information is detected in the verification process in step 751. The error item for is possibly deleted from the error item list. In this case, in step 754, a predetermined display is performed on the display. The specified display may have ignored the error in the system design information, so the configuration code created based on this system design information is not covered by the warranty and agrees to that effect. It is a display for inquiring whether or not. This display is a notification that filtering has been performed and an inquiry for consent to generate the configuration code.

  Subsequently, in step 755, it waits for a response to this inquiry to the controller device, and if there is a response, it determines whether this response indicates consent or non-agreement. If the agreement is indicated, the configuration code generation process is executed in step 756. If the agreement is not indicated, the result is displayed in step 757 without performing the configuration code generation process. Process 200 is performed.

  As described above, when no error items remain as a result of filtering error items from the error item list, a notification that the filtering has been performed and an inquiry for consent to generate the configuration code are issued. , To the user (see step 754), and based on the fact that the user has given a response to the inquiry, the generation of the configuration code based on the system design information is permitted (see step 756). Generation of a configuration code based on system design information is prohibited based on the response of consent.

  By doing so, the user was confirmed that there was a possibility of ignoring the error in the system design information, and agreed to proceed with configuration code generation despite the error. Above, allow configuration code generation. Therefore, it is possible to make the user recognize that the generation work of the configuration code is to be performed at his / her own risk.

  Further, in order to realize the code generation processing in step 756, the arithmetic circuit executes the program 300 shown in the flowchart in FIG. In executing this program, first, in step 310, a header portion of the configuration code is generated. FIG. 15 illustrates a part of the configuration code. In the example of FIG. 15, the part generated in step 310 is the part 81 from the first line to the sixth line.

  Subsequently, in step 320, it is determined whether or not the error ignoring item list is empty, that is, whether or not filtering has been performed. If it is empty, a table portion is generated in step 350. The table portion is a main portion of the configuration code and includes a function for calling data exchanged with the target ECU. In the example of FIG. 15, the portion 84 corresponds to the table portion.

  When it is determined in step 320 that the error ignoring item list is not empty (that is, when it is determined that there is a possibility of ignoring the system design information error), and subsequently, in step 330, the filtering process is performed and output. Add a comment to the header stating that the configuration code is temporary. In the example of FIG. 15, the part added in step 330 corresponds to the part 82.

  As described above, when no error items remain as a result of the error exclusion, the software generation device includes a comment sentence indicating that the exclusion has been performed in part of the software source code. . In this way, when the user reads the contents of the source code, it can be confirmed that the source code may have been generated even though there is an error in the system design information.

  Subsequently, in step 340, a statement prohibiting creation of the product version is added to a position following the header portion. In the example of FIG. 15, the part added at step 340 corresponds to the part 83. The imperative sentence in this example is a preprocessor imperative sentence. Consider a case where a product version object code is generated using a configuration code including such a statement. In this case, at the time of compilation, the user adds an option for generating a product version object code, specifically, a PRPDUCT_BUILD option as a compile option.

  At this time, during execution of the preprocessor, an error message “Cannot be used in the product because it is a code generated in error suppression state” is output to the display by the statement in part 83 of FIG. 15, and then the compilation is stopped. Is done.

  As described above, when no error items remain as a result of the filtering process, the arithmetic circuit generates a part of the source code of the software that generates a statement that prohibits the creation of the product version of the software. Include in the configuration code as By doing so, even if a non-product version of the software can be generated using the configuration code, a product version of the software cannot be generated. Therefore, it is possible to reduce the possibility that the software generated based on the system design information including the error is mistakenly incorporated into the sales product.

  As described above, the configuration code generation device 50 records the detected error in the system design information as an error item (see step 761 in FIG. 7). If an error item is recorded, the configuration code generation device 50 is based on the system design information. Configuration code generation is prohibited (see steps 752 to 757 in FIG. 13 and steps 744 to 746 in FIG. 11), and generation of configuration codes based on the system design information is permitted if not recorded. (See step 752 → 756 in FIG. 13 and step 744 → 748 in FIG. 11). However, the configuration code generation device 50 excludes an error that matches any of the error ignoring items from the target to be recorded as the error item (see step 762 in FIG. 7). Therefore, regarding the predetermined error in the system design information, even if the error is detected, the software generation is not prohibited.

  Thus, in the technology for generating software from the system design information of the in-vehicle communication system, even if an error in the system design information is detected, subsequent software generation can be permitted depending on the content of the error.

  In the above embodiment, the configuration code generation device 50 corresponds to an example of a software generation device, the configuration tool 7 corresponds to an example of a program for the software generation device, and the RAM, ROM, and flash of the configuration code generation device 50 A memory, a hard disk drive, and the like correspond to an example of a storage medium. Further, the computer 7 functions as an example of a detection unit by executing step 761 of the verification process, and functions as an example of a filtering unit by executing step 762, and steps 752 to 756 of the configuration code generation process 75 are performed. Execution functions as an example of prohibition / permission means, and execution of steps 744 and 746 of the file input process 74 also functions as an example of prohibition / permission means.

