res_pjsip_session.c: Fix crash on call disconnect.

The crash fix for ASTERISK-25183 backported some code from master to try
to make sure that a BYE response is processed by the same serializer used
by the BYE request.  The identified race condition causing that backport
was the BYE request code had not finished processing after sending the BYE
before the BYE response came in for processing under a different thread.
Unfortunately, there is still a race condition.  Now the race condition is
between destroying the call session's serializer in
ast_taskprocessor_unreference() and using ast_taskprocessor_get() to get a
reference to the serializer for a BYE response.  Even worse, the new race
condition is a design limitation of the taskprocessor implementation that
didn't matter in versions before v12.  Back then, taskprocessors were only
destroyed when a module unloaded.  Now res_pjsip can destroy them when a
call ends.

However, as noted on the ASTERISK-25183 commit,
session_inv_on_state_changed() is disassociating the dialog from the
session when the invite dialog state becomes PJSIP_INV_STATE_DISCONNECTED.
This is a tad too soon because our BYE request transaction has not
completed yet.

* Split session_end() that is called by session_inv_on_state_changed() to
hold off session destruction until the BYE transaction timeout occurs or a
failed initial INVITE transaction timeout occurs in
session_inv_on_tsx_state_changed().

ASTERISK-25201 #close
Reported by: Matt Jordan

Change-Id: Iaf8dc8485fd8392a2a3ee4ad3b7f7f04a0dcc961