init: fix crash when reboot is triggered by a builtin

Builtin commands may set the sys.powerctl property, which causes
reboot to be immediately processed.  Unfortunately, part of the reboot
processing involves clearing the action queue, so when this scenario
happens, ActionManager::ExecuteOneCommand() can abort due to its state
being unexpectedly changed.

Longer term, the real fix here is to split init and property service.
In this case, the property sets will be sent to property service and
the reboot will only be processed once property service responds back
to init that the property has been set.  Since that will not happen
within the action queue, there will be no risk of failure.

Short term, this change sets a flag in init to shutdown the device
before the next action is run, which defers the shutdown enough to fix
the crash, but continues to prevent any further commands from running.

Bug: 65374456
Test: force bullhead into the repro case and observe that it no longer
      repros

Merged-In: I89c73dad8d7912a845d694b095cab061b8dcc05e
Change-Id: I89c73dad8d7912a845d694b095cab061b8dcc05e
(cherry picked from commit 3633a401)