It is a figure which shows the example of the state in which each of several ECU is connected to either or both of communication buses B1 and B2 in a vehicle. It is a figure which shows the hierarchical structure of the program group performed in each CPU. It is a figure which shows roughly the procedure which produces | generates the execution image of the program performed by each CPU. It is a figure which shows the method of the production | generation of a configuration code schematically. It is a figure which shows an example of the system design information 4 typically. 3 is a diagram illustrating a functional configuration of a configuration tool 7. FIG. It is a flowchart of the verification process 76. FIG. It is a figure which shows an example of a verification item. It is a figure which shows an example of an error item list. It is a figure which shows an example of an error disregarding item list. 10 is a flowchart of file input processing 74. 10 is a flowchart of a result display process 200. 10 is a flowchart of configuration code generation processing 75; 3 is a flowchart of a code generation process 300. It is a figure which shows an example of the configuration code produced | generated.

Explanation of symbols

1 ... software PF, 2 ... configuration code, 3 ... application,
4 ... System design information, 5 ... Project information, 7 ... Config tool,
8 ... Configuration code, 50 ... Configuration code generator,
60 ... In-vehicle communication system, 71 ... User operation acceptance process, 72 ... Config editing process,
73 ... File output process, 74 ... File input process,
75 ... Config code generation process, 76 ... Verification process, 200 ... Result display process,
300: Code generation processing, B1, B2: Bus, E01 to E03: ECU,
A01-A05 ... Application.

Claims (8)

Generating software executed in any of the in-vehicle communication systems composed of a plurality of ECUs that communicate with each other in the vehicle based on system design information indicating the design contents for the configuration and operation of the in-vehicle communication system A software generation device,
Detecting means for detecting an error in the system design information as an error item and recording it on a storage medium;
Among the errors detected by the detection means, those that match any of the error ignoring items recorded on the storage medium are excluded from the target to be recorded on the storage medium as the error item, and any of the error ignoring items is detected. Filter means for leaving those that do not match as the error items to be recorded in the storage medium,
When one or more error items remain as a result of the operation of the filter means, the generation of the software based on the system design information is prohibited, and when no error items remain, the system design A software generation apparatus comprising: prohibition / permission means for permitting generation of the software based on information. For each of one or more verification items recorded in advance in the storage medium, the detection unit searches the system design information for a component that satisfies the detection condition associated with the verification item, and if there is a component that satisfies the condition, Detecting a verification item as the error item,
The error ignoring item recorded in the storage medium indicates a verification item,
When the verification item detected as an error item matches the verification item recorded as an error ignoring item in the storage medium, the filtering unit matches an error related to the error item with the error ignoring item. The software generation apparatus according to claim 1, wherein the software generation apparatus is an error. For each of one or more verification items recorded in advance in the storage medium, the detection unit searches the system design information for a component that satisfies the detection condition associated with the verification item, and if there is a component that satisfies the condition, Detecting a verification item as the error item,
The error ignoring item recorded in the storage medium indicates a component in the in-vehicle communication system,
In the filtering unit, either the constituent element that is the target of the verification item detected as the error item or the constituent element related to the constituent element matches the constituent element recorded as the error ignoring item in the storage medium. 3. The software generation apparatus according to claim 1, wherein an error relating to the error item is an error that matches the error disregarding item. The prohibition / permission means, when there is no error item left as a result of the operation of the filtering means, notifies the user that the operation of the filtering means has been performed and consents to the generation of the software 4. The software generation based on the system design information is permitted based on the user's inquiry and a user's consent response to the inquiry. 5. Software generation device described in one. The prohibition / permission means, when there is no error item remaining as a result of the operation by the filtering means, a comment sentence indicating that the operation by the filtering means has been performed, in the source code of the software The software generation apparatus according to claim 1, wherein the software generation apparatus is included in a part of the software generation apparatus. The prohibition / permission means, when no error items remain as a result of the operation of the filtering means, a command statement prohibiting creation of the product version of the software is provided in the source code of the software The software generation apparatus according to claim 1, wherein the software generation apparatus is included in a part of the software generation apparatus. The error detected by the detection means is a contradiction between information defining communication data in the in-vehicle communication system in the system design information and other information included in the system design information. Item 7. The software generation device according to any one of Items 1 to 6. Generating software executed in any of the in-vehicle communication systems composed of a plurality of ECUs that communicate with each other in the vehicle based on system design information indicating the design contents for the configuration and operation of the in-vehicle communication system A program used for the software generation apparatus of
Detecting means for detecting an error in the system design information as an error item and recording it on a storage medium;
Among the errors detected by the detection means, those that match any of the error ignoring items recorded on the storage medium are excluded from the target to be recorded on the storage medium as the error item, and any of the error ignoring items is detected. Filter means for leaving a non-matching item as an error item to be recorded in the storage medium, and when one or more error items remain as a result of the operation by the filtering means, based on the system design information A program for causing a computer to function as prohibition / permission means for permitting the generation of software based on the system design information when generation of software is prohibited and no error items remain.

Images