defaultarch: handle caller-set return addresses when inlining calls

[appleflyerv3]

detect registers that are set to the caller's next addr before a call is inlined, and therefore treat the jumps to those regs in the callee IL as returns to the call label.

[CLAassistant]

All committers have signed the CLA.

[appleflyerv3]

This fix allows Binary Ninja to recognize during function inlining when an inlined function returns by jumping to a register that was set to the caller’s fallthrough address. (lifted via LLIL_JUMP)

For example, this is used by RISC-V LLVM outlined functions such as jal t0, OUTLINED_FUNCTION_*, followed by jr t0 within OUTLINED_FUNCTION_*, where jr t0 is lifted as LLIL_JUMP(t0).
For binaries using this pattern, this allows OUTLINED_FUNCTION_* helpers, which are typically used as stack prologue/epilogue helpers, to be inlined correctly so the caller’s stack state is recovered.

Example:

sub_function:
    jal t0, OUTLINED_FUNCTION_1
    ...
    jal t0, OUTLINED_FUNCTION_2

OUTLINED_FUNCTION_1:
    addi sp, sp, -0x10
    sw   ra, 0xc(sp)
    sw   s0, 0x8(sp)
    sw   s1, 0x4(sp)
    sw   s2, 0x0(sp)
    jr   t0

OUTLINED_FUNCTION_2:
    lw   ra, 0xc(sp)
    lw   s0, 0x8(sp)
    lw   s1, 0x4(sp)
    lw   s2, 0x0(sp)
    addi sp, sp, 0x10
    jr   t0