I still stand by my question, though. If I consider WebAss is a VM, which I think in some extend, it already is given that it let the process owner control/limit memory and IO sandbox. But, my understanding is that a true VM also needs to provide CPU sandbox, right? To answer another question in this thread related to JS "while (true) {}", most browser would already warn about the script CPU time and allow us to terminate/stop the long running script. I could say the same for a true VM that would limit the number of CPUs to use or even execution time out. Even with the JVM, where there is no mechanism to limit the execution of the entire process, I can run JVM plugins/modules in a separate thread and set execution time limit in that contained thread.