In three separate discussions on the Python mailing lists this month, people have objected to some design because it leaks something into the enclosing scope. But "leaks into the enclosing scope" isn't a real problem. It's something that implies the actual problem they're complaining about—but it implies many different things.

Often, people are just worrying because what they're doing would be a problem in C or Lisp or whatever their first language is. Many of these problems aren't true in Python, or are in theory but are never or rarely relevant to most Python scripts or modules, in which case the solution is to just stop worrying.

Sometimes, there is a real problem. But it's worth knowing what the real problem is, so you can solve that.

Background

For example, consider the usual way of adding optional parameters:

    def spam(eggs=None):
        if eggs is not None:

The problem here is that None is a perfectly good value for many uses, and you may want to distinguish spam(None) from spam().

One possibility is:

    def spam(*args):
        if args:
            eggs, = *args

But this gives you a much less meaningful signature, and takes more code, and provides less useful error messages (e.g., if you pass two arguments, instead of a TypeError telling you that spam takes at most 1 positional argument, you get a ValueError telling you that there were too many values to unpack).

So, the idiomatic solution is this:

    sentinel = object()
    def spam(eggs=sentinel):
        if eggs is not sentinel:

That solves both problems—None may be a valid value for eggs, but sentinel surely isn't, because you just invented it here, and don't use it for any meaning except "not a valid value for eggs". And the signature makes it pretty clear that "eggs" is an optional parameter, and the errors are exactly what you'd expect, and so on.

But it means the sentinel is now available in the same scope as the function.

So what? Well, that's what this post is about.

It's public

Often, the scope in question is the global scope of some module. Putting sentinel in the global scope of a module means anyone who uses the module will see it. This means that from module import * imports it. And that the inspect module, and similar tools, will show it as a part of the module's interface—your IDE or REPL may offer it as a possible completion for module. and module.s, your automatic documentation generator may list it in the documentation of the module's public interface, etc.

But the problem here isn't that it's in the module's global scope; it's that it's public in the module's global scope. This is exactly what the private underscore convention is for: use the name _sentinel instead of sentinel, and it's no longer public. People can still find it if they go looking for it, but most tools will not offer it to them—and, even if they do find it, they'll know they're not supposed to use it.

Also, any module that you intend people to use with from module import * really should have an __all__, which of course shouldn't include _sentinel.

But private isn't really private

Some people object that Python private names aren't really private. A malicious user can still access module._sentinel and, e.g., put it in the middle of a list, causing some function in your module to stop checking the list halfway through so they can sneak some other data through your protection.

Nothing is private in Python. There's no way to hide anything. If they couldn't access module._sentinel, they could still access module.spam.__defaults__[0]. Or, if you somehow hid it in the constants, module.spam.__code__.co_consts[0].

This is inherent to any language that allows reflection. Even in languages that don't, like C++, people can still find the "hidden" values by reinterpret_cast<char *> and similar tricks. Unless your language is specifically designed to protect pieces of code from each other (as Java is), there's nothing you can do about this. If you don't worry about it in every other language, don't worry about it in Python.

It may collide with something else

It's exceedingly unlikely that you actually had something different in the module named _sentinel. But what if use this same idiom twice in the same module? For example:

    _sentinel = object()
    def spam(eggs=_sentinel):
        if eggs is _sentinel:

    # ...

    _sentinel = object()
    def cheese(ham=_sentinel):

Now, if you call spam(), the default value is the first _sentinel (because that gets bound at function creation time), but the if statement is checking it against the second one (because that gets looked up at function call time). Oops!

But really, is this ever a problem? Unless you're writing 10000-line modules, or writing your modules by blind copy-paste, it should never come up. (And if you are, don't do that!) If you need multiple functions with sentinels in the same module, you either use the same one for all of them, or use a different name for each one.

The one time this can come up is in auto-generated code. You need to make your code generator create a guaranteed-new name each time, in case it gets run twice on the same module.

It wastes space

Micro-optimizing space in a Python module is a mug's game. The value is already in the module. So is the name (for reflection, help, etc.). It does add one more entry to a dict that links the two together. That's 24 bytes on most 64-bit platforms. Even an empty dict is 288 bytes, and a module dict usually has at least __name__, __package__, __doc__, __all__, __loader__, __spec__, on top of your public and private names. This isn't a problem worth solving. If it were, you'd want to write a custom module loader that returned a different object that uses __slots__ (or C code) instead of a __dict__.

It's slow

Comparing to None is fast, because None is stored as a fast constant embedded in the compiled function, but comparing to _sentinel is slow, because it's stored as a global name lookup, which generally means a dict lookup on the module.

You <i>can</i> solve that:

    _sentinel = object()
    def spam(eggs=_sentinel, _sentinel=_sentinel):
        if eggs is _sentinel:

Now, you're comparing the first argument to the second argument, and they both default to the same reference stored in the function's fast locals, instead of the second one being a global lookup.

But is this really a problem that needs to be solved? Yes, global lookups are slow. But so are function calls. And whatever you're actually going to do in the function is almost surely a lot slower. And even if everything were blazingly fast, the branch prediction failure on half the calls to spam would probably be much more costly than an access that almost always hits the cache.

Accessing a global inside a loop over 1000000 elements may be worth optimizing away, but here?

This micro-optimization used to be fairly common in early large Python apps—the Zope framework uses it all over the place. People also used to do things like pushing unbound methods as default values and then passing the self explicitly to avoid the attribute lookup and descriptor call. But as people have actually learned to profile Python code over the past couple decades (and as Python has improved, and CPUs have gotten more complicated…), it's become a lot less common, because it almost never provides any measurable benefit. So it probably won't help you here.

This also solves the collision problem, and allows you to solve the visibility problem by just doing del _sentinel after the function definition. But neither of those is really a problem either, as explained above.

And the cost is that it's less clear that, while eggs is an optional parameter, _sentinel is a "never pass this" parameter. The underscore helps, but this idiom isn't as widely known by programmers, or as widely supported by tools, as the usual uses of the underscore.

Conclusion

When you're worried that a value leaks into the enclosing scope, all of the real problems can be solved by just underscore-prefixing the name and leaving it out of __all__, and the other problems rarely need to be solved.