Currently if a VM fails to load, we print a warning but continue booting the system regardless. However, the corresponding 'struct vm' is left in a potentially inconsistent state and there does not seem to be a mechanism that would prevent other VMs from interacting with it.
We should either consider panicking (and relying on A/B to recover) or handle this situation correctly.
(Migrated from b/144566104.)
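A sketch of the second option (handling the failure rather than panicking), added here as an illustration and not taken from the project's code: a VM that fails to load is put in an explicit failed state, and every inter-VM operation goes through one lookup that only returns fully loaded VMs. The `vm_state` enum, `load_image`, `vm_find_ready`, `vm_send` and this cut-down `struct vm` are all hypothetical names and layouts.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical types: not the project's real 'struct vm'. */
enum vm_state { VM_UNUSED, VM_LOADING, VM_READY, VM_FAILED };
struct vm { unsigned id; enum vm_state state; size_t image_size; };

#define MAX_VMS 3
static struct vm vms[MAX_VMS];
/* Constructed sample input: VM 1's image is treated as corrupt. */
const bool sample_corrupt[MAX_VMS] = { false, true, false };

/* Stand-in loader: writes some state, then fails if the image is corrupt. */
static bool load_image(struct vm *vm, bool corrupt)
{
	vm->image_size = 4096; /* partially initialised before the failure */
	return !corrupt;
}

/* Load every VM; a failure fences that VM off instead of leaving it half set up. */
size_t load_all(const bool *corrupt)
{
	size_t ready = 0;
	for (unsigned i = 0; i < MAX_VMS; i++) {
		struct vm *vm = &vms[i];
		vm->id = i;
		vm->state = VM_LOADING;
		if (load_image(vm, corrupt[i])) {
			vm->state = VM_READY;
			ready++;
		} else {
			fprintf(stderr, "vm %u failed to load; marking unavailable\n", i);
			vm->image_size = 0; /* discard partial state */
			vm->state = VM_FAILED;
		}
	}
	return ready;
}

/* Single lookup path for anything that lets one VM reach another. */
struct vm *vm_find_ready(unsigned id)
{
	return (id < MAX_VMS && vms[id].state == VM_READY) ? &vms[id] : NULL;
}

/* Example inter-VM operation: refuses endpoints that never finished loading. */
int vm_send(unsigned from, unsigned to)
{
	return (vm_find_ready(from) && vm_find_ready(to)) ? 0 : -1;
}
```

The gate only helps if no other code path reaches the VM table directly; any accessor that bypasses the state check reintroduces the problem described above.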