See D20249. Previously, see D20067. Currently, we render each query twice: one "masked" version (with passwords replaced with "****") and one "unmasked" version. In theory, we can improve performance here by only rendering once about 99% of the time, since very few queries have passwords/keys/session tokens / etc in them.

In practice, it's a bit tricky to figure out if the masked and unmasked versions will differ or not. This appears to be the most reasonable way to do it quickly. I set things up so that if we get it wrong we fail relatively safe (executing the masked query, which will have a syntax error and fail, instead of rendering the unmasked query).

• Locally, XHProf shows 20ms -> 12ms in PhutilQueryString::__construct() on a random revision page.
• Call count for xsprintf_query() falls from ~3,800 to ~2,000.

I'll try to gather a bit more evidence for this since I'm not totally confident in XHProf for this kind of micro-optimization, as it tends to overestimate the cost of function calls.