Re: Wha?
Spectre-class attacks don't necessary require branch-prediction poisoning or cache timing. There are side channels in speculative execution that don't involve either of those mechanisms (in some processor architectures).
Even when a spec-ex side-channel attack does involve the cache, a flush isn't strictly necessary. Flushing is just an optimization so that the attack can leak information at a rate that makes exploitation feasible; and as the original Yarom and Falkner paper notes, their original FLUSH+RELOAD attack has the advantage of targeting the L3 cache, so the attacking process need not be running on the same core. And there are other approaches which don't require flushing.
Some references: The Yarom and Falkner FLUSH+RELOAD paper. DJB's classic 2005 paper on cache side-channel key extraction, which popularized the need for constant-time crypto; no flushes involved there (but it's a different sort of attack). From 2009, there's Brumley and Hakala showing some fancier flushless cache-timing attacks, using trace data. For flushing without reloading, see Gruss et al. There are also instruction-cache attacks and other variants; you can find references in those papers.
There's a paper that describes various cache side-channel attacks, including some with and without flushing, but I can't recall the author or title at the moment, and a quick search didn't turn it up. In any case, though, the point is that flush-based attacks are just one of the more convenient options.