openssl/openssl

Probably harmless UB in aes_x86core.c

Open

#31117 opened on May 8, 2026

Labels: help wanted, triaged: bug

Description

The use of the `Te1`, `Te2`, and `Te3` macros, for example at line 676, potentially invokes UB. For example, consider `Te1[(s1 >> 8) & 0xff]`. For the sake of argument, assume that `(s1 >> 8) & 0xff` resolves to 255. In that case, the macro expands to `(u32)((u64 *)((u8 *)Te + 3))[255]`. The `Te` array contains 255 `u64` values. Thus, this part of the expression, `((u64 *)((u8 *)Te + 3))[255]`, loads a `u64` value from that array, the top 3 bytes of which are from off the end of the array, which is definitely UB. Of course, then it is cast to `u32` and those four bytes are discarded, which is why the UB is in practice harmless. In fact, the compiler probably creates assembly that only loads the lower 4 bytes anyways, which is why this has never caused a crash if, for example, the `Te` array was at the very end of a page and the next page didn't have read permissions set or was otherwise invalid. Still, it might be worthwhile cleaning it up into a `memcpy` or at least a 32-bit load, just in case the compiler ever gets sufficiently clever to start assuming that the bytes of `s1` are always <= 254.
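An added example, not part of the issue and not OpenSSL's code: it works out how far an 8-byte load at byte offset 3 reaches past the last entry of a table indexed in 8-byte strides, and shows a 4-byte `memcpy` load that reads the same value while staying in bounds. The table `tbl`, its size `N_ENTRIES`, its contents and all function names are constructed for the demonstration; a little-endian target is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_ENTRIES 4 /* constructed size for the demo, not the real table's */

/* Constructed stand-in for Te: each 64-bit entry is a 32-bit word stored twice. */
static const uint64_t tbl[N_ENTRIES] = {
    0xa56363c6a56363c6ULL, 0x847c7cf8847c7cf8ULL,
    0x997777ee997777eeULL, 0x8d7b7bf68d7b7bf6ULL,
};

/* How many bytes past the end of tbl a `width`-byte load touches when it
 * starts at byte offset `off` and is indexed in 8-byte strides by `i`. */
size_t overrun_bytes(size_t off, size_t i, size_t width)
{
    size_t end = off + 8 * i + width;
    return end > sizeof(tbl) ? end - sizeof(tbl) : 0;
}

/* What the macro form computes: load 8 bytes, keep the low 32 bits.
 * Call only where overrun_bytes(off, i, 8) == 0. */
uint32_t wide_then_truncate(size_t off, size_t i)
{
    uint64_t v;
    memcpy(&v, (const unsigned char *)tbl + off + 8 * i, sizeof v);
    return (uint32_t)v;
}

/* Replacement in the spirit of the issue's suggestion: copy only the 4 bytes
 * that are used. Same result on little-endian targets, never out of bounds. */
uint32_t load32_at(size_t off, size_t i)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)tbl + off + 8 * i, sizeof v);
    return v;
}

int main(void)
{
    size_t last = N_ENTRIES - 1;
    printf("8-byte load, offset 3, last index: %zu bytes past the end\n",
           overrun_bytes(3, last, 8));
    printf("4-byte load, offset 3, last index: %zu bytes past the end\n",
           overrun_bytes(3, last, 4));
    printf("4-byte load reads 0x%08x\n", (unsigned)load32_at(3, last));
    return 0;
}
```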
