A method for operating a microcontroller, which includes a processor and a peripheral circuit on a common chip, the method including initiating a process in the peripheral circuit, in the peripheral circuit generating recovery data, executing the process, checking whether the process has been executed successfully and, in the event that the check reveals that the process has not been executed successfully, generating recovered data from the recovery data, and executing the process again.

A method, an apparatus, and a computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules. Results of the two or more redundant modules are received; reliabilities of the results are ascertained; and, based on the ascertained reliabilities, an overall result is determined from the results. The overall result is output for further processing.

A railway safety critical application system substitutes commercial off-the-shelf (COTS) hardware and/or software for railway-domain specific product components yet is validated to conform to railway safety critical system failure-free standards. The safety critical system uses a pair of tasks executed on a controller of a COTS personal computer or within a virtual environment with asymmetric communications capability. Both tasks receive and verify safety critical systems input message data and security code integrity and separately generate output data responsive to the input message. The first task has sole capability to send complete safety critical system output messages, but only the second task has the capability of generating the output security code. A failure of any of systems hardware, software or processing capability results failure to transmit a safety critical system output message or an output message that cannot be verified by other safety critical systems.

A system for code development and execution includes a client interface and a client processor. The client interface is configured to receive user code for execution and receive an indication of a server that will perform the execution. The client processor is configured to parse the user code to identify one or more data items referred to during the execution. The client processor is also configured to provide the server with an inquiry for metadata regarding the one or more data items, receive the metadata regarding the one or more data items, determine a logical plan based at least in part on the metadata regarding the one or more data items; and provide the logical plan to the server for execution.

An operating method of a vehicle watchdog circuit is provided. The method includes monitoring whether communication with a vehicle controller through a preset protocol is enabled and when a communication fault does not occur by monitoring whether communication is enabled, transmitting an error detection query to the vehicle controller every preset period. A response to the error detection query is received, and an operation of the vehicle controller is monitored, and upon determining that the operation of the vehicle controller is normal, a plurality of preset reset signals are sequentially transmitted to the vehicle controller.

Embodiments for automated testing of a virtualization management system are described. An example computer-implemented method for automated testing of a virtualization management system includes sending, by a test server, a test case to a plurality of instances of the system under test, the test case sent to each instance of the system under test via each interface from a plurality of interfaces supported by the system under test. The method further includes, for each instance of the system under test, performing multi-interface comparison. The comparison includes comparing, by the test server, responses to the test case from each of the interfaces. The method also includes in response to the responses from each of the interfaces being identical, storing the responses in an instance-response file corresponding to the instance. The method also includes reporting, by the test server, an error in response to the responses from each interface not being identical.

Embodiments for automated testing of a virtualization management system are described. An example computer-implemented method for automated testing of a virtualization management system includes sending, by a test server, a test case to a plurality of instances of the system under test, the test case sent to each instance of the system under test via each interface from a plurality of interfaces supported by the system under test. The method further includes, for each instance of the system under test, performing multi-interface comparison. The comparison includes comparing, by the test server, responses to the test case from each of the interfaces. The method also includes in response to the responses from each of the interfaces being identical, storing the responses in an instance-response file corresponding to the instance. The method also includes reporting, by the test server, an error in response to the responses from each interface not being identical.

An interrupt controller, and method of operation of such an interrupt controller, are provided. The interrupt controller has an interrupt source interface for receiving interrupts from one or more interrupt sources, and a plurality of output interfaces, where each output interface is associated with a processing device that can execute an interrupt service routine to process an interrupt request issued to that processing device. The interrupt source interface has transaction generation circuitry to generate, for each received interrupt, an original transaction to represent the interrupt and a duplicate transaction to represent the interrupt. Buffer circuitry then buffers the original transaction and the duplicate transaction for each received interrupt, and selection circuitry is provided for selecting transactions from the buffer circuitry, and for routing each selected transaction for receipt by the output interface identified by an address portion of the selected transaction. Each output interface has queue storage comprising a plurality of queue entries, where each queue entry is allocated to a transaction received by the output interface and is used to store interrupt identifying information provided by a data portion of the transaction. The queue storage is arranged to maintain duplication tracking information to identify when both the original transaction and its associated duplicate transaction have been received by the output interface. Each output interface inhibits issuing an output signal that would cause an interrupt request for the original transaction to be sent to the associated processing device, until the duplication tracking information identifies that both the original transaction and the associated duplicate transaction have been received by that output interface. This provides an efficient functional safety compliant design for an interrupt controller.

A computing device has access to a normal code execution environment and a suspect code execution environment. Suspect code data indicative of code that has been determined to be likely to cause a crash is accessed. Program code is executed using the normal code execution environment until suspect code as indicated in the suspect code data is encountered. Execution of suspect code takes place within the suspect code execution environment where a failure, if any, is contained. If the suspect code executing within the suspect code execution environment completes without failure, the resulting execution context is transferred to the normal code execution environment for continued processing. Otherwise, the suspect code is skipped and processing continues in the normal code execution environment. The code execution environments may be different cores of the same processor, different processors, or different devices.

Examples of the present disclosure relate to a method for anomaly response in a system on chip. The method comprises measuring a magnitude of a transient anomaly event in an operating condition of the system on chip. Based on the magnitude it is determined, for each of a plurality of components of the system on chip, an indication of susceptibility of that component to an anomaly event of the measured magnitude. Based on the determined indications of susceptibility for each of the plurality of components, an anomaly response action is determined. The method then comprises performing the anomaly response action.