Add graceful degradation for large SQL queries

[kkm-horikawa]

Description

Add graceful degradation for SQL queries that exceed sqlparse's token limits, preventing crashes in the SQL panel.

Problem:
When SQL queries contain thousands of parameters (e.g., UUIDs in IN clauses), the SQL panel crashes with SQLParseError (sqlparse >= 0.5.5).

Solution:
Catch SQLParseError and retry formatting with grouping disabled. This approach:

• Handles the crash automatically without requiring configuration
• Eliminates the need for a new setting like SQL_PRETTIFY_MAX_LENGTH

Out of scope: The freezing behavior with older sqlparse versions (< 0.5.5) is a pre-existing issue and not addressed in this PR.

Before (debug-toolbar 5.2 + sqlparse 0.5.3) - page freezes (out of scope):

Before (debug-toolbar 6.1 + sqlparse 0.5.5) - SQLParseError:

After (this PR):

Reproduction project: https://github.com/kkm-horikawa/debug-toolbar-perf-issue

Fixes #2293

Checklist:

• I have added the relevant tests for this change.
• I have added an item to the Pending section of docs/changes.rst.

[tim-schilling]

Let's split the error handling of SQLParseError out of this PR, into its own.

[kkm-horikawa]

Thanks for the feedback! I've removed the SQLParseError handling from this PR.

This PR now focuses solely on the SQL_PRETTIFY_MAX_LENGTH setting (proactive length check).

I'll create a separate PR for SQLParseError handling after this one is merged. Does this approach work for you?

[tim-schilling]

Thank you for suggesting this. However, I think we have too many utility functions for rendering the SQL at this point. A change will need to review more of the whole process and identify why it's appropriate compared to other options. For example, I think there may be something achievable by modifying parse_sql and/or using SQLParse's FilterStack API. Let me know what you think please.

[tim-schilling]

I feel like this should be integrated into the sqlparse logic in get_filter_stack(). Have you looked into that at all to see if we can do something with FilterStack?

[kkm-horikawa]

Done. I've integrated the length check directly into parse_sql instead.

[tim-schilling]

Please avoid importing things within functions.

[kkm-horikawa]

Fixed. Moved the import to the top of the file.

[tim-schilling]

We may want to convert this all to a template and use render_to_string() so that it's easier to use the intcomma template filter. This would better handle internationalization of using commas versus periods.

[kkm-horikawa]

I've removed the message display for now to keep the change minimal. If a notice is desired, I can add it using a template as you suggested - see my comment above for details.

[tim-schilling]

Suggested change

	"SQL_PRETTIFY_MAX_LENGTH": 50000, # Skip formatting for SQL longer than this
	"PRETTIFY_SQL_MAX_LENGTH": 10000, # Skip formatting for SQL longer than this

Let's rename this to better match the other setting. Let's also use the default SQLParse max value from https://sqlparse.readthedocs.io/en/latest/api.html#security-and-performance-considerations.

[kkm-horikawa]

Done.

[kkm-horikawa]

Thank you for the feedback. You're right that adding a separate utility function is unnecessary.

I've refactored to integrate the length check directly into parse_sql. I've also renamed the setting to PRETTIFY_SQL_MAX_LENGTH with a default of 10000 to match sqlparse's MAX_GROUPING_TOKENS.

The current implementation doesn't show a message when formatting is skipped - it just returns the escaped SQL. I made this choice to avoid adding new files or functions for this specific case, keeping the change minimal. However, if you'd prefer to have a notice displayed to users, I can add that using a template with render_to_string() and intcomma as you suggested. What do you think?

[tim-schilling]

I'm not sure this is right. This would limit sql queries to a string length of 10,000 characters. I was under the impression we were trying to improve performance when the query has more than 10,000 tokens. I believe that's not the same thing as a query with a string length of 10,000 characters.

And if we're removing the formatting in this case, it would make sense to avoid calling stack.enable_grouping() in that case.

[tim-schilling]

I believe catching the error explicitly does what you're after:

@lru_cache(maxsize=128)
def parse_sql(sql, *, simplify=False):
    stack = get_filter_stack(simplify=simplify)
    try:
        return "".join(stack.run(sql))
    except SQLParseError:
        # The query either exceeds the number of tokens or depth of tokens.
        # Recreate the FilterStack and explicitly disable the grouping to avoid
        # those errors.
        stack = get_filter_stack(simplify=simplify)
        stack._grouping = False
        return "".join(stack.run(sql))

[kkm-horikawa]

Thank you for the review!

Your suggested approach of catching SQLParseError is much better. It handles the issue only when it actually occurs,
and eliminates the need for a new configuration setting.

I'll update the implementation in this direction. Thank you for your patience and continued guidance through multiple
reviews!

[kkm-horikawa]

Done. Thank you for the review!

I've updated the implementation to catch SQLParseError as you suggested. This approach also eliminates the need for
the PRETTIFY_SQL_MAX_LENGTH setting.

This PR focuses on handling the SQLParseError crash introduced in sqlparse >= 0.5.5. The freezing behavior with older
versions (< 0.5.5) is pre-existing and considered out of scope for this PR.

I've also updated the PR description to reflect these changes.

Thank you for your patience and continued guidance through multiple reviews!

[tim-schilling]

@kkm-horikawa please review the LLM output more thoroughly in the future. For some reason, LLMs love to generate inline import statements. We try to avoid that practice in this project.

[github-actions]

Coverage report

Click to see where and how coverage changed

File	Statements	Missing	Coverage	Coverage (new stmts)	Lines missing
debug_toolbar/panels/sql
utils.py
Project Total

This report was generated by python-coverage-comment-action

[tim-schilling]

Give the side_effect attribute a look and then the call_count attribute. We can reuse some standard library tools to avoid rebuilding the wheel 😁

[tim-schilling]

If you get stuck, let me know. I purposefully didn't write out the code, but I'm happy to include that if you're just wanting this PR to wrap up quickly.

[tim-schilling]

I'd like to see the test improved a bit more before we merge this. Thank you for continuing to iterate on this!

[tim-schilling]

@kkm-horikawa can you merge your changes in from your other PR when you have time please?