Abnormal Behavior of the movw %ax, %cs Instruction in Real Mode
In the following code, when each TB (Translation Block) contains a single instruction (`-accel tcg,one-insn-per-tb=on`), bx holds 1 when execution reaches hlt; when a TB contains multiple instructions, bx holds 2. The difference is where instruction fetch continues after `movw %ax, %cs` changes the code-segment base from 0 to 0x10: with one instruction per TB the very next fetch already uses the new base (linear 0x10 + 0x7c07 = 0x7c17), whereas in a multi-instruction TB the `jmp 0f` that was translated with the old base still executes, and its target EIP 0x7c19 is only combined with the new base at the next TB lookup (linear 0x10 + 0x7c19 = 0x7c29). For comparison, only the 8086/8088 accepted a MOV to CS; an 80286 or later raises #UD for it, so neither result matches current hardware.
Host environment
Operating system: archlinux
OS/kernel version: 6.16.8
Architecture: x86_64
QEMU flavor: qemu-system-x86_64
QEMU version: QEMU emulator version 10.1.0
# main.s: boot-sector test case, loaded by the BIOS at 0000:7c00
.section .text
.code16
.global _start
_start:
movw $1, %ax
xorw %bx, %bx
movw %ax, %cs # CS := 1, so the code-segment base becomes 0x10
jmp 0f # addr: 0x7c07, short jump (EB 10) to EIP 0x7c19
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
# addr: 0x7c17 = 0x10 + 0x7c07. Reached with one-insn-per-tb=on, where the
# fetch after movw %ax, %cs already uses the new base: bx = CS = 1
movw %cs, %bx
0: cli
hlt
jmp 0b
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
# Reached only when the TB holds several instructions (no one-insn-per-tb):
# the jmp 0f at 0x7c07, translated before CS changed, still executes, and its
# target EIP 0x7c19 is combined with the new base at the next TB lookup,
# giving linear 0x10 + 0x7c19 = 0x7c29
movw $2, %bx # addr: 0x7c29
cli
hlt
jmp 0b
Build, image creation and launch:
as --32 -g -mx86-used-note=no -o main.o main.s
ld -static -m elf_i386 -Ttext=0x7c00 -o main main.o
objcopy -O binary main main.bin
dd if=/dev/zero of=disk.img bs=8M count=1
dd if=main.bin of=disk.img conv=notrunc
echo -ne '\x55\xaa' | dd of=disk.img oseek=510 bs=1 conv=notrunc   # boot signature at offset 510
# One instruction per TB (bx = 1). Drop one-insn-per-tb=on for the
# multi-instruction case (bx = 2). -s -S opens the gdbstub on :1234 and waits,
# so bx can be inspected from gdb after the guest reaches hlt.
qemu-system-x86_64 -hda disk.img --accel tcg,one-insn-per-tb=on -s -S
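The two outcomes can be reproduced without QEMU by modelling the one thing that differs: whether the fetch base derived from CS is re-read before every instruction or only when a new translation block starts. The interpreter below is an added example, not QEMU code; it covers only the handful of real-mode instructions the boot sector uses. The bytes in CODE are a hand assembly of the program above (an assumption, but the addresses agree with the ones annotated in the listing). insns_per_tb=1 corresponds to one-insn-per-tb=on and also to what an 8086 would do; ud_on_mov_cs=True models the #UD an 80286 or later raises.

```python
"""Model of the report's test program under two translation-block policies.

Added example, not QEMU code. A block ends at a jump or after insns_per_tb
instructions; the fetch base (CS << 4) is sampled once per block, which is
the behaviour the report observes in the multi-instruction case.
"""

LOAD = 0x7C00  # linear address the BIOS loads the boot sector to (0000:7C00)

# Hand-assembled image of main.s (assumption; offsets match the listing).
CODE = (
    bytes([0xB8, 0x01, 0x00,    # 7c00: movw $1, %ax
           0x31, 0xDB,          # 7c03: xorw %bx, %bx
           0x8E, 0xC8,          # 7c05: movw %ax, %cs  (8E /r, reg=1 selects CS)
           0xEB, 0x10])         # 7c07: jmp 0f         (rel8 from 0x7c09 -> 0x7c19)
    + b"\x90" * 14              # 7c09..7c16: nop
    + bytes([0x8C, 0xCB,        # 7c17: movw %cs, %bx
             0xFA,              # 7c19: 0: cli
             0xF4,              # 7c1a: hlt
             0xEB, 0xFC])       # 7c1b: jmp 0b         (-> 0x7c19)
    + b"\x90" * 12              # 7c1d..7c28: nop
    + bytes([0xBB, 0x02, 0x00,  # 7c29: movw $2, %bx
             0xFA,              # 7c2c: cli
             0xF4,              # 7c2d: hlt
             0xEB, 0xE9])       # 7c2e: jmp 0b         (-> 0x7c19)
)


class InvalidOpcode(Exception):
    """#UD: what an 80286 or later raises for MOV to CS."""


def fetch(linear):
    """Read one code byte at a linear address; anything outside the image is a bug."""
    off = linear - LOAD
    if not 0 <= off < len(CODE):
        raise IndexError(f"fetch outside the image at {linear:#x}")
    return CODE[off]


def run(insns_per_tb=None, ud_on_mov_cs=False):
    """Run CODE until HLT and return the register file.

    insns_per_tb: maximum instructions per block (None = a block ends only
    at a jump); 1 mimics -accel tcg,one-insn-per-tb=on.
    ud_on_mov_cs: raise InvalidOpcode on MOV to CS, like real 286+ silicon.
    """
    regs = {"ax": 0, "bx": 0, "cs": 0}
    ip = LOAD                    # 16-bit IP; CS is 0, so linear == ip at start
    while True:
        base = regs["cs"] << 4   # fetch base sampled once per block
        in_tb = 0
        block_open = True
        while block_open:
            op = fetch(base + ip)
            if op == 0xB8:                                      # mov $imm16, %ax
                regs["ax"] = fetch(base + ip + 1) | fetch(base + ip + 2) << 8
                ip += 3
            elif op == 0xBB:                                    # mov $imm16, %bx
                regs["bx"] = fetch(base + ip + 1) | fetch(base + ip + 2) << 8
                ip += 3
            elif op == 0x31 and fetch(base + ip + 1) == 0xDB:   # xor %bx, %bx
                regs["bx"] = 0
                ip += 2
            elif op == 0x8E and fetch(base + ip + 1) == 0xC8:   # mov %ax, %cs
                if ud_on_mov_cs:
                    raise InvalidOpcode(f"MOV to CS at {base + ip:#x}")
                regs["cs"] = regs["ax"]   # base changes, but this block keeps the old one
                ip += 2
            elif op == 0x8C and fetch(base + ip + 1) == 0xCB:   # mov %cs, %bx
                regs["bx"] = regs["cs"]
                ip += 2
            elif op == 0xEB:                                    # jmp rel8
                rel = fetch(base + ip + 1)
                # The displacement is added to IP only; the base is applied at
                # the next fetch, which is why a stale base relocates the target.
                ip = (ip + 2 + (rel - 256 if rel & 0x80 else rel)) & 0xFFFF
                block_open = False                              # a jump ends the block
            elif op in (0x90, 0xFA):                            # nop, cli (IF not modelled)
                ip += 1
            elif op == 0xF4:                                    # hlt
                return regs
            else:
                raise InvalidOpcode(f"unmodelled opcode {op:#x} at {base + ip:#x}")
            in_tb += 1
            if insns_per_tb is not None and in_tb >= insns_per_tb:
                block_open = False


if __name__ == "__main__":
    print("one-insn-per-tb:", run(insns_per_tb=1))   # bx = 1
    print("multi-insn TB:  ", run())                 # bx = 2
```

With insns_per_tb=1 the block after `movw %ax, %cs` starts with base 0x10, so IP 0x7c07 fetches `movw %cs, %bx` at 0x7c17 and bx ends as 1; with unlimited blocks the jump is decoded with base 0, sets IP to 0x7c19, and the next block resolves that against base 0x10, landing on `movw $2, %bx` at 0x7c29.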
Edited by 人造人



