Fix linux-sandbox actions being killed prematurely when using virtual threads

This change fixes a bug where linux-sandbox actions that take longer
than 30 seconds can be killed prematurely and cause the build to fail.

There are two things that contribute to this bug:

Part one:
When using virtual threads with the JavaSubprocessFactory, the process
is forked from the currently running virtual thread's carrier thread.
The virtual thread then waits for the subprocess to complete, which
causes the carrier thread to detach. If there is no other work for the
carrier thread to perform, it becomes idle. If it is idle for long
enough it can be killed by the ForkJoinPool it is a member of. The
default virtual thread scheduler in JDK 25 uses a ForkJoinPool with an
idle TTL of 30 seconds.

Part two:
The linux-sandbox process sends SIGKILL to the child process when its
parent dies. This is setup like so: `prctl(PR_SET_PDEATHSIG, SIGKILL)`.

These two things combined cause problems for Bazel builds if you:
 * Use the linux-sandbox strategy
 * Use virtual threads via --experimental_async_execution
 * Have an action which takes longer than 30 seconds to complete

If the Bazel server isn't very busy while that 30 second action is
running, the parent carrier thread can be killed due to inactivity,
which causes the linux-sandbox process to die, which causes the build to
fail.

This is only an issue if you're using virtual threads. When using
platform threads they directly wait on the subprocess to complete. The
thread is considered busy while waiting, which prevents it from being
killed.

This change fixes the issue by always forking from a long-lived platform
thread. That way there is no risk of the platform thread being killed
prematurely. The fix does so while still enabling the linux-sandbox
processes to be properly killed when the Bazel server is killed.

Author: jjudd

src/main/java/com/google/devtools/build/lib/shell/JavaSubprocessFactory.java

@@ -15,7 +15,9 @@
 package com.google.devtools.build.lib.shell;
 
 import com.google.common.base.Preconditions;
+import com.google.common.base.Throwables;
 import com.google.common.collect.Lists;
+import com.google.common.util.concurrent.Uninterruptibles;
 import com.google.devtools.build.lib.shell.SubprocessBuilder.StreamAction;
 import com.google.devtools.build.lib.util.OS;
 import com.google.devtools.build.lib.util.StringEncoding;
@@ -24,6 +26,10 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.lang.ProcessBuilder.Redirect;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.locks.ReentrantLock;
@@ -118,6 +124,17 @@ public long getProcessId() {
   public static final JavaSubprocessFactory INSTANCE = new JavaSubprocessFactory();
   private final ReentrantLock lock = new ReentrantLock();
 
+  // Subprocesses fork from this platform thread to ensure the subprocess's parent is long lived,
+  // which prevents actions from being killed erroneously. See the doc comment on
+  // {@link startOnPlatformThread} for more details.
+  private static final ExecutorService forkExecutor =
+      Executors.newSingleThreadExecutor(
+          r -> {
+            Thread t = new Thread(r, "subprocess-fork");
+            t.setDaemon(true);
+            return t;
+          });
+
   private JavaSubprocessFactory() {
     // We are a singleton
   }
@@ -143,7 +160,7 @@ private JavaSubprocessFactory() {
   private Process start(ProcessBuilder builder) throws IOException {
     lock.lock();
     try {
-      return builder.start();
+      return startOnPlatformThread(builder);
     } catch (IOException e) {
       if (e.getMessage().contains("Failed to exec spawn helper")) {
         // Detect permanent failures due to an upgrade of the underlying JDK version,
@@ -159,6 +176,31 @@ private Process start(ProcessBuilder builder) throws IOException {
     }
   }
 
+  /**
+   * Starts a subprocess by forking from a long-lived platform thread, which prevents the parent
+   * thread from being killed when using virtual threads.
+   *
+   * <p>A virtual thread forks from its carrier thread. The carrier thread is detached while the
+   * virtual thread waits for the forked process to complete. If there isn't other work for the
+   * carrier thread to do, then it is idle and can be killed due to inactivity. The parent carrier
+   * thread being killed causes the linux-sandbox to die because it self destructs when its parent
+   * dies.
+   *
+   * <p>The default virtual thread scheduler uses a {@link java.util.concurrent.ForkJoinPool} for
+   * its carrier threads with an idle TTL of 30 seconds. Without a long-lived platform thread as
+   * the parent, builds can fail unexpectedly when actions take longer than 30 seconds.
+   */
+  private Process startOnPlatformThread(ProcessBuilder builder) throws IOException {
+    Future<Process> future = forkExecutor.submit(builder::start);
+    try {
+      return Uninterruptibles.getUninterruptibly(future);
+    } catch (ExecutionException e) {
+      Throwables.throwIfInstanceOf(e.getCause(), IOException.class);
+      Throwables.throwIfUnchecked(e.getCause());
+      throw new IllegalStateException("Unexpected error starting subprocess", e.getCause());
+    }
+  }
+
   @Override
   public Subprocess create(SubprocessBuilder params) throws IOException {
     Preconditions.checkState(