We taint identifiers when we are done with argument expansion; we untaint them when scan gets through the "untaint" token we leave right after the body of macro; we mark tokens noexpand in three situations: 1) when we copy a token marked noexpand; 2) when we get to expanding a token and see that its identifier is currently tainted; 3) when we scan for closing ) and see an identifier token with currently tainted identifier. That makes sure that by the time we get past the expanded body (and untaint the left-hand side of macro), all tokens bearing that identifier will be seen and marked noexpand. There is more elegant variant (it's practically straight from text of standard - set noexpand only in dup_token() and make it if (token_type(token) == TOKEN_IDENT) alloc->noexpand = token->noexpand | token->ident->tainted; which is as close as to transliteration of 6.10.3.4(2) as it gets), but before we can go for it, we need to sort out another problem - order of expansion/copying for arguments. So for now here's an equivalent heavier variant with a wart ((3) above) that works even with current expand_arguments() and when that gets sorted out we'll be able to get anti-recursion logics absolutely straightforward. And yes, it does preprocessor1.c correctly; it even get much subtler preprocessor7.c right.