The Binaryninja backend doesn't mark indirect calls correctly

[ayrtonm]

For some reason binaryninja doesn't mark indirect calls (blx on arm32 or callq on x64) as indirect branches so all tests are failing with this backend. I'm not sure if this is a bug or the expected behavior, but it's the same in both is_indirect_branch_default_impl in src/binaryninja_backend.cpp and the python equivalent of that function.

It'd be good to make a list of instructions that binaryninja marks as indirect branches to know what to expect in the results and add calls to that list if possible. Binaryninja does mark jmp *%rax, ldr pc ... and other indirect jumps correctly though, so a temporary workaround might be to use a custom backend to catch the instructions that binaryninja misses. This would require a slight changes to the Makefile to allow custom backends to have reverse dependencies (i.e. allow dynamically loaded code to call is_indirect_branch_default_impl).

[ayrtonm]

To work around this, the custom backend demo now uses the built-in backend as a fallback option. So to resolve indirect calls in addition to the jumps that binaryninja finds, build with the binja backend (i.e. make BACKEND=binja ...) then build the custom backend demo with make demo and pass libdemo.so as the second arg to the QEMU plugin.