Limiting the CPU vs protecting against an infinite loop are two different problems. The former is usually solved by sandboxing and using the limiters exposed by it, while the latter can be easily solved by just adding a cancellation timeout, when the function call/process/API call/whatever takes longer than X seconds, cancel it and return an error.