...
The size of the array s is three, although the size of the string literal is four. Any subsequent use of the array as a null-terminated byte string can result in a vulnerability, because s is not properly null-terminated.
...
This is the preferred approach, because the size of the array can always be derived even if the size of the string literal changes.
Exceptions
STR36-EX1: If the intention is to create a character array and not a null-terminated byte string, initializing to fit exactly without a null byte is allowed but not recommended. The preferred approach to create an array containing just the three characters, 'a', 'b', and 'c', for example, is to declare each character literal as a separate element as follows:
...
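The following is an added example, not code from the original page, that contrasts the three kinds of declaration discussed above and shows a bounded check for a missing terminator. The array names and the helpers is_terminated and safe_len are illustrative assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample declarations; all names are illustrative. */
static const char bounded[3] = "abc";   /* explicit bound: the '\0' is dropped */
static const char unbounded[] = "abc";  /* no bound: compiler derives size 4 */
static const char raw_chars[3] = { 'a', 'b', 'c' }; /* character array, not a string */

/* The derived size follows the literal, so this holds if "abc" is edited
 * in both places; a hand-written bound gives no such guarantee. */
_Static_assert(sizeof unbounded == sizeof "abc", "size tracks the literal");

/* Returns 1 if a '\0' occurs within the first n bytes of buf, else 0.
 * memchr never reads past n, so it is safe on unterminated arrays. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Length bounded by the array size; unlike strlen, this cannot run off
 * the end of an array that lacks a terminator. */
size_t safe_len(const char *buf, size_t n)
{
    const char *end = memchr(buf, '\0', n);
    return end ? (size_t)(end - buf) : n;
}

int main(void)
{
    printf("bounded:   size=%zu terminated=%d\n",
           sizeof bounded, is_terminated(bounded, sizeof bounded));
    printf("unbounded: size=%zu terminated=%d\n",
           sizeof unbounded, is_terminated(unbounded, sizeof unbounded));
    printf("raw_chars: size=%zu terminated=%d\n",
           sizeof raw_chars, is_terminated(raw_chars, sizeof raw_chars));
    /* Printing an unterminated array requires an explicit precision. */
    printf("%.*s\n", (int)safe_len(bounded, sizeof bounded), bounded);
    return 0;
}
```

Passing bounded or raw_chars to strlen, strcpy, or printf("%s") would read past the end of the array, which is why the helpers take the array size explicitly.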