define a rule as following:

struct acl_ipv4_rule acl_rule[] = {
{                                                                                                                  
        .data = {.userdata = 103, .category_mask = 1, .priority = 1},
        /* proto */                                                                                                    
        .field[0] = {.value.u8 = 0, .mask_range.u8 = 0x0,},                                                            
        /* source IPv4 */                                                                                              
        .field[1] = {.value.u32 = IPv4(0, 0, 0, 0), .mask_range.u32 = 0,},                                             
        /* destination IPv4 */                                                                                         
        .field[2] = {.value.u32 = IPv4(192, 168, 2, 4), .mask_range.u32 = 32,},                                        
        /* source port */                                                                                              
        .field[3] = {.value.u16 = 0, .mask_range.u16 = 0xffff,},                                                    
        /* destination port */                                                                                         
        .field[4] = {.value.u16 = 1024, .mask_range.u16 = 0xffff,},                                                       
    },
};

build a pkt like this:

pv4_hdr->next_proto_id = 6;
ipv4_hdr->src_addr = rte_cpu_to_be_32(IPv4(10, 18, 2, 3));
ipv4_hdr->dst_addr = rte_cpu_to_be_32(IPv4(192, 168, 2, 4));
port = (uint16_t*)((unsigned char*)ipv4_hdr + sizeof(struct ipv4_hdr));
port[0] = rte_cpu_to_be_16(3333);
port[1] = rte_cpu_to_be_16(4608);

rte_acl_classify_scalar will mismatch this packet!

i readed rte_acl_classify_scalar function, and found the reason:

    while (flows.started > 0) {

        input0 = GET_NEXT_4BYTES(parms, 0);
        input1 = GET_NEXT_4BYTES(parms, 1);

        for (n = 0; n < 4; n++) {

            transition0 = scalar_transition(flows.trans,
                transition0, (uint8_t)input0);
            input0 >>= CHAR_BIT;

            transition1 = scalar_transition(flows.trans,
                transition1, (uint8_t)input1);
            input1 >>= CHAR_BIT;
        }

        while ((transition0 | transition1) & RTE_ACL_NODE_MATCH) {
            transition0 = acl_match_check(transition0,
                0, ctx, parms, &flows, resolve_priority_scalar);
            transition1 = acl_match_check(transition1,
                1, ctx, parms, &flows, resolve_priority_scalar);
        }
    }

everytime, scalar get 4bytes to transition, and usually it work well, but if we set a acl rule as prior, mismatch will appear.
this is because field[3] is a 100% wild node, so it was removed as a deactivated field.

in this situation, when rte_acl_classify_scalar runs, proto/sip/dip match ok, and then it skip sport because it was removed.
now input0 is a int value(4 bytes) started form dport.
it will get a match-node after 2 bytes match(dport is a short value), but cycle stoped untill n = 4, finally it translated to another node which is not a match-node, the mismatch happened.

i'm not sure search_sse_8/search_sse_4/search_avx2x16 is Ok.

how to fix it?
i think set GET_NEXT_4BYTES to GET_NEXT_BYTE will solve this problem, but it will influence performance.
another way, don't use acl_rule_stats to remove deactivated field, but code will change a lot.