When a packet triggers a reflexive ACL rule, VPP is restarted.
Note that this issue is not present in VPP-17.01

Example configuration:
1. bridge two interfaces and put them up:
vat# sw_interface_set_flags sw_if_index 1 admin_up link_up
vat# sw_interface_set_flags sw_if_index 2 admin_up link_up
vat# bridge_domain_add_del bd_id 1 flood 1 uu-flood 1 forward 1 learn 1 arp-term 0
vat# sw_interface_set_l2_bridge sw_if_index 1 bd_id 1
vat# sw_interface_set_l2_bridge sw_if_index 2 bd_id 1

2. add reflexive rule (action 2) that matches everything, assign to interface 1 on output
vat# acl_add_replace ipv4 action 2
vat# acl_interface_add_del sw_if_index 1 add output acl 0

3. verify configuration
vat# acl_dump
vl_api_acl_details_t_handler:193: acl_index: 0, count: 1
tag {}
ipv4 action 2 src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-0 dport 0-0 tcpflags 0 0

vat# acl_interface_list_dump
vl_api_acl_interface_list_details_t_handler:152: sw_if_index: 1, count: 1, n_input: 0
input 0

4. send a packet to interface 2:
The packet does not leave VPP through interface 1 and VPP is restarted.
(Example packet in attachments, althuogh this seems to happen with any packet that matches the classify rule. Packet trace not available due to the crash.)