sql: Fix pretty/display round-trip bugs found by fuzzing (#36983)

Print→reparse round-trip bugs in the SQL parser and pretty-printer,
surfaced by the grammar-aware fuzz target. Each fix has a regression
test; the sqllogictest/testdrive plan goldens are refreshed to match.

Themes: quoting bare keyword identifiers (any/all/some/list,
context-sensitive keywords), parenthesizing low-precedence operands
(prefix ops, casts, COLLATE, quantified comparisons), special-form
display correctness (EXTRACT/POSITION/SUBSCRIBE), and bounding parser
recursion/backtracking to reject pathological inputs.

Found by the cargo-fuzz suite ([separate infra
PR](#36982)).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: def-

Cargo.lock

@@ -1197,6 +1197,14 @@ impl HumanizerMode for HumanizedExplain {
     fn humanize_ident(col: usize, ident: Ident, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         if ident.as_str() == UNKNOWN_COLUMN_NAME {
             write!(f, "#{col}")
+        } else if ident.has_only_bare_chars() {
+            // The leading `#c` already disambiguates the column, and EXPLAIN
+            // output is never reparsed, so a keyword-named column (`any`,
+            // `all`, …) needs no quoting here — unlike in SQL display. Print
+            // the name bare for legibility; only fall back to the quoting
+            // `Ident` display for names with awkward characters (whitespace,
+            // braces, quotes) that would otherwise muddle the `{…}` annotation.
+            write!(f, "#{col}{{{}}}", ident.as_str())
         } else {
             write!(f, "#{col}{{{ident}}}")
         }

src/expr/src/explain/text.rs

@@ -74,6 +74,19 @@ impl Keyword {
         )
     }
 
+    /// Reports whether this keyword begins a query body (`SELECT`, `VALUES`,
+    /// `TABLE …`, etc.).
+    ///
+    /// When `AstDisplay` parenthesizes an expression (e.g. to disambiguate a
+    /// field access like `(expr).f`) and that expression's leading token is a
+    /// bare identifier with one of these names, the re-parser treats the
+    /// parentheses as a subquery and the identifier as its leading clause
+    /// (e.g. `(table & x)` parses as a `TABLE`-query). Such identifiers must be
+    /// quoted to round-trip. `SELECT`/`WITH` are already `is_always_reserved`.
+    pub fn begins_query_body(self) -> bool {
+        matches!(self, WITH | SELECT | VALUES | SHOW | TABLE)
+    }
+
     /// Reports whether this keyword requires quoting when used in scalar expressions.
     ///
     /// These are the keywords `Parser::parse_prefix` won't parse as an identifier.
@@ -140,6 +153,33 @@ impl Keyword {
             || self.is_reserved_in_column_alias()
             || self.is_reserved_in_scalar_expression()
     }
+
+    /// Reports whether a keyword has a special parser-dispatch form (e.g.
+    /// `POSITION(expr IN expr)`, `MAP[K => V]`) such that an unquoted
+    /// occurrence in expression position triggers the special grammar
+    /// rather than parsing as a plain identifier. The parser itself
+    /// disambiguates by looking at the next token, but `AstDisplay` has no
+    /// such context — so when emitting an `Ident` whose name matches one
+    /// of these, we force quoting to keep the round trip stable.
+    pub fn is_context_sensitive_keyword(self) -> bool {
+        matches!(
+            self,
+            ALL | ANY
+                | COALESCE
+                | EXISTS
+                | EXTRACT
+                | GREATEST
+                | LEAST
+                | MAP
+                | NORMALIZE
+                | NULLIF
+                | POSITION
+                | ROW
+                | SOME
+                | SUBSTRING
+                | TRIM
+        )
+    }
 }
 
 impl FromStr for Keyword {

src/sql-lexer/src/keywords.rs

@@ -429,7 +429,7 @@ impl AstDisplay for CsrSeedProtobufSchema {
         f.write_str("SCHEMA '");
         f.write_str(&display::escape_single_quote_string(&self.schema));
         f.write_str("' MESSAGE '");
-        f.write_str(&self.message_name);
+        f.write_str(&display::escape_single_quote_string(&self.message_name));
         f.write_str("'");
     }
 }