Safe Browsing has a canonicalization step. Given a URL the Safe Browsing implementation calculates several hashes, each of which is checked. They're basically cutting the URL up into gradually less specific URLs, so e.g. maybe the site malware.example.com is a friendly site discussing Malware, no harm there, but https://malware.example.com/samples/ is entirely full of sample malware, don't want that, so when you try to go to https://malware.example.com/samples/windowsmacker.exe the browser hashes not only malware.example.com but also malware.example.com/samples and malware.example.com/windowsmacker.exe
This lets Google flag the actual problem, without freaking out for users who aren't in harms way. Millions of users visiting the discussion site see nothing, but everybody directed to an actual malware installer gets a warning.
So a "prefix" operation happens in the code twice, once in processing the SHA-256 hash to get a 32-bit prefix which is all Google / TenCent are ever shown but also before that during canonicalisation to figure out a list of hashes (not a single hash) for each URL visited.
This lets Google flag the actual problem, without freaking out for users who aren't in harms way. Millions of users visiting the discussion site see nothing, but everybody directed to an actual malware installer gets a warning.
So a "prefix" operation happens in the code twice, once in processing the SHA-256 hash to get a 32-bit prefix which is all Google / TenCent are ever shown but also before that during canonicalisation to figure out a list of hashes (not a single hash) for each URL visited.