!til There is a conceptually simpler way of figuring out which value was read out of bounds in a &spectre attack - just index using an in-bounds value immediately afterward and see if the access is fast or slow. If it's fast, and you know the value used for the index, then you know that the secret out-of-bounds value == your index, and you've extracted the information.