Hi Hao Peng,
I can see how this might seem magical or circular, but I think it's not.
In the setup for the safety argument (the first paragraph of 5.4.3, above #1), we defined U as the smallest term greater than T whose leader (leaderU) does not store the committed log entry. So we can say that the leaders of T+1, T+2, ..., U-1 (if those terms exist), did store the committed log entry by assumption or, more clearly, by the definition of U.
By paragraph 7, we know "the voter" stored the committed entry from term T when it voted for leaderU, and we're in the case that leaderU's last log term is greater than the voter's. Well, one of those earlier leaders (T+1, T+2, ..., U-1) had to have created leaderU's last log entry, but then since they had the committed entry from term T, they would have had to replicate that entry in the log preceding that last log entry. So then leaderU would also contain the committed log entry. That contradicts the definition of U, which said that leaderU does not have that entry, and that contradiction is what we were trying to show.
Hope this helps,
Diego