Fuzzing and edge-pair coverage

It is noted in the AFL whitepaper that AFL tracks branch (edge) coverage rather than block coverage, and that this helps in discovering more vulnerabilities. Let us consider a fuzzer that takes an additional step and tracks edge-pair coverage. Consider the following code excerpt:

function buggy(...) { int x = 0; [...] // to be filled in if (x > 10) { FAIL; } }

For this problem, your task is to provide code for the // to be filled in section. You can add new parameters to the buggy function and then use those parameters in the code you write. Your code must satisfy the following key property: test inputs achieving 100% edge coverage for your new code might not yield an input reaching FAIL, but test inputs achieving 100% edge-pair coverage for your code will definitely yield an input reaching FAIL. (Coverage is only measured for your new code, not for the if conditional already shown in the example containing the FAIL statement.) The only control constructs your code can use are if-then and if-then-else (no loops are allowed). Assume these constructs are translated to a control-flow graph in the standard manner shown in the lecture slides.

Give the full completed buggy(...) function as your solution, and explain why 100% edge coverage might not yield a failing input but 100% edge-pair coverage definitely will.