This was a heap exhaustion problem. Computation.sml forks the program execution into multiple independent heaps when it encounters an if statement. The binary also hash-conses equivalent heaps (see Makefile). Therefore, if we can get multiple heaps to be equal when the flag is some value, we can exfiltrate data based on whether the program OOMs or not.
The full exploit is at [https://pastebin.com/aeCdMk73](https://pastebin.com/aeCdMk73).
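
A toy model of the oracle described above, added here as an illustration; it is not the challenge's Computation.sml or the linked exploit. The heap representation, `HEAP_LIMIT`, and the `run`, `store`, `probe` and `oracle` helpers are all assumptions made for the model.

```python
# Toy model (constructed for illustration; not the challenge's interpreter).
# A heap is an immutable set of (variable, value) pairs. Every `if` forks each
# live heap into a then-heap and an else-heap; equal heaps are hash-consed,
# which the model represents by keeping live heaps in a Python set.

HEAP_LIMIT = 1024  # assumed memory budget, counted in distinct heaps


class OutOfMemory(Exception):
    pass


def run(branches, secret, limit=HEAP_LIMIT):
    """Execute a list of `if` statements; return the number of distinct heaps.

    Each branch is (then_fn, else_fn); each fn maps (heap, secret) -> heap.
    """
    live = {frozenset()}
    for then_fn, else_fn in branches:
        forked = set()
        for heap in live:
            forked.add(then_fn(heap, secret))
            forked.add(else_fn(heap, secret))
        if len(forked) > limit:
            raise OutOfMemory(len(forked))
        live = forked
    return len(live)


def store(var, value_fn):
    """Build a branch body that writes value_fn(secret) into var."""
    def body(heap, secret):
        updated = dict(heap)
        updated[var] = value_fn(secret)
        return frozenset(updated.items())
    return body


def probe(guess, n_ifs=16):
    """Program whose two arms produce equal heaps only if secret == guess."""
    return [(store(f"x{i}", lambda s: s), store(f"x{i}", lambda s: guess))
            for i in range(n_ifs)]


def oracle(secret, guess):
    """True if the run completes, False if it exhausts the heap budget."""
    try:
        run(probe(guess), secret)
        return True
    except OutOfMemory:
        return False
```

In this model a correct guess keeps the heap count at 1, while a wrong guess doubles it at every `if`, so a memory footprint that depends on secret data is observable through completion versus OOM alone.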