The interpreter and the Just-In-Time (JIT) compiler are two core components of modern JavaScript engines, both of which take bytecodes as input. Most bugs in these components are closely related to specific bytecodes. Therefore, effective fuzzing should pay close attention to how bytecode is generated and exercised. However, previous work fails to consider this aspect and instead focuses primarily on the syntactic and semantic validity of test cases. This causes two major issues: 1) certain bytecodes are never exercised during fuzzing; 2) some bytecodes are exercised infrequently. In this paper, we propose BCFuzz, a bytecode-driven fuzzing approach designed to enhance the diversity of generated bytecode and increase testing opportunities for low-frequency bytecodes. Specifically, we introduce a parser-oriented probing technique to identify the necessary conditions for generating specific bytecodes and use this information to enhance the input generation process. To better test low-frequency bytecodes, we propose bytecode-aware seed preservation, scheduling, and mutation strategies. We evaluate BCFuzz on four mainstream JavaScript engines. In 72 hours of testing, BCFuzz discovers 1.73$\times$ and 1.67$\times$ more bugs than DIE and Fuzzilli, respectively. In total, BCFuzz uncovered 21 previously unknown bugs. Of these, 17 have already been fixed and one has been assigned a CVE. All the discovered bugs are related to bytecodes.