
Optimize away unneeded export trampolines

Open ahomescu opened this issue 7 years ago • 0 comments

Due to a variety of restrictions on function pointers (COPY relocations, C function pointer equality), we currently add export trampolines to all functions in a binary. This has both a performance cost and security implications.

Some of these trampolines could be removed, if we could determine that their addresses never get taken as pointers. If a function is only ever called directly from inside the binary using a CALL/JMP instruction, we can just patch the instruction directly if we have a relocation for it. However, we can't determine if that is the case just by looking at the relocation itself (PC32 and PLT32 relocations are used for both branches and addressing instructions like LEA). Checking the byte before the relocation for a branch opcode (E8 or E9) is not sufficient, since that byte could represent the instruction opcode or its MRM or SIB bytes. We may need to fully disassemble each function to locate all its direct internal branches which can bypass the trampolines.

ahomescu, Apr 18 '17 21:04
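To make the ambiguity concrete, here is a small added example (not selfrando code and not part of the issue) contrasting the rejected shortcut, "is the byte before the relocated field E8 or E9?", with decoding from a known instruction boundary. The decoder covers only a hand-picked subset of x86-64 encodings (prefixes, REX, CALL/JMP/Jcc rel32, short jumps, push/pop, mov reg,imm, and the common ModRM-based opcodes); the sample function bytes, the relocation offsets, and the names `classify_reloc` and `naive_is_branch` are constructed for this illustration. It also goes slightly beyond the text by showing the other direction of failure, a Jcc rel32 (`0F 8x`) that the E8/E9 check misses, and it is only as good as its opcode table: anything outside that table is reported as undecoded rather than guessed, which is why the issue says a full disassembler is needed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum reloc_kind { RELOC_DIRECT_BRANCH, RELOC_ADDRESSING, RELOC_UNDECODED };

struct insn {
    size_t len;          /* total length; 0 means "outside the supported subset" */
    bool   direct_branch;/* CALL rel32, JMP rel32 or Jcc rel32 */
    int    rel32_off;    /* offset within the insn of its rel32/disp32 field, -1 if none */
};

/* One-byte opcodes (subset) that are followed by a ModRM byte. */
static bool has_modrm(uint8_t op) {
    switch (op) {
    case 0x01: case 0x03: case 0x09: case 0x0B: case 0x21: case 0x23:
    case 0x29: case 0x2B: case 0x31: case 0x33: case 0x39: case 0x3B:
    case 0x63: case 0x69: case 0x6B: case 0x80: case 0x81: case 0x83:
    case 0x85: case 0x87: case 0x89: case 0x8B: case 0x8D: case 0xC6:
    case 0xC7: case 0xFF:
        return true;
    default:
        return false;
    }
}

/* Immediate bytes that follow the ModRM/SIB/displacement for those opcodes. */
static size_t imm_size(uint8_t op) {
    switch (op) {
    case 0x6B: case 0x80: case 0x83: case 0xC6: return 1;
    case 0x69: case 0x81: case 0xC7:            return 4;
    default:                                    return 0;
    }
}

/* Decode ModRM (+SIB, +displacement) at p[i]. Returns the index just past them,
   or 0 if the buffer ends early. Records where a 32-bit displacement lives: that
   field is where a PC32 relocation on LEA/MOV-style addressing is applied. */
static size_t decode_modrm(const uint8_t *p, size_t i, size_t avail, int *disp32_off) {
    if (i >= avail) return 0;
    uint8_t modrm = p[i++];
    unsigned mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return i;                                  /* register operand */
    if (rm == 4) {                                           /* SIB byte follows */
        if (i >= avail) return 0;
        uint8_t sib = p[i++];
        if (mod == 0 && (sib & 7) == 5) { *disp32_off = (int)i; return i + 4; } /* [index*s+disp32] */
    } else if (mod == 0 && rm == 5) {                        /* [rip+disp32] */
        *disp32_off = (int)i; return i + 4;
    }
    if (mod == 1) return i + 1;                              /* disp8 */
    if (mod == 2) { *disp32_off = (int)i; return i + 4; }    /* [base(+index)+disp32] */
    return i;
}

/* Decode one instruction from a known boundary. Only the subset above is handled. */
static struct insn decode_insn(const uint8_t *p, size_t avail) {
    struct insn in = { 0, false, -1 };
    size_t i = 0, end = 0;
    bool rexw = false;
    while (i < avail && (p[i] == 0x66 || p[i] == 0xF2 || p[i] == 0xF3)) i++;   /* legacy prefixes */
    if (i < avail && (p[i] & 0xF0) == 0x40) { rexw = (p[i] & 8) != 0; i++; }  /* REX */
    if (i >= avail) return in;
    uint8_t op = p[i++];

    if (op == 0x0F) {                                         /* two-byte opcode map */
        if (i >= avail) return in;
        op = p[i++];
        if ((op & 0xF0) == 0x80) { in.direct_branch = true; in.rel32_off = (int)i; end = i + 4; } /* Jcc rel32 */
        else if (op == 0x1F || op == 0xAF) end = decode_modrm(p, i, avail, &in.rel32_off);       /* nop Ev, imul */
        else return in;
    } else if (op == 0xE8 || op == 0xE9) {                    /* CALL rel32 / JMP rel32 */
        in.direct_branch = true; in.rel32_off = (int)i; end = i + 4;
    } else if (op == 0xEB || (op & 0xF0) == 0x70) {           /* JMP rel8 / Jcc rel8 */
        end = i + 1;
    } else if (op == 0xC3 || op == 0x90 || (op & 0xF0) == 0x50) { /* ret, nop, push/pop */
        end = i;
    } else if ((op & 0xF8) == 0xB8) {                         /* mov reg, imm32/imm64 */
        end = i + (rexw ? 8 : 4);
    } else if (has_modrm(op)) {
        end = decode_modrm(p, i, avail, &in.rel32_off);
        if (end) end += imm_size(op);
    } else {
        return in;
    }
    if (end == 0 || end > avail) return in;
    in.len = end;
    return in;
}

/* Linear sweep from the function start so every boundary is known, then report
   what the relocation at reloc_off actually patches. */
static enum reloc_kind classify_reloc(const uint8_t *code, size_t len, size_t reloc_off) {
    for (size_t off = 0; off < len;) {
        struct insn in = decode_insn(code + off, len - off);
        if (in.len == 0) return RELOC_UNDECODED;              /* opcode outside our subset: refuse to guess */
        if (in.rel32_off >= 0 && off + (size_t)in.rel32_off == reloc_off)
            return in.direct_branch ? RELOC_DIRECT_BRANCH : RELOC_ADDRESSING;
        if (reloc_off < off + in.len) return RELOC_UNDECODED; /* inside this insn but not its rel32/disp32 */
        off += in.len;
    }
    return RELOC_UNDECODED;
}

/* The shortcut the issue rejects: look only at the byte before the field. */
static bool naive_is_branch(const uint8_t *code, size_t reloc_off) {
    return reloc_off > 0 && (code[reloc_off - 1] == 0xE8 || code[reloc_off - 1] == 0xE9);
}

/* Constructed sample function; displacements/rel32 fields are zero, as they
   would be before the relocations are applied. */
static const uint8_t sample_fn[] = {
    0x55,                                   /*  0: push rbp */
    0x48, 0x89, 0xE5,                       /*  1: mov rbp, rsp */
    0x48, 0x8D, 0x05, 0, 0, 0, 0,           /*  4: lea rax, [rip+disp32]        disp32 at 7  */
    0x8B, 0x84, 0xE8, 0, 0, 0, 0,           /* 11: mov eax, [rax+rbp*8+disp32]  disp32 at 14, SIB byte is 0xE8 */
    0xE8, 0, 0, 0, 0,                       /* 18: call rel32                   rel32 at 19  */
    0x0F, 0x85, 0, 0, 0, 0,                 /* 23: jne rel32                    rel32 at 25  */
    0x5D,                                   /* 29: pop rbp */
    0xC3,                                   /* 30: ret */
};

int main(void) {
    static const char *names[] = { "direct branch", "addressing", "undecoded" };
    size_t relocs[] = { 7, 14, 19, 25 };
    for (size_t k = 0; k < sizeof relocs / sizeof relocs[0]; k++) {
        size_t r = relocs[k];
        printf("reloc @%2zu: byte-before=%02X naive=%-5s decoded=%s\n", r, sample_fn[r - 1],
               naive_is_branch(sample_fn, r) ? "yes" : "no",
               names[classify_reloc(sample_fn, sizeof sample_fn, r)]);
    }
    return 0;
}
```

The relocation at offset 14 is the case the issue describes: the preceding byte is 0xE8, but it is a SIB byte of a MOV, so the naive check would treat an address-taking instruction as a direct call and drop a trampoline that is actually needed. The relocation at 25 shows the opposite miss: a conditional branch whose field is preceded by 0x85, which the E8/E9 check never recognises as a branch.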