x86 BLSI and BLSR semantic bug

Host environment

Operating system: Windows 10 20H2
OS/kernel version: WSL2 Ubuntu 20.04.4 LTS (GNU/Linux 5.10.102.1-microsoft-standard-WSL2 x86_64)
Architecture: x86
QEMU flavor: qemu-x86_64
QEMU version: 7.1.90 (v7.2.0-rc0)
QEMU command line: qemu-x86_64 -cpu max a.out

Emulated/Virtualized environment

Operating system: None
OS/kernel version: None
Architecture: x86

Description of problem

The result of instruction BLSI and BLSR is different from the CPU. The value of CF is different.

Steps to reproduce

Compile this code

void main() {
    asm("blsi rax, rbx");
}

Execute and compare the result with the CPU. The value of CF is exactly the opposite. This problem happens with BLSR, too.

Additional information

This bug is discovered by research conducted by KAIST SoftSec.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information