An unsafe function-like macro is one that evaluates a parameter more than once in the code expansion or never evaluates the parameter at all. Never invoke an unsafe macro with arguments containing an assignment, increment, decrement, volatile access, input/output, or other other side effects (including function calls, which may cause side effects).
The documentation for unsafe macros must warn about putting side effects on the invocation, but the responsibility is on the programmer using the macro. Because of the risks associated with their use, it is recommended that you avoid the creation of unsafe macro functions. (See PRE00-C. Prefer inline or static functions to function-like macros.)
...
One problem with unsafe macros is is side effects on macro arguments, as shown by this noncompliant code example:
...
Compliant Solution (GCC)
GCC's __typeof extension make makes it possible to declare and assign the value of the macro operand to a temporary of the same type and perform the computation on the temporary, thus guaranteeing that the operand will be evaluated exactly once:
...
PRE31-EX0: An exception can be made for invoking an unsafe macro with a function call argument provided that the function has no side effects. However, it is easy to forget about obscure side effects that a function might have, especially library functions for which source code is not available; even changing errno is a side effect. Unless the function is user-written and does nothing but perform a computation and return its result without calling any other functions, it is likely that many developers will forget about some side effect. Consequently, although this exception is allowed, it is not recommended.
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...