[mockery]

A mispredicted branch is incredibly likely to perform operations that would normally fault (consider misprediction of a null pointer check, for example...) I don't think it's feasible to have a (useful) version of speculative execution that can trigger a true fault, because the mispredicted branches are going to violate all sorts of software invariants.

[ChuckMcM]

NULL is an interesting case. I'm not sure how Linux handles it but in some OSes there is a page table entry for virtual address 0 for just this reason. You have to assume that bugs will access it. I'm wondering about pages that are outside of your allocated address space.