Add a README for the CompositorFrame fuzzer.

A quick README describing some of the quirks and gotchas of this
particular fuzzer, and providing a very high-level overview of how it
functions. Isn't meant to provide an introduction to fuzzing in general,
but links to further documentation available.

R=kylechar@chromium.org, riajiang@chromium.org

Bug: 923088
Change-Id: I1ca073906292216f9a92c1ecaf62e5da5d850815
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1586236Reviewed-by: kylechar <kylechar@chromium.org>
Commit-Queue: kylechar <kylechar@chromium.org>
Auto-Submit: Céline O'Neil <celineo@google.com>
Cr-Commit-Position: refs/heads/master@{#654559}

components/viz/service/compositor_frame_fuzzer/README.md

+# CompositorFrame Fuzzer
+
+## Fuzzer functionality
+
+The fuzzer takes a binary protobuf RenderPass message, as specified in
+compositor_frame_fuzzer.proto, which describes the root RenderPass for a
+CompositorFrame as input. It uses [libFuzzer][libfuzzer] and
+[libprotobuf-mutator][protobuf-mutator] to generate and mutate a corpus of
+inputs that exercise as many code paths as possible. See [libFuzzer in
+Chromium][libfuzzer-chromium] documentation for general information on these
+tools and how they are used in Chromium.
+
+On each iteration, the CompositorFrame fuzzer builds a CompositorFrame
+following the specifications in the protobuf-format input and submits it to the
+display compositor. A simulated browser process submits a CompositorFrame which
+embeds the fuzzed CompositorFrame. The display compositor then produces pixel
+output using SoftwareRenderer.
+
+## Seed corpus
+
+A seed corpus helps jumpstart the fuzzer by providing it with an existing set of
+valid inputs to try. See the [efficient fuzzing guide][efficient-fuzzing] for
+more information.
+
+The `.asciipb` files in the text_format_seed_corpus directory will automatically
+be compiled and added to the seed corpus once they have been added to the
+sources list in BUILD.gn.
+
+## Running locally
+
+To run multiple fuzzer iterations and generate a corpus (the initial corpus
+directory may be empty or already contain entries):
+
+```shell
+compositor_frame_fuzzer <path-to-corpus> [optional: <path-to-seed-dir>]
+```
+
+To execute a single input test case:
+
+```shell
+compositor_frame_fuzzer <path-to-test-case>
+```
+
+## Debugging
+
+The CompositorFrame fuzzer produces minimal logging, but will accept verbosity
+flags (`--v=1`) to enable helpful logging for debugging.
+
+Since the fuzzer runs headlessly, run it with the flag
+`--dump-to-png[=dir-name]` to dump the browser display into PNG files for
+debugging.
+
+A possibly useful pattern to debug new fuzzer functionality is to write a new
+seed corpus entry exercising the new paths, then visually testing whether this
+entry is rendered correctly. For instance, to test that the
+`nested_render_pass_draw_quads.asciipb` corpus entry renders correctly:
+
+```shell
+compositor_frame_fuzzer <path-to-build-gen-files>/components/viz/service/compositor_frame_fuzzer/binary_seed_corpus/nested_render_pass_draw_quads.pb --v=1 --dump-to-png=<path-to-out-dir>
+```
+
+[libfuzzer]: http://llvm.org/docs/LibFuzzer.html
+[protobuf-mutator]: https://github.com/google/libprotobuf-mutator/
+[libfuzzer-chromium]: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/README.md
+[efficient-fuzzing]: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/efficient_fuzzer.md