
binja: crash when trying to get LLIL of a function that is not properly analyzed #2517

Open
xusheng6 opened this issue Dec 3, 2024 · 2 comments


xusheng6 commented Dec 3, 2024

While running capa on 2f7f5fb5de175e770d7eae87666f9831.elf_, I get this crash:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/Users/xusheng/capa/capa/main.py", line 1103, in <module>
    sys.exit(main())
             ^^^^^^
  File "/Users/xusheng/capa/capa/main.py", line 994, in main
    capabilities, counts = find_capabilities(rules, extractor, disable_progress=args.quiet)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/common.py", line 75, in find_capabilities
    return find_static_capabilities(ruleset, extractor, disable_progress=disable_progress, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 168, in find_static_capabilities
    function_matches, bb_matches, insn_matches, feature_count = find_code_capabilities(ruleset, extractor, f)
                                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 115, in find_code_capabilities
    features, bmatches, imatches = find_basic_block_capabilities(ruleset, extractor, fh, bb)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 71, in find_basic_block_capabilities
    ifeatures, imatches = find_instruction_capabilities(ruleset, extractor, f, bb, insn)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/xusheng/capa/capa/capabilities/static.py", line 38, in find_instruction_capabilities
    for feature, addr in itertools.chain(
  File "/Users/xusheng/capa/capa/features/extractors/binja/extractor.py", line 95, in extract_insn_features
    yield from capa.features.extractors.binja.insn.extract_features(fh, bbh, ih)
  File "/Users/xusheng/capa/capa/features/extractors/binja/insn.py", line 559, in extract_features
    for feature, ea in inst_handler(f, bbh, insn):
  File "/Users/xusheng/capa/capa/features/extractors/binja/insn.py", line 167, in extract_insn_bytes_features
    llil = func.get_llil_at(ih.address)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 1811, in get_llil_at
    return self.get_low_level_il_at(addr, arch)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 1791, in get_low_level_il_at
    llil = self.llil
           ^^^^^^^^^
  File "/Applications/Binary Ninja.app/Contents/Resources/python/binaryninja/function.py", line 987, in llil
    raise ILException(f"Low level IL was not loaded for {self!r}")
binaryninja.exceptions.ILException: Low level IL was not loaded for <func: x86_64@0x4a6290>

This crash happens because we are trying to access the IL instruction without making sure it exists in the first place. The function is quite complex and it times out on the default analysis time limit.

We might want to use get_llils_at instead, which will return an empty list in this case. See also Vector35/binaryninja-api#6205

What puzzles me is that we have not seen it before -- this crash should have been noticed long before.
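The guarded lookup below is an added example, not code from capa or the Binary Ninja API. It reproduces the failing access pattern from the traceback with a constructed stand-in Function (a function whose IL was never produced raises ILException from its `llil` property) and shows a replacement for the bare `func.get_llil_at(ih.address)` call that skips such instructions instead of aborting the run; the `get_llils_at` empty-list behaviour is modelled as the report describes it, not verified here.

```python
from typing import Any, List, Optional

try:
    from binaryninja.exceptions import ILException  # the real exception when Binary Ninja is installed
except ImportError:  # assumption: same-named shim so the example runs without Binary Ninja
    class ILException(Exception):
        pass


class StubFunction:
    """Constructed stand-in for a Binary Ninja Function (not the real class).

    il_loaded=False models a function whose analysis timed out, so the
    `llil` property raises exactly as in the reported traceback.
    """

    def __init__(self, start: int, il_loaded: bool, il_addrs=()):
        self.start = start
        self._il_loaded = il_loaded
        self._il_addrs = set(il_addrs)

    @property
    def llil(self):
        if not self._il_loaded:
            raise ILException(f"Low level IL was not loaded for <func: x86_64@{self.start:#x}>")
        return self._il_addrs

    def get_llil_at(self, addr: int):
        _ = self.llil  # same order as get_low_level_il_at in the traceback: `llil` is read first
        return ("llil", addr) if addr in self._il_addrs else None

    def get_llils_at(self, addr: int) -> list:
        # models the behaviour the report expects: empty list when no IL was produced
        if not self._il_loaded:
            return []
        return [("llil", addr)] if addr in self._il_addrs else []


def llil_at_or_none(func: Any, addr: int) -> Optional[Any]:
    """Guarded replacement for the bare func.get_llil_at(ih.address) call."""
    try:
        return func.get_llil_at(addr)
    except ILException:
        # IL was never produced for this function (e.g. analysis time limit hit):
        # report "no IL here" instead of taking down the whole capa run.
        return None


def addrs_with_llil(func: Any, addrs: List[int]) -> List[int]:
    """Walk instruction addresses as the extractor does, keeping those that have LLIL."""
    return [a for a in addrs if llil_at_or_none(func, a) is not None]
```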


xusheng6 commented Dec 3, 2024

Note this is related to but different from #2249. In #2249, the issue is that the function can be analyzed properly, but we are not tracking the total analysis time on it properly, and as a result it eventually exceeds the analysis time limit and bails out. In this new issue, the function is actually too complex to analyze and it exceeds the analysis time directly.